Factory/metallb-chart/templates/rbac.yaml

{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "metallb.fullname" . }}:controller
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["services", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list"]
- apiGroups: [""]
  resources: ["services/status"]
  verbs: ["update"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  resourceNames: ["metallb-webhook-configuration"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
  verbs: ["list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  resourceNames: ["bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
    "bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["list", "watch"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "metallb.fullname" . }}:speaker
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["services", "endpoints", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: ["metallb.io"]
  resources: ["servicel2statuses","servicel2statuses/status"]
  verbs: ["*"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
{{- end }}
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
- apiGroups: ["frrk8s.metallb.io"]
  resources: ["frrconfigurations"]
  verbs: ["get", "list", "watch","create","update"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "metallb.fullname" . }}-pod-lister
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list", "get"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bfdprofiles"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bgppeers"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["l2advertisements"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bgpadvertisements"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["ipaddresspools"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["communities"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "metallb.fullname" . }}-controller
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
{{- if .Values.speaker.memberlist.enabled }}
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: [{{ include "metallb.secretName" . | quote }}]
  verbs: ["list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
  verbs: ["get"]
{{- end }}
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["ipaddresspools"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
  resources: ["bgppeers"]
  verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
  resources: ["bgpadvertisements"]
  verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
  resources: ["l2advertisements"]
  verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
  resources: ["communities"]
  verbs: ["get", "list","watch"]
- apiGroups: ["metallb.io"]
  resources: ["bfdprofiles"]
  verbs: ["get", "list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "metallb.fullname" . }}:controller
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
  name: {{ template "metallb.controller.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "metallb.fullname" . }}:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "metallb.fullname" . }}:speaker
  labels:
    {{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
  name: {{ template "metallb.speaker.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "metallb.fullname" . }}:speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "metallb.fullname" . }}-pod-lister
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "metallb.fullname" . }}-pod-lister
subjects:
- kind: ServiceAccount
  name: {{ include "metallb.speaker.serviceAccountName" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "metallb.fullname" . }}-controller
  namespace: {{ .Release.Namespace | quote }}
  labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "metallb.fullname" . }}-controller
subjects:
- kind: ServiceAccount
  name: {{ include "metallb.controller.serviceAccountName" . }}
{{- end -}}
unpack obscpio files 2024-10-22 09:51:51 +02:00			`{{- if .Values.rbac.create -}}`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: {{ template "metallb.fullname" . }}:controller`
			`labels:`
			`{{- include "metallb.labels" . \| nindent 4 }}`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["services", "namespaces"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: [""]`
			`resources: ["nodes"]`
			`verbs: ["list"]`
			`- apiGroups: [""]`
			`resources: ["services/status"]`
			`verbs: ["update"]`
			`- apiGroups: [""]`
			`resources: ["events"]`
			`verbs: ["create", "patch"]`
			`- apiGroups: ["admissionregistration.k8s.io"]`
			`resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]`
			`resourceNames: ["metallb-webhook-configuration"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["admissionregistration.k8s.io"]`
			`resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]`
			`verbs: ["list", "watch"]`
			`- apiGroups: ["apiextensions.k8s.io"]`
			`resources: ["customresourcedefinitions"]`
			`resourceNames: ["bfdprofiles.metallb.io","bgpadvertisements.metallb.io",`
			`"bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["apiextensions.k8s.io"]`
			`resources: ["customresourcedefinitions"]`
			`verbs: ["list", "watch"]`
			`{{- if .Values.prometheus.secureMetricsPort }}`
			`- apiGroups: ["authentication.k8s.io"]`
			`resources: ["tokenreviews"]`
			`verbs: ["create"]`
			`- apiGroups: ["authorization.k8s.io"]`
			`resources: ["subjectaccessreviews"]`
			`verbs: ["create"]`
			`{{- end }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRole`
			`metadata:`
			`name: {{ template "metallb.fullname" . }}:speaker`
			`labels:`
			`{{- include "metallb.labels" . \| nindent 4 }}`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["services", "endpoints", "nodes", "namespaces"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["discovery.k8s.io"]`
			`resources: ["endpointslices"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: [""]`
			`resources: ["events"]`
			`verbs: ["create", "patch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["servicel2statuses","servicel2statuses/status"]`
			`verbs: ["*"]`
			`{{- if .Values.prometheus.secureMetricsPort }}`
			`- apiGroups: ["authentication.k8s.io"]`
			`resources: ["tokenreviews"]`
			`verbs: ["create"]`
			`- apiGroups: ["authorization.k8s.io"]`
			`resources: ["subjectaccessreviews"]`
			`verbs: ["create"]`
			`{{- end }}`
			`{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}`
			`- apiGroups: ["frrk8s.metallb.io"]`
			`resources: ["frrconfigurations"]`
			`verbs: ["get", "list", "watch","create","update"]`
			`{{- end }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: {{ include "metallb.fullname" . }}-pod-lister`
			`namespace: {{ .Release.Namespace \| quote }}`
			`labels: {{- include "metallb.labels" . \| nindent 4 }}`
			`rules:`
			`- apiGroups: [""]`
			`resources: ["pods"]`
			`verbs: ["list", "get"]`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: [""]`
			`resources: ["configmaps"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["bfdprofiles"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["bgppeers"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["l2advertisements"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["bgpadvertisements"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["ipaddresspools"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["communities"]`
			`verbs: ["get", "list", "watch"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: {{ include "metallb.fullname" . }}-controller`
			`namespace: {{ .Release.Namespace \| quote }}`
			`labels: {{- include "metallb.labels" . \| nindent 4 }}`
			`rules:`
			`{{- if .Values.speaker.memberlist.enabled }}`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["create", "get", "list", "watch"]`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`resourceNames: [{{ include "metallb.secretName" . \| quote }}]`
			`verbs: ["list"]`
			`- apiGroups: ["apps"]`
			`resources: ["deployments"]`
			`resourceNames: ["{{ template "metallb.fullname" . }}-controller"]`
			`verbs: ["get"]`
			`{{- end }}`
			`- apiGroups: [""]`
			`resources: ["secrets"]`
			`verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["ipaddresspools"]`
			`verbs: ["get", "list", "watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["bgppeers"]`
			`verbs: ["get", "list"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["bgpadvertisements"]`
			`verbs: ["get", "list"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["l2advertisements"]`
			`verbs: ["get", "list"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["communities"]`
			`verbs: ["get", "list","watch"]`
			`- apiGroups: ["metallb.io"]`
			`resources: ["bfdprofiles"]`
			`verbs: ["get", "list","watch"]`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: {{ template "metallb.fullname" . }}:controller`
			`labels:`
			`{{- include "metallb.labels" . \| nindent 4 }}`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ template "metallb.controller.serviceAccountName" . }}`
			`namespace: {{ .Release.Namespace }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: {{ template "metallb.fullname" . }}:controller`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: ClusterRoleBinding`
			`metadata:`
			`name: {{ template "metallb.fullname" . }}:speaker`
			`labels:`
			`{{- include "metallb.labels" . \| nindent 4 }}`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ template "metallb.speaker.serviceAccountName" . }}`
			`namespace: {{ .Release.Namespace }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: ClusterRole`
			`name: {{ template "metallb.fullname" . }}:speaker`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: {{ include "metallb.fullname" . }}-pod-lister`
			`namespace: {{ .Release.Namespace \| quote }}`
			`labels: {{- include "metallb.labels" . \| nindent 4 }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: {{ include "metallb.fullname" . }}-pod-lister`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ include "metallb.speaker.serviceAccountName" . }}`
			`---`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: RoleBinding`
			`metadata:`
			`name: {{ include "metallb.fullname" . }}-controller`
			`namespace: {{ .Release.Namespace \| quote }}`
			`labels: {{- include "metallb.labels" . \| nindent 4 }}`
			`roleRef:`
			`apiGroup: rbac.authorization.k8s.io`
			`kind: Role`
			`name: {{ include "metallb.fullname" . }}-controller`
			`subjects:`
			`- kind: ServiceAccount`
			`name: {{ include "metallb.controller.serviceAccountName" . }}`
			`{{- end -}}`