Factory/metallb-chart/templates/rbac.yaml

213 lines
6.5 KiB
YAML

{{- if .Values.rbac.create -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "metallb.fullname" . }}:controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["services", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list"]
- apiGroups: [""]
resources: ["services/status"]
verbs: ["update"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
resourceNames: ["metallb-webhook-configuration"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
verbs: ["list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
resourceNames: ["bfdprofiles.metallb.io","bgpadvertisements.metallb.io",
"bgppeers.metallb.io","ipaddresspools.metallb.io","l2advertisements.metallb.io","communities.metallb.io"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "watch"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "metallb.fullname" . }}:speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["services", "endpoints", "nodes", "namespaces"]
verbs: ["get", "list", "watch"]
- apiGroups: ["discovery.k8s.io"]
resources: ["endpointslices"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch"]
- apiGroups: ["metallb.io"]
resources: ["servicel2statuses","servicel2statuses/status"]
verbs: ["*"]
{{- if .Values.prometheus.secureMetricsPort }}
- apiGroups: ["authentication.k8s.io"]
resources: ["tokenreviews"]
verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
resources: ["subjectaccessreviews"]
verbs: ["create"]
{{- end }}
{{- if or .Values.frrk8s.enabled .Values.frrk8s.external }}
- apiGroups: ["frrk8s.metallb.io"]
resources: ["frrconfigurations"]
verbs: ["get", "list", "watch","create","update"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "metallb.fullname" . }}-pod-lister
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["list", "get"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bfdprofiles"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgppeers"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["l2advertisements"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgpadvertisements"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["ipaddresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["communities"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "metallb.fullname" . }}-controller
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
rules:
{{- if .Values.speaker.memberlist.enabled }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: [{{ include "metallb.secretName" . | quote }}]
verbs: ["list"]
- apiGroups: ["apps"]
resources: ["deployments"]
resourceNames: ["{{ template "metallb.fullname" . }}-controller"]
verbs: ["get"]
{{- end }}
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metallb.io"]
resources: ["ipaddresspools"]
verbs: ["get", "list", "watch"]
- apiGroups: ["metallb.io"]
resources: ["bgppeers"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["bgpadvertisements"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["l2advertisements"]
verbs: ["get", "list"]
- apiGroups: ["metallb.io"]
resources: ["communities"]
verbs: ["get", "list","watch"]
- apiGroups: ["metallb.io"]
resources: ["bfdprofiles"]
verbs: ["get", "list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "metallb.fullname" . }}:controller
labels:
{{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "metallb.controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "metallb.fullname" . }}:controller
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "metallb.fullname" . }}:speaker
labels:
{{- include "metallb.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "metallb.speaker.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "metallb.fullname" . }}:speaker
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "metallb.fullname" . }}-pod-lister
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "metallb.fullname" . }}-pod-lister
subjects:
- kind: ServiceAccount
name: {{ include "metallb.speaker.serviceAccountName" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "metallb.fullname" . }}-controller
namespace: {{ .Release.Namespace | quote }}
labels: {{- include "metallb.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "metallb.fullname" . }}-controller
subjects:
- kind: ServiceAccount
name: {{ include "metallb.controller.serviceAccountName" . }}
{{- end -}}