vnfs/DAaaS/deploy/00-init/istio-operator/templates/operator-rbac.yaml

   1 {{- if .Values.rbac.enabled }}
   2 apiVersion: v1
   3 kind: ServiceAccount
   4 metadata:
   5   name: {{ include "istio-operator.fullname" . }}-operator
   6   labels:
   7     app.kubernetes.io/name: {{ include "istio-operator.name" . }}
   8     helm.sh/chart: {{ include "istio-operator.chart" . }}
   9     app.kubernetes.io/instance: {{ .Release.Name }}
  10     app.kubernetes.io/managed-by: {{ .Release.Service }}
  11     app.kubernetes.io/version: {{ .Chart.AppVersion }}
  12     app.kubernetes.io/component: operator
  13 ---
  14 apiVersion: rbac.authorization.k8s.io/v1
  15 kind: ClusterRole
  16 metadata:
  17   name: {{ include "istio-operator.fullname" . }}-operator
  18   labels:
  19     app.kubernetes.io/name: {{ include "istio-operator.name" . }}
  20     helm.sh/chart: {{ include "istio-operator.chart" . }}
  21     app.kubernetes.io/instance: {{ .Release.Name }}
  22     app.kubernetes.io/managed-by: {{ .Release.Service }}
  23     app.kubernetes.io/version: {{ .Chart.AppVersion }}
  24     app.kubernetes.io/component: operator
  25 rules:
  26 - apiGroups:
  27   - ""
  28   resources:
  29   - nodes
  30   - services
  31   - endpoints
  32   - pods
  33   - replicationcontrollers
  34   - services
  35   - endpoints
  36   - pods
  37   verbs:
  38   - get
  39   - list
  40   - watch
  41 - apiGroups:
  42   - ""
  43   resources:
  44   - serviceaccounts
  45   - configmaps
  46   verbs:
  47   - get
  48   - list
  49   - watch
  50   - create
  51   - update
  52   - patch
  53   - delete
  54 - apiGroups:
  55   - ""
  56   resources:
  57   - namespaces
  58   verbs:
  59   - get
  60   - list
  61   - watch
  62   - update
  63   - patch
  64 - apiGroups:
  65   - apps
  66   resources:
  67   - replicasets
  68   verbs:
  69   - get
  70   - list
  71   - watch
  72 - apiGroups:
  73   - apps
  74   resources:
  75   - deployments
  76   - daemonsets
  77   verbs:
  78   - get
  79   - list
  80   - watch
  81   - create
  82   - update
  83   - patch
  84   - delete
  85 - apiGroups:
  86   - apps
  87   resources:
  88   - deployments/status
  89   verbs:
  90   - get
  91   - update
  92   - patch
  93 - apiGroups:
  94   - extensions
  95   resources:
  96   - ingresses
  97   - ingresses/status
  98   verbs:
  99   - '*'
 100 - apiGroups:
 101   - extensions
 102   resources:
 103   - deployments
 104   verbs:
 105   - get
 106 - apiGroups:
 107   - extensions
 108   resources:
 109   - deployments/finalizers
 110   verbs:
 111   - update
 112 - apiGroups:
 113   - extensions
 114   resources:
 115   - replicasets
 116   verbs:
 117   - get
 118   - list
 119   - watch
 120 - apiGroups:
 121   - policy
 122   resources:
 123   - poddisruptionbudgets
 124   verbs:
 125   - get
 126   - list
 127   - watch
 128   - create
 129   - update
 130   - patch
 131   - delete
 132 - apiGroups:
 133   - autoscaling
 134   resources:
 135   - horizontalpodautoscalers
 136   verbs:
 137   - get
 138   - list
 139   - watch
 140   - create
 141   - update
 142   - patch
 143   - delete
 144 - apiGroups:
 145   - apiextensions.k8s.io
 146   resources:
 147   - customresourcedefinitions
 148   verbs:
 149   - '*'
 150 - apiGroups:
 151   - rbac.authorization.k8s.io
 152   resources:
 153   - clusterroles
 154   - clusterrolebindings
 155   - roles
 156   - rolebindings
 157   - ""
 158   verbs:
 159   - get
 160   - list
 161   - watch
 162   - create
 163   - update
 164   - patch
 165   - delete
 166 - apiGroups:
 167   - authentication.k8s.io
 168   resources:
 169   - tokenreviews
 170   verbs:
 171   - create
 172 - apiGroups:
 173   - istio.banzaicloud.io
 174   resources:
 175   - istios
 176   verbs:
 177   - get
 178   - list
 179   - watch
 180   - create
 181   - update
 182   - patch
 183   - delete
 184 - apiGroups:
 185   - istio.banzaicloud.io
 186   resources:
 187   - istios/status
 188   verbs:
 189   - get
 190   - update
 191   - patch
 192 - apiGroups:
 193   - authentication.istio.io
 194   - cloud.istio.io
 195   - config.istio.io
 196   - istio.istio.io
 197   - networking.istio.io
 198   - rbac.istio.io
 199   - scalingpolicy.istio.io
 200   resources:
 201   - '*'
 202   verbs:
 203   - '*'
 204 - apiGroups:
 205   - apps
 206   resources:
 207   - deployments
 208   verbs:
 209   - get
 210   - list
 211   - watch
 212   - create
 213   - update
 214   - patch
 215   - delete
 216 - apiGroups:
 217   - apps
 218   resources:
 219   - deployments/status
 220   verbs:
 221   - get
 222   - update
 223   - patch
 224 - apiGroups:
 225   - istio.banzaicloud.io
 226   resources:
 227   - remoteistios
 228   verbs:
 229   - get
 230   - list
 231   - watch
 232   - create
 233   - update
 234   - patch
 235   - delete
 236 - apiGroups:
 237   - istio.banzaicloud.io
 238   resources:
 239   - remoteistios/status
 240   verbs:
 241   - get
 242   - update
 243   - patch
 244 - apiGroups:
 245   - admissionregistration.k8s.io
 246   resources:
 247   - validatingwebhookconfigurations
 248   verbs:
 249   - get
 250   - list
 251   - watch
 252   - create
 253   - update
 254   - patch
 255   - delete
 256 - apiGroups:
 257   - istio.banzaicloud.io
 258   resources:
 259   - istios
 260   verbs:
 261   - get
 262   - list
 263   - watch
 264 - apiGroups:
 265   - admissionregistration.k8s.io
 266   resources:
 267   - mutatingwebhookconfigurations
 268   - validatingwebhookconfigurations
 269   verbs:
 270   - '*'
 271 - apiGroups:
 272   - ""
 273   resources:
 274   - secrets
 275   verbs:
 276   - get
 277   - list
 278   - watch
 279   - create
 280   - update
 281   - patch
 282   - delete
 283 - apiGroups:
 284   - ""
 285   resources:
 286   - services
 287   verbs:
 288   - get
 289   - list
 290   - watch
 291   - create
 292   - update
 293   - patch
 294   - delete
 295 ---
 296 apiVersion: rbac.authorization.k8s.io/v1
 297 kind: ClusterRoleBinding
 298 metadata:
 299   name: {{ include "istio-operator.fullname" . }}-operator
 300   labels:
 301     app.kubernetes.io/name: {{ include "istio-operator.name" . }}
 302     helm.sh/chart: {{ include "istio-operator.chart" . }}
 303     app.kubernetes.io/instance: {{ .Release.Name }}
 304     app.kubernetes.io/managed-by: {{ .Release.Service }}
 305     app.kubernetes.io/version: {{ .Chart.AppVersion }}
 306     app.kubernetes.io/component: operator
 307 roleRef:
 308   apiGroup: rbac.authorization.k8s.io
 309   kind: ClusterRole
 310   name: {{ include "istio-operator.fullname" . }}-operator
 311 subjects:
 312 - kind: ServiceAccount
 313   name: {{ include "istio-operator.fullname" . }}-operator
 314   namespace: {{ .Release.Namespace }}
 315 {{- end }}