{{- /*
Host-cluster RBAC for the vcluster control plane, rendered only when
rbac.role.enabled is set. With experimental.multiNamespaceMode.enabled this
becomes a ClusterRole (named by the vcluster.clusterRoleNameMultinamespace
helper); otherwise it is a namespaced Role "vc-<release>" in the release
namespace. Nothing in this file binds the role to a subject; the binding and
the included helper templates are defined elsewhere.
*/}}
{{- if .Values.rbac.role.enabled }}
{{- if .Values.experimental.multiNamespaceMode.enabled }}
kind: ClusterRole
{{- else -}}
kind: Role
{{- end }}
apiVersion: rbac.authorization.k8s.io/v1
metadata:
{{- if .Values.experimental.multiNamespaceMode.enabled }}
  name: {{ template "vcluster.clusterRoleNameMultinamespace" . }}
{{- else }}
  name: vc-{{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
{{- end }}
  labels:
    app: vcluster
    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
{{- if .Values.controlPlane.advanced.globalMetadata.annotations }}
  annotations:
{{ toYaml .Values.controlPlane.advanced.globalMetadata.annotations | indent 4 }}
{{- end }}
rules:
{{- /*
rbac.role.overwriteRules replaces the entire default rule set below and is
emitted verbatim via toYaml, so a value supplied there deserves the same
review as the hard-coded rules: it can grant more, or less, than the default.
*/}}
{{- if .Values.rbac.role.overwriteRules }}
{{ toYaml .Values.rbac.role.overwriteRules | indent 2 }}
{{- else }}
{{- /*
Default rules. The first rule grants create on pods/exec, pods/attach and
pods/portforward as well as create/update/get on secrets, which together allow
running commands in, and reading the secrets of, every pod/namespace this role
covers. Presumably required to serve those operations for the virtual
cluster's workloads on the host; confirm before widening the scope further
(for example by enabling multiNamespaceMode, which turns this into a
ClusterRole).
*/}}
  - apiGroups: [""]
    resources: ["configmaps", "secrets", "services", "pods", "pods/attach", "pods/portforward", "pods/exec", "persistentvolumeclaims"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/status", "pods/ephemeralcontainers"]
    verbs: ["patch", "update"]
  - apiGroups: ["apps"]
    resources: ["statefulsets", "replicasets", "deployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["endpoints", "events", "pods/log"]
    verbs: ["get", "list", "watch"]
{{- /* Write access to endpoints is only granted when endpoint sync or a headless isolated control plane is enabled. */}}
{{- if or .Values.sync.toHost.endpoints.enabled .Values.experimental.isolatedControlPlane.headless }}
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "delete", "patch", "update"]
{{- end }}
{{- /* Leases are only needed with more than one control-plane replica; presumably used for leader election -- confirm. */}}
{{- if gt (int .Values.controlPlane.statefulSet.highAvailability.replicas) 1 }}
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if (and .Values.integrations.metricsServer.enabled .Values.integrations.metricsServer.pods) }}
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods"]
    verbs: ["get", "list"]
{{- end }}
{{- /* Each toHost sync option below adds full CRUD on exactly the resource it syncs. */}}
{{- if .Values.sync.toHost.ingresses.enabled}}
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.networkPolicies.enabled }}
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.volumeSnapshots.enabled }}
  - apiGroups: ["snapshot.storage.k8s.io"]
    resources: ["volumesnapshots"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.serviceAccounts.enabled }}
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.sync.toHost.podDisruptionBudgets.enabled }}
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- /*
KubeVirt integration. The subresources.kubevirt.io rule uses a wildcard
resource, so it covers every current and future subresource in that API
group rather than a fixed list; an explicit list would keep the grant from
growing silently with new KubeVirt releases, if the needed subresources are
known.
*/}}
{{- if .Values.integrations.kubeVirt.enabled }}
  - apiGroups: ["subresources.kubevirt.io"]
    resources: ["*"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
  - apiGroups: ["pool.kubevirt.io"]
    resources: ["virtualmachinepools", "virtualmachinepools/status"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
  - apiGroups: ["clone.kubevirt.io"]
    resources: ["virtualmachineclones", "virtualmachineclones/status"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
  - apiGroups: ["cdi.kubevirt.io"]
    resources: ["datavolumes", "datavolumes/status"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
  - apiGroups: ["kubevirt.io"]
    resources: ["virtualmachines", "virtualmachines/status", "virtualmachineinstances", "virtualmachineinstances/status", "virtualmachineinstancemigrations", "virtualmachineinstancemigrations/status"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- /* External Secrets integration: each synced kind is gated separately under integrations.externalSecrets.sync. */}}
{{- if .Values.integrations.externalSecrets.enabled }}
{{- if .Values.integrations.externalSecrets.sync.externalSecrets.enabled }}
  - apiGroups: ["external-secrets.io"]
    resources: ["externalsecrets"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.integrations.externalSecrets.sync.stores.enabled }}
  - apiGroups: ["external-secrets.io"]
    resources: ["secretstores"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- end }}
{{- /* cert-manager integration: certificates and issuers are gated separately under integrations.certManager.sync.toHost. */}}
{{- if .Values.integrations.certManager.enabled }}
{{- if .Values.integrations.certManager.sync.toHost.certificates.enabled }}
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.integrations.certManager.sync.toHost.issuers.enabled }}
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- end }}
{{- /*
Additional rules appended by helper templates (custom resources, plugins,
generic sync and rbac extras). Those helpers are defined outside this file and
may widen the grant beyond what is listed above; review their rendered output
together with this role. Each include is indented by 2 to line up with the
rule items above.
*/}}
{{- include "vcluster.customResources.roleExtraRules" . | indent 2 }}
{{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
{{- include "vcluster.generic.roleExtraRules" . | indent 2 }}
{{- include "vcluster.rbac.roleExtraRules" . | indent 2 }}
{{- end }}
{{- end }}