{{- /*
Source: github.com/Azure/aad-pod-identity@v1.8.17
  charts/aad-pod-identity/templates/nmi-clusterrole.yaml

ClusterRole for the NMI component, rendered only when rbac.enabled is set.
Every rule is read-only (get/list/watch) except the optional PSP "use" rule.
The binding that attaches this role to a service account is not in this file.
*/ -}}
{{- if .Values.rbac.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "aad-pod-identity.nmi.fullname" . }}
  labels:
    {{- include "aad-pod-identity.labels" . | nindent 4 }}
    app.kubernetes.io/component: nmi
rules:
# CRD metadata: get/list only, no watch and no write verbs.
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list"]
# Pods in the core API group: read-only.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
{{- if .Values.rbac.allowAccessToSecrets }}
# SECURITY: opt-in via rbac.allowAccessToSecrets. The rule has no
# resourceNames, so it is not limited to particular Secrets; if this role is
# bound with a ClusterRoleBinding (binding not shown here), NMI's service
# account can read any Secret in any namespace. Enable this only when NMI
# must read Secrets, and audit "get secrets" requests from that account.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
{{- end }}
# aad-pod-identity custom resources: read-only.
- apiGroups: ["aadpodidentity.k8s.io"]
  resources:
  - "azureidentitybindings"
  - "azureidentities"
  - "azurepodidentityexceptions"
  verbs: ["get", "list", "watch"]
{{- if eq .Values.operationMode "standard" }}
# Granted only when operationMode is "standard".
- apiGroups: ["aadpodidentity.k8s.io"]
  resources: ["azureassignedidentities"]
  verbs: ["get", "list", "watch"]
{{- end -}}
{{- if .Values.rbac.pspEnabled }}
# "use" is pinned by resourceNames to the single NMI PodSecurityPolicy, so the
# role cannot select any other policy. PodSecurityPolicy was removed in
# Kubernetes v1.25; enable rbac.pspEnabled only on clusters that still serve it.
- apiGroups: ["policy"]
  resources: ["podsecuritypolicies"]
  verbs: ["use"]
  resourceNames:
  - {{ template "aad-pod-identity-psp.nmi.fullname" . }}
{{- end }}
{{- end }}