{{- /*
Source: github.com/Azure/aad-pod-identity@v1.8.17/charts/aad-pod-identity/templates/user-facing-clusterroles.yaml

User-facing ClusterRoles for the aadpodidentity.k8s.io custom resources.
Rendered only when both .Values.rbac.enabled and
.Values.rbac.createUserFacingClusterRoles are truthy.

Both roles carry rbac.authorization.k8s.io aggregation labels, so Kubernetes
merges their rules into the built-in view, edit and admin ClusterRoles. No
extra binding is needed for the rules to take effect.

Security note: with this enabled, every subject that holds the built-in edit
or admin role gains write access to AzureIdentity, AzureIdentityBinding and
AzurePodIdentityException objects in whatever scope that role is bound. In
aad-pod-identity these objects determine which Azure identity a pod can use
and which pods are exempted from identity interception, so enabling the flag
widens privilege. Review who holds edit and admin first, and consider an
admission policy that constrains which identities may be referenced when
tenants sharing the cluster are not mutually trusted.
*/ -}}
{{- if and (.Values.rbac.enabled) (.Values.rbac.createUserFacingClusterRoles) }}
# Read-only role: get/list/watch on the identity custom resources.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "aad-pod-identity.fullname" . }}-view
  labels:
    {{- include "aad-pod-identity.labels" . | nindent 4 }}
    # Labelled for all three built-in roles, so edit and admin receive the
    # read verbs from this role as well.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - "aadpodidentity.k8s.io"
    resources:
      - "azureidentitybindings"
      - "azureidentities"
      - "azurepodidentityexceptions"
    verbs:
      - "get"
      - "list"
      - "watch"
{{- if eq .Values.operationMode "standard" }}
  # Emitted only when operationMode is "standard"; other modes get no rule
  # for azureassignedidentities from this template.
  - apiGroups:
      - "aadpodidentity.k8s.io"
    resources:
      - "azureassignedidentities"
    verbs:
      - "get"
      - "list"
      - "watch"
{{- end }}
---
# Write role: mutating verbs only. Read verbs reach edit and admin through the
# -view role above. azureassignedidentities is not listed here, so this
# template grants no write access to it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "aad-pod-identity.fullname" . }}-edit
  labels:
    {{- include "aad-pod-identity.labels" . | nindent 4 }}
    # Not aggregated into view: holders of the built-in view role stay read-only.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
  - apiGroups:
      - "aadpodidentity.k8s.io"
    resources:
      - "azureidentitybindings"
      - "azureidentities"
      - "azurepodidentityexceptions"
    verbs:
      - "create"
      - "delete"
      - "deletecollection"
      - "patch"
      - "update"
{{- end }}