
     1  # Source: cert-manager/templates/rbac.yaml
     2  # Challenges controller role
     3  apiVersion: rbac.authorization.k8s.io/v1
     4  kind: ClusterRole
     5  metadata:
     6    name: cert-manager-controller-challenges
     7    labels:
     8      app: cert-manager
     9      app.kubernetes.io/name: cert-manager
    10      app.kubernetes.io/instance: cert-manager
    11      app.kubernetes.io/component: "controller"
    12      app.kubernetes.io/version: "v1.8.2"
    13  rules:
    14    # Use to update challenge resource status
    15    - apiGroups: ["acme.cert-manager.io"]
    16      resources: ["challenges", "challenges/status"]
    17      verbs: ["update", "patch"]
    18    # Used to watch challenge resources
    19    - apiGroups: ["acme.cert-manager.io"]
    20      resources: ["challenges"]
    21      verbs: ["get", "list", "watch"]
    22    # Used to watch challenges, issuer and clusterissuer resources
    23    - apiGroups: ["cert-manager.io"]
    24      resources: ["issuers", "clusterissuers"]
    25      verbs: ["get", "list", "watch"]
    26    # Need to be able to retrieve ACME account private key to complete challenges
    27    - apiGroups: [""]
    28      resources: ["secrets"]
    29      verbs: ["get", "list", "watch"]
    30    # Used to create events
    31    - apiGroups: [""]
    32      resources: ["events"]
    33      verbs: ["create", "patch"]
    34    # HTTP01 rules
    35    - apiGroups: [""]
    36      resources: ["pods", "services"]
    37      verbs: ["get", "list", "watch", "create", "delete"]
    38    - apiGroups: ["networking.k8s.io"]
    39      resources: ["ingresses"]
    40      verbs: ["get", "list", "watch", "create", "delete", "update"]
    41    - apiGroups: [ "gateway.networking.k8s.io" ]
    42      resources: [ "httproutes" ]
    43      verbs: ["get", "list", "watch", "create", "delete", "update"]
    44    # We require the ability to specify a custom hostname when we are creating
    45    # new ingress resources.
    46    # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
    47    - apiGroups: ["route.openshift.io"]
    48      resources: ["routes/custom-host"]
    49      verbs: ["create"]
    50    # We require these rules to support users with the OwnerReferencesPermissionEnforcement
    51    # admission controller enabled:
    52    # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
    53    - apiGroups: ["acme.cert-manager.io"]
    54      resources: ["challenges/finalizers"]
    55      verbs: ["update"]
    56    # DNS01 rules (duplicated above)
    57    - apiGroups: [""]
    58      resources: ["secrets"]
    59      verbs: ["get", "list", "watch"]
    60