# File: github.com/verrazzano/verrazzano@v1.7.0/platform-operator/helm_config/charts/verrazzano-monitoring-operator/templates/clusterrole.yaml
# Copyright (c) 2022, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

# Helm template defining three ClusterRoles:
#   1. <monitoringOperator.name>-cluster-role - broad operator role
#   2. vmi-cluster-role-default               - fixed name, not templated
#   3. <monitoringOperator.name>-get-nodes    - list-only access to nodes
# The bindings and subjects that use these roles are not in this file, so the
# effective scope of every rule below depends on how the role is bound
# (ClusterRoleBinding = all namespaces, RoleBinding = one namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    # NOTE(review): the template value is rendered unquoted; an empty or
    # boolean/number-looking value would not parse as a string here. Confirm
    # the chart constrains .Values.monitoringOperator.name.
    k8s-app: {{ .Values.monitoringOperator.name }}
  name: {{ .Values.monitoringOperator.name }}-cluster-role
rules:
  # Core API group (""): read and write on the listed resources.
  # Security-relevant entries to review against least privilege:
  #   - secrets: read access covers service account tokens and any other
  #     credentials stored as Secrets in the namespaces the binding covers.
  #   - nodes/proxy: gives access to the kubelet API through the API server;
  #     Kubernetes RBAC guidance treats this as equivalent to command
  #     execution in pods on the node, outside admission control.
  #   - nodes, namespaces: cluster-scoped, so they only take effect through a
  #     ClusterRoleBinding.
  # NOTE(review): all ten resources share one verb list, so nodes/proxy and
  # secrets get update/create/delete as well as read. Confirm the operator
  # needs the write verbs on each resource rather than on a subset.
  - apiGroups:
      - ""
    resources:
      - nodes
      - nodes/proxy
      - persistentvolumeclaims
      - services
      - configmaps
      - secrets
      - namespaces
      - endpoints
      - pods
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  # Events: read plus create/patch; no update or delete.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - patch
  # Following rule required to allow operator to grant API "create" verb on "pods/exec"
  # "create" on pods/exec is the permission to run commands inside containers.
  # NOTE(review): presumably held so the operator can create bindings to
  # vmi-cluster-role-default, which carries the same rule; Kubernetes only lets
  # a subject create a binding to permissions it already holds (or has "bind"
  # on). Confirm against the operator code.
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  # Following rule required to allow operator to grant API "get" verb on "pods/log"
  - apiGroups:
      - ""
    resources:
      - pods/log
    verbs:
      - get
  # Workload controllers: full read/write including patch.
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
      - patch
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # NOTE(review): Jobs are served from the "batch" group (granted above);
  # "extensions" looks like a legacy entry. Confirm it is still needed.
  - apiGroups:
      - extensions
    resources:
      - jobs
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  # CRDs are cluster-scoped; deleting a CRD also removes every custom resource
  # of that kind. No "update"/"patch" is granted here.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - delete
      - get
      - list
      - watch
  # Binding management. RBAC escalation prevention limits new bindings to
  # permissions the caller already holds, but this role holds broad ones, so
  # audit which subjects the operator binds and to which roles.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - clusterrolebindings
    verbs:
      - create
      - delete
      - get
      - list
      - update
      - watch
  # Roles and ClusterRoles are read-only: the operator can reference existing
  # roles but this rule does not let it create or modify them.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - roles
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  # Operator's own custom resource: read and update, no create or delete.
  - apiGroups:
      - verrazzano.io
    resources:
      - verrazzanomonitoringinstances
    verbs:
      - get
      - list
      - update
      - watch
  # Read-only wildcard: '*' matches every resource in velero.io, including
  # resource types added to that group later.
  - apiGroups:
      - velero.io
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  # NOTE(review): "v1" is an API version, not an API group; Secrets live in
  # the core group "". As written this rule appears to match nothing, and
  # secrets read access is already granted by the first rule. Confirm and
  # remove or correct.
  - apiGroups:
      - v1
    resources:
      - secrets
    verbs:
      - get
      - list
      - watch
  # Non-resource URL rule: GET on /metrics. nonResourceURLs rules only take
  # effect when the role is bound with a ClusterRoleBinding.
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
# Second ClusterRole. The name is a fixed literal (not derived from
# .Values.monitoringOperator.name) and no labels are set.
# Every rule here is also present in the operator role above.
# NOTE(review): which subjects are bound to this role is not visible in this
# file; secrets read/write and pods/exec make that binding worth auditing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vmi-cluster-role-default
rules:
  # Full read/write on ConfigMaps and Secrets in the bound scope.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  # Pods: read and delete only (no create or update).
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
      - delete
  # Following rule required to grant Cirith "create" verb on "pods/exec"
  - apiGroups:
      - ""
    resources:
      - pods/exec
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - pods/log
    verbs:
      - get
  # NOTE(review): "extensions" looks like a legacy group for Jobs; see the
  # matching entry in the operator role and confirm it is still needed.
  - apiGroups:
      - "batch"
      - "extensions"
    resources:
      - jobs
    verbs:
      - get
      - list
      - watch
      - update
      - create
      - delete
  - apiGroups:
      - verrazzano.io
    resources:
      - verrazzanomonitoringinstances
    verbs:
      - get
      - list
      - watch
      - update
---
# Third ClusterRole: the only permission is "list" on nodes (no get or watch).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.monitoringOperator.name }}-get-nodes
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - list