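{{- if .Values.cainjector.enabled }}
{{- if .Values.global.rbac.create }}
# Cluster-scoped permissions for the cainjector service account. The Secrets
# rule below is a read of every Secret in the cluster and is the broadest
# grant in this file; keep it in mind when auditing this service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "cainjector.fullname" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "watch"]
  # Read-only, but cluster-wide and not scoped by resourceNames.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "create", "update", "patch"]
  # The three rules below grant "update" (write access) on cluster-scoped
  # objects: webhook configurations, APIServices and CRDs. Any widening of
  # these verbs affects the whole cluster and deserves review.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["apiservices"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "update"]
---
# Bind the ClusterRole above to the cainjector service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ template "cainjector.fullname" . }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ template "cainjector.fullname" . }}
subjects:
  # Same key order as the RoleBinding subject below, for diffability.
  - kind: ServiceAccount
    name: {{ template "cainjector.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}

---
# leader election rules
# Namespaced Role: only the leader election namespace is affected, not the
# namespace cert-manager itself is installed into.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ template "cainjector.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
rules:
  # Used for leader election by the controller
  # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller
  # see cmd/cainjector/start.go#L113
  # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller
  # see cmd/cainjector/start.go#L137
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"]
    verbs: ["get", "update", "patch"]
  # "create" cannot be restricted by resourceNames (the object name is not
  # known at authorization time), so it lives in its own unscoped rule.
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]

---

# grant the cainjector service account permission to use the leader election
# Leases (the Role above) in the leader election namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cainjector.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cainjector.name" . }}
    app.kubernetes.io/name: {{ include "cainjector.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cainjector"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "cainjector.fullname" . }}:leaderelection
subjects:
  - kind: ServiceAccount
    name: {{ template "cainjector.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
{{- end }}
{{- end }}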