github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/cert-manager/templates/rbac.yaml (about) 1 {{- if .Values.global.rbac.create }} 2 apiVersion: rbac.authorization.k8s.io/v1 3 kind: Role 4 metadata: 5 name: {{ template "cert-manager.fullname" . }}:leaderelection 6 namespace: {{ .Values.global.leaderElection.namespace }} 7 labels: 8 app: {{ include "cert-manager.name" . }} 9 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 10 app.kubernetes.io/instance: {{ .Release.Name }} 11 app.kubernetes.io/component: "controller" 12 {{- include "labels" . | nindent 4 }} 13 rules: 14 - apiGroups: ["coordination.k8s.io"] 15 resources: ["leases"] 16 resourceNames: ["cert-manager-controller"] 17 verbs: ["get", "update", "patch"] 18 - apiGroups: ["coordination.k8s.io"] 19 resources: ["leases"] 20 verbs: ["create"] 21 22 --- 23 24 # grant cert-manager permission to manage the leaderelection configmap in the 25 # leader election namespace 26 apiVersion: rbac.authorization.k8s.io/v1 27 kind: RoleBinding 28 metadata: 29 name: {{ include "cert-manager.fullname" . }}:leaderelection 30 namespace: {{ .Values.global.leaderElection.namespace }} 31 labels: 32 app: {{ include "cert-manager.name" . }} 33 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 34 app.kubernetes.io/instance: {{ .Release.Name }} 35 app.kubernetes.io/component: "controller" 36 {{- include "labels" . | nindent 4 }} 37 roleRef: 38 apiGroup: rbac.authorization.k8s.io 39 kind: Role 40 name: {{ template "cert-manager.fullname" . }}:leaderelection 41 subjects: 42 - apiGroup: "" 43 kind: ServiceAccount 44 name: {{ template "cert-manager.serviceAccountName" . }} 45 namespace: {{ include "cert-manager.namespace" . }} 46 47 --- 48 49 # Issuer controller role 50 apiVersion: rbac.authorization.k8s.io/v1 51 kind: ClusterRole 52 metadata: 53 name: {{ template "cert-manager.fullname" . }}-controller-issuers 54 labels: 55 app: {{ include "cert-manager.name" . }} 56 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 57 app.kubernetes.io/instance: {{ .Release.Name }} 58 app.kubernetes.io/component: "controller" 59 {{- include "labels" . | nindent 4 }} 60 rules: 61 - apiGroups: ["cert-manager.io"] 62 resources: ["issuers", "issuers/status"] 63 verbs: ["update", "patch"] 64 - apiGroups: ["cert-manager.io"] 65 resources: ["issuers"] 66 verbs: ["get", "list", "watch"] 67 - apiGroups: [""] 68 resources: ["secrets"] 69 verbs: ["get", "list", "watch", "create", "update", "delete"] 70 - apiGroups: [""] 71 resources: ["events"] 72 verbs: ["create", "patch"] 73 74 --- 75 76 # ClusterIssuer controller role 77 apiVersion: rbac.authorization.k8s.io/v1 78 kind: ClusterRole 79 metadata: 80 name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers 81 labels: 82 app: {{ include "cert-manager.name" . }} 83 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 84 app.kubernetes.io/instance: {{ .Release.Name }} 85 app.kubernetes.io/component: "controller" 86 {{- include "labels" . | nindent 4 }} 87 rules: 88 - apiGroups: ["cert-manager.io"] 89 resources: ["clusterissuers", "clusterissuers/status"] 90 verbs: ["update", "patch"] 91 - apiGroups: ["cert-manager.io"] 92 resources: ["clusterissuers"] 93 verbs: ["get", "list", "watch"] 94 - apiGroups: [""] 95 resources: ["secrets"] 96 verbs: ["get", "list", "watch", "create", "update", "delete"] 97 - apiGroups: [""] 98 resources: ["events"] 99 verbs: ["create", "patch"] 100 101 --- 102 103 # Certificates controller role 104 apiVersion: rbac.authorization.k8s.io/v1 105 kind: ClusterRole 106 metadata: 107 name: {{ template "cert-manager.fullname" . }}-controller-certificates 108 labels: 109 app: {{ include "cert-manager.name" . }} 110 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 111 app.kubernetes.io/instance: {{ .Release.Name }} 112 app.kubernetes.io/component: "controller" 113 {{- include "labels" . | nindent 4 }} 114 rules: 115 - apiGroups: ["cert-manager.io"] 116 resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] 117 verbs: ["update", "patch"] 118 - apiGroups: ["cert-manager.io"] 119 resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] 120 verbs: ["get", "list", "watch"] 121 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 122 # admission controller enabled: 123 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 124 - apiGroups: ["cert-manager.io"] 125 resources: ["certificates/finalizers", "certificaterequests/finalizers"] 126 verbs: ["update"] 127 - apiGroups: ["acme.cert-manager.io"] 128 resources: ["orders"] 129 verbs: ["create", "delete", "get", "list", "watch"] 130 - apiGroups: [""] 131 resources: ["secrets"] 132 verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] 133 - apiGroups: [""] 134 resources: ["events"] 135 verbs: ["create", "patch"] 136 137 --- 138 139 # Orders controller role 140 apiVersion: rbac.authorization.k8s.io/v1 141 kind: ClusterRole 142 metadata: 143 name: {{ template "cert-manager.fullname" . }}-controller-orders 144 labels: 145 app: {{ include "cert-manager.name" . }} 146 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 147 app.kubernetes.io/instance: {{ .Release.Name }} 148 app.kubernetes.io/component: "controller" 149 {{- include "labels" . | nindent 4 }} 150 rules: 151 - apiGroups: ["acme.cert-manager.io"] 152 resources: ["orders", "orders/status"] 153 verbs: ["update", "patch"] 154 - apiGroups: ["acme.cert-manager.io"] 155 resources: ["orders", "challenges"] 156 verbs: ["get", "list", "watch"] 157 - apiGroups: ["cert-manager.io"] 158 resources: ["clusterissuers", "issuers"] 159 verbs: ["get", "list", "watch"] 160 - apiGroups: ["acme.cert-manager.io"] 161 resources: ["challenges"] 162 verbs: ["create", "delete"] 163 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 164 # admission controller enabled: 165 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 166 - apiGroups: ["acme.cert-manager.io"] 167 resources: ["orders/finalizers"] 168 verbs: ["update"] 169 - apiGroups: [""] 170 resources: ["secrets"] 171 verbs: ["get", "list", "watch"] 172 - apiGroups: [""] 173 resources: ["events"] 174 verbs: ["create", "patch"] 175 176 --- 177 178 # Challenges controller role 179 apiVersion: rbac.authorization.k8s.io/v1 180 kind: ClusterRole 181 metadata: 182 name: {{ template "cert-manager.fullname" . }}-controller-challenges 183 labels: 184 app: {{ include "cert-manager.name" . }} 185 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 186 app.kubernetes.io/instance: {{ .Release.Name }} 187 app.kubernetes.io/component: "controller" 188 {{- include "labels" . | nindent 4 }} 189 rules: 190 # Use to update challenge resource status 191 - apiGroups: ["acme.cert-manager.io"] 192 resources: ["challenges", "challenges/status"] 193 verbs: ["update", "patch"] 194 # Used to watch challenge resources 195 - apiGroups: ["acme.cert-manager.io"] 196 resources: ["challenges"] 197 verbs: ["get", "list", "watch"] 198 # Used to watch challenges, issuer and clusterissuer resources 199 - apiGroups: ["cert-manager.io"] 200 resources: ["issuers", "clusterissuers"] 201 verbs: ["get", "list", "watch"] 202 # Need to be able to retrieve ACME account private key to complete challenges 203 - apiGroups: [""] 204 resources: ["secrets"] 205 verbs: ["get", "list", "watch"] 206 # Used to create events 207 - apiGroups: [""] 208 resources: ["events"] 209 verbs: ["create", "patch"] 210 # HTTP01 rules 211 - apiGroups: [""] 212 resources: ["pods", "services"] 213 verbs: ["get", "list", "watch", "create", "delete"] 214 - apiGroups: ["networking.k8s.io"] 215 resources: ["ingresses"] 216 verbs: ["get", "list", "watch", "create", "delete", "update"] 217 - apiGroups: [ "gateway.networking.k8s.io" ] 218 resources: [ "httproutes" ] 219 verbs: ["get", "list", "watch", "create", "delete", "update"] 220 # We require the ability to specify a custom hostname when we are creating 221 # new ingress resources. 222 # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 223 - apiGroups: ["route.openshift.io"] 224 resources: ["routes/custom-host"] 225 verbs: ["create"] 226 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 227 # admission controller enabled: 228 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 229 - apiGroups: ["acme.cert-manager.io"] 230 resources: ["challenges/finalizers"] 231 verbs: ["update"] 232 # DNS01 rules (duplicated above) 233 - apiGroups: [""] 234 resources: ["secrets"] 235 verbs: ["get", "list", "watch"] 236 237 --- 238 239 # ingress-shim controller role 240 apiVersion: rbac.authorization.k8s.io/v1 241 kind: ClusterRole 242 metadata: 243 name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim 244 labels: 245 app: {{ include "cert-manager.name" . }} 246 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 247 app.kubernetes.io/instance: {{ .Release.Name }} 248 app.kubernetes.io/component: "controller" 249 {{- include "labels" . | nindent 4 }} 250 rules: 251 - apiGroups: ["cert-manager.io"] 252 resources: ["certificates", "certificaterequests"] 253 verbs: ["create", "update", "delete"] 254 - apiGroups: ["cert-manager.io"] 255 resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] 256 verbs: ["get", "list", "watch"] 257 - apiGroups: ["networking.k8s.io"] 258 resources: ["ingresses"] 259 verbs: ["get", "list", "watch"] 260 # We require these rules to support users with the OwnerReferencesPermissionEnforcement 261 # admission controller enabled: 262 # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement 263 - apiGroups: ["networking.k8s.io"] 264 resources: ["ingresses/finalizers"] 265 verbs: ["update"] 266 - apiGroups: ["gateway.networking.k8s.io"] 267 resources: ["gateways", "httproutes"] 268 verbs: ["get", "list", "watch"] 269 - apiGroups: ["gateway.networking.k8s.io"] 270 resources: ["gateways/finalizers", "httproutes/finalizers"] 271 verbs: ["update"] 272 - apiGroups: [""] 273 resources: ["events"] 274 verbs: ["create", "patch"] 275 276 --- 277 278 apiVersion: rbac.authorization.k8s.io/v1 279 kind: ClusterRoleBinding 280 metadata: 281 name: {{ template "cert-manager.fullname" . }}-controller-issuers 282 labels: 283 app: {{ include "cert-manager.name" . }} 284 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 285 app.kubernetes.io/instance: {{ .Release.Name }} 286 app.kubernetes.io/component: "controller" 287 {{- include "labels" . | nindent 4 }} 288 roleRef: 289 apiGroup: rbac.authorization.k8s.io 290 kind: ClusterRole 291 name: {{ template "cert-manager.fullname" . }}-controller-issuers 292 subjects: 293 - name: {{ template "cert-manager.serviceAccountName" . }} 294 namespace: {{ include "cert-manager.namespace" . }} 295 kind: ServiceAccount 296 297 --- 298 299 apiVersion: rbac.authorization.k8s.io/v1 300 kind: ClusterRoleBinding 301 metadata: 302 name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers 303 labels: 304 app: {{ include "cert-manager.name" . }} 305 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 306 app.kubernetes.io/instance: {{ .Release.Name }} 307 app.kubernetes.io/component: "controller" 308 {{- include "labels" . | nindent 4 }} 309 roleRef: 310 apiGroup: rbac.authorization.k8s.io 311 kind: ClusterRole 312 name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers 313 subjects: 314 - name: {{ template "cert-manager.serviceAccountName" . }} 315 namespace: {{ include "cert-manager.namespace" . }} 316 kind: ServiceAccount 317 318 --- 319 320 apiVersion: rbac.authorization.k8s.io/v1 321 kind: ClusterRoleBinding 322 metadata: 323 name: {{ template "cert-manager.fullname" . }}-controller-certificates 324 labels: 325 app: {{ include "cert-manager.name" . }} 326 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 327 app.kubernetes.io/instance: {{ .Release.Name }} 328 app.kubernetes.io/component: "controller" 329 {{- include "labels" . | nindent 4 }} 330 roleRef: 331 apiGroup: rbac.authorization.k8s.io 332 kind: ClusterRole 333 name: {{ template "cert-manager.fullname" . }}-controller-certificates 334 subjects: 335 - name: {{ template "cert-manager.serviceAccountName" . }} 336 namespace: {{ include "cert-manager.namespace" . }} 337 kind: ServiceAccount 338 339 --- 340 341 apiVersion: rbac.authorization.k8s.io/v1 342 kind: ClusterRoleBinding 343 metadata: 344 name: {{ template "cert-manager.fullname" . }}-controller-orders 345 labels: 346 app: {{ include "cert-manager.name" . }} 347 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 348 app.kubernetes.io/instance: {{ .Release.Name }} 349 app.kubernetes.io/component: "controller" 350 {{- include "labels" . | nindent 4 }} 351 roleRef: 352 apiGroup: rbac.authorization.k8s.io 353 kind: ClusterRole 354 name: {{ template "cert-manager.fullname" . }}-controller-orders 355 subjects: 356 - name: {{ template "cert-manager.serviceAccountName" . }} 357 namespace: {{ include "cert-manager.namespace" . }} 358 kind: ServiceAccount 359 360 --- 361 362 apiVersion: rbac.authorization.k8s.io/v1 363 kind: ClusterRoleBinding 364 metadata: 365 name: {{ template "cert-manager.fullname" . }}-controller-challenges 366 labels: 367 app: {{ include "cert-manager.name" . }} 368 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 369 app.kubernetes.io/instance: {{ .Release.Name }} 370 app.kubernetes.io/component: "controller" 371 {{- include "labels" . | nindent 4 }} 372 roleRef: 373 apiGroup: rbac.authorization.k8s.io 374 kind: ClusterRole 375 name: {{ template "cert-manager.fullname" . }}-controller-challenges 376 subjects: 377 - name: {{ template "cert-manager.serviceAccountName" . }} 378 namespace: {{ include "cert-manager.namespace" . }} 379 kind: ServiceAccount 380 381 --- 382 383 apiVersion: rbac.authorization.k8s.io/v1 384 kind: ClusterRoleBinding 385 metadata: 386 name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim 387 labels: 388 app: {{ include "cert-manager.name" . }} 389 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 390 app.kubernetes.io/instance: {{ .Release.Name }} 391 app.kubernetes.io/component: "controller" 392 {{- include "labels" . | nindent 4 }} 393 roleRef: 394 apiGroup: rbac.authorization.k8s.io 395 kind: ClusterRole 396 name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim 397 subjects: 398 - name: {{ template "cert-manager.serviceAccountName" . }} 399 namespace: {{ include "cert-manager.namespace" . }} 400 kind: ServiceAccount 401 402 --- 403 404 apiVersion: rbac.authorization.k8s.io/v1 405 kind: ClusterRole 406 metadata: 407 name: {{ template "cert-manager.fullname" . }}-view 408 labels: 409 app: {{ include "cert-manager.name" . }} 410 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 411 app.kubernetes.io/instance: {{ .Release.Name }} 412 app.kubernetes.io/component: "controller" 413 {{- include "labels" . | nindent 4 }} 414 {{- if .Values.global.rbac.aggregateClusterRoles }} 415 rbac.authorization.k8s.io/aggregate-to-view: "true" 416 rbac.authorization.k8s.io/aggregate-to-edit: "true" 417 rbac.authorization.k8s.io/aggregate-to-admin: "true" 418 {{- end }} 419 rules: 420 - apiGroups: ["cert-manager.io"] 421 resources: ["certificates", "certificaterequests", "issuers"] 422 verbs: ["get", "list", "watch"] 423 - apiGroups: ["acme.cert-manager.io"] 424 resources: ["challenges", "orders"] 425 verbs: ["get", "list", "watch"] 426 427 428 --- 429 430 apiVersion: rbac.authorization.k8s.io/v1 431 kind: ClusterRole 432 metadata: 433 name: {{ template "cert-manager.fullname" . }}-edit 434 labels: 435 app: {{ include "cert-manager.name" . }} 436 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 437 app.kubernetes.io/instance: {{ .Release.Name }} 438 app.kubernetes.io/component: "controller" 439 {{- include "labels" . | nindent 4 }} 440 {{- if .Values.global.rbac.aggregateClusterRoles }} 441 rbac.authorization.k8s.io/aggregate-to-edit: "true" 442 rbac.authorization.k8s.io/aggregate-to-admin: "true" 443 {{- end }} 444 rules: 445 - apiGroups: ["cert-manager.io"] 446 resources: ["certificates", "certificaterequests", "issuers"] 447 verbs: ["create", "delete", "deletecollection", "patch", "update"] 448 - apiGroups: ["cert-manager.io"] 449 resources: ["certificates/status"] 450 verbs: ["update"] 451 - apiGroups: ["acme.cert-manager.io"] 452 resources: ["challenges", "orders"] 453 verbs: ["create", "delete", "deletecollection", "patch", "update"] 454 455 --- 456 457 # Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers 458 apiVersion: rbac.authorization.k8s.io/v1 459 kind: ClusterRole 460 metadata: 461 name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io 462 labels: 463 app: {{ include "cert-manager.name" . }} 464 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 465 app.kubernetes.io/instance: {{ .Release.Name }} 466 app.kubernetes.io/component: "cert-manager" 467 {{- include "labels" . | nindent 4 }} 468 rules: 469 - apiGroups: ["cert-manager.io"] 470 resources: ["signers"] 471 verbs: ["approve"] 472 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 473 474 --- 475 476 apiVersion: rbac.authorization.k8s.io/v1 477 kind: ClusterRoleBinding 478 metadata: 479 name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io 480 labels: 481 app: {{ include "cert-manager.name" . }} 482 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 483 app.kubernetes.io/instance: {{ .Release.Name }} 484 app.kubernetes.io/component: "cert-manager" 485 {{- include "labels" . | nindent 4 }} 486 roleRef: 487 apiGroup: rbac.authorization.k8s.io 488 kind: ClusterRole 489 name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io 490 subjects: 491 - name: {{ template "cert-manager.serviceAccountName" . }} 492 namespace: {{ include "cert-manager.namespace" . }} 493 kind: ServiceAccount 494 495 --- 496 497 # Permission to: 498 # - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers 499 # - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers 500 apiVersion: rbac.authorization.k8s.io/v1 501 kind: ClusterRole 502 metadata: 503 name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests 504 labels: 505 app: {{ include "cert-manager.name" . }} 506 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 507 app.kubernetes.io/instance: {{ .Release.Name }} 508 app.kubernetes.io/component: "cert-manager" 509 {{- include "labels" . | nindent 4 }} 510 rules: 511 - apiGroups: ["certificates.k8s.io"] 512 resources: ["certificatesigningrequests"] 513 verbs: ["get", "list", "watch", "update"] 514 - apiGroups: ["certificates.k8s.io"] 515 resources: ["certificatesigningrequests/status"] 516 verbs: ["update", "patch"] 517 - apiGroups: ["certificates.k8s.io"] 518 resources: ["signers"] 519 resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] 520 verbs: ["sign"] 521 - apiGroups: ["authorization.k8s.io"] 522 resources: ["subjectaccessreviews"] 523 verbs: ["create"] 524 525 --- 526 527 apiVersion: rbac.authorization.k8s.io/v1 528 kind: ClusterRoleBinding 529 metadata: 530 name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests 531 labels: 532 app: {{ include "cert-manager.name" . }} 533 app.kubernetes.io/name: {{ include "cert-manager.name" . }} 534 app.kubernetes.io/instance: {{ .Release.Name }} 535 app.kubernetes.io/component: "cert-manager" 536 {{- include "labels" . | nindent 4 }} 537 roleRef: 538 apiGroup: rbac.authorization.k8s.io 539 kind: ClusterRole 540 name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests 541 subjects: 542 - name: {{ template "cert-manager.serviceAccountName" . }} 543 namespace: {{ include "cert-manager.namespace" . }} 544 kind: ServiceAccount 545 {{- end }}