github.com/verrazzano/verrazzano@v1.7.0/platform-operator/thirdparty/charts/cert-manager/templates/webhook-rbac.yaml (about)

     1  {{- if .Values.global.rbac.create }}
        # Everything in this template, down to the closing end action on the last
        # line, is rendered only when .Values.global.rbac.create is set; when it
        # is not, none of the webhook RBAC objects below are emitted.
        #
        # Namespaced Role, created in the namespace returned by the
        # cert-manager.namespace helper. It covers one secret, named
        # "<webhook fullname>-ca", plus the ability to create secrets.
        # NOTE(review): the ":dynamic-serving" suffix suggests this secret backs
        # the webhook's self-managed serving certificate -- confirm against the
        # webhook deployment.
     2  apiVersion: rbac.authorization.k8s.io/v1
     3  kind: Role
     4  metadata:
     5    name: {{ template "webhook.fullname" . }}:dynamic-serving
     6    namespace: {{ include "cert-manager.namespace" . }}
     7    labels:
     8      app: {{ include "webhook.name" . }}
     9      app.kubernetes.io/name: {{ include "webhook.name" . }}
    10      app.kubernetes.io/instance: {{ .Release.Name }}
    11      app.kubernetes.io/component: "webhook"
    12      {{- include "labels" . | nindent 4 }}
    13  rules:
        # Rule 1: read and update access, limited by resourceNames to the CA
        # secret. Kubernetes applies resourceNames to list/watch only when the
        # request carries a matching metadata.name field selector, so a client
        # that lists secrets without one is denied, not shown every secret.
    14  - apiGroups: [""]
    15    resources: ["secrets"]
    16    resourceNames:
    17    - '{{ template "webhook.fullname" . }}-ca'
    18    verbs: ["get", "list", "watch", "update"]
    19  # It's not possible to grant CREATE permission on a single resourceName.
        # Rule 2 therefore allows creating a secret of any name in this
        # namespace. It carries no get, update or delete verb, so it adds no
        # access to secrets that already exist. Secret creation by this
        # ServiceAccount is worth covering in audit policy when the namespace
        # is shared with other workloads.
    20  - apiGroups: [""]
    21    resources: ["secrets"]
    22    verbs: ["create"]
    23  ---
    24  
    25  apiVersion: rbac.authorization.k8s.io/v1
        # Binds the "<webhook fullname>:dynamic-serving" Role to the webhook
        # ServiceAccount. Role, binding and subject all use the namespace
        # returned by the cert-manager.namespace helper, so the grant stays
        # inside that one namespace.
    26  kind: RoleBinding
    27  metadata:
    28    name: {{ template "webhook.fullname" . }}:dynamic-serving
    29    namespace: {{ include "cert-manager.namespace" . }}
    30    labels:
    31      app: {{ include "webhook.name" . }}
    32      app.kubernetes.io/name: {{ include "webhook.name" . }}
    33      app.kubernetes.io/instance: {{ .Release.Name }}
    34      app.kubernetes.io/component: "webhook"
    35      {{- include "labels" . | nindent 4 }}
        # roleRef names the Role by the same webhook.fullname helper plus the
        # ":dynamic-serving" suffix; the two names must stay identical or the
        # binding points at nothing.
    36  roleRef:
    37    apiGroup: rbac.authorization.k8s.io
    38    kind: Role
    39    name: {{ template "webhook.fullname" . }}:dynamic-serving
    40  subjects:
        # ServiceAccount is a core-group kind, hence the empty apiGroup.
    41  - apiGroup: ""
    42    kind: ServiceAccount
    43    name: {{ template "webhook.serviceAccountName" . }}
    44    namespace: {{ include "cert-manager.namespace" . }}
    45  
    46  ---
    47  
    48  apiVersion: rbac.authorization.k8s.io/v1
        # Cluster-scoped role (no namespace in metadata) with a single rule:
        # create on subjectaccessreviews. Creating a SubjectAccessReview asks
        # the API server whether a given user or group may perform a given
        # action; it returns a decision and changes no permissions. The role is
        # cluster-scoped because SubjectAccessReview is not a namespaced
        # resource.
        # NOTE(review): presumably the webhook uses this to check a requester's
        # permissions during admission -- confirm against the webhook code.
    49  kind: ClusterRole
    50  metadata:
    51    name: {{ template "webhook.fullname" . }}:subjectaccessreviews
    52    labels:
    53      app: {{ include "webhook.name" . }}
    54      app.kubernetes.io/name: {{ include "webhook.name" . }}
    55      app.kubernetes.io/instance: {{ .Release.Name }}
    56      app.kubernetes.io/component: "webhook"
    57      {{- include "labels" . | nindent 4 }}
    58  rules:
        # No resourceNames here: create requests cannot be limited by name.
    59  - apiGroups: ["authorization.k8s.io"]
    60    resources: ["subjectaccessreviews"]
    61    verbs: ["create"]
    62  ---
    63  
    64  apiVersion: rbac.authorization.k8s.io/v1
        # Grants the "<webhook fullname>:subjectaccessreviews" ClusterRole to
        # the webhook ServiceAccount. Because this is a ClusterRoleBinding the
        # grant applies cluster-wide, although the subject itself lives in the
        # namespace returned by the cert-manager.namespace helper.
    65  kind: ClusterRoleBinding
    66  metadata:
    67    name: {{ template "webhook.fullname" . }}:subjectaccessreviews
    68    labels:
    69      app: {{ include "webhook.name" . }}
    70      app.kubernetes.io/name: {{ include "webhook.name" . }}
    71      app.kubernetes.io/instance: {{ .Release.Name }}
    72      app.kubernetes.io/component: "webhook"
    73      {{- include "labels" . | nindent 4 }}
    74  roleRef:
    75    apiGroup: rbac.authorization.k8s.io
    76    kind: ClusterRole
    77    name: {{ template "webhook.fullname" . }}:subjectaccessreviews
    78  subjects:
        # ServiceAccount is a core-group kind, hence the empty apiGroup. The
        # subject is the same account the namespaced RoleBinding in this file
        # uses (webhook.serviceAccountName helper).
    79  - apiGroup: ""
    80    kind: ServiceAccount
    81    name: {{ template "webhook.serviceAccountName" . }}
    82    namespace: {{ include "cert-manager.namespace" . }}
    83  {{- end }}