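# Helm template: platform-operator/thirdparty/charts/coherence-operator/templates/rbac.yaml
# (as listed for github.com/verrazzano/verrazzano@v1.7.0)
#
# RBAC objects for the Coherence Operator. Three chart values shape the output:
#   .Values.serviceAccountName  name of the ServiceAccount (falls back to
#                               "coherence-operator" when unset)
#   .Values.clusterRoles        when truthy, the operator's main role is a
#                               ClusterRole bound cluster-wide; otherwise it is
#                               a Role bound only in the release namespace
#   .Values.nodeRoles           when true, the node-viewer ClusterRole is still
#                               rendered even if clusterRoles is not true
#
# Templated scalars are piped through "quote" so that a value such as an
# all-digit namespace name is emitted as a YAML string rather than an integer.

# -------------------------------------------------------------
# This is the service account used by the Coherence Operator.
# Every binding in this file names this account as its subject.
# -------------------------------------------------------------
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ default "coherence-operator" .Values.serviceAccountName | quote }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    control-plane: coherence
---
{{- if .Values.clusterRoles }}
# -------------------------------------------------------------
# This is the ClusterRole required by the Coherence Operator
# to self-manage its CRDs and Web-Hooks.
#
# Security note: neither rule is narrowed with resourceNames, so
# the service account may create, update and delete any CRD and
# any admission webhook configuration in the cluster. "create"
# cannot be narrowed by resourceNames; the other verbs could be
# if the operator's object names are fixed (not shown here, to
# be confirmed). Treat this account as highly privileged.
#
# NOTE(review): metadata.namespace is not meaningful on a
# cluster-scoped kind; it is kept here as in the original chart.
# -------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: coherence-operator-crd-webhook-install
  namespace: {{ .Release.Namespace | quote }}
  labels:
    control-plane: coherence
rules:
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - create
      - delete
      - get
      - update
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - get
      - update
      - watch
---
# --------------------------------------------------------------------
# This is the ClusterRoleBinding required by the Coherence Operator
# to self-manage its CRDs and Web-Hooks.
# --------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: coherence-operator-crd-webhook-install
  namespace: {{ .Release.Namespace | quote }}
  labels:
    control-plane: coherence
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: coherence-operator-crd-webhook-install
subjects:
  - kind: ServiceAccount
    name: {{ default "coherence-operator" .Values.serviceAccountName | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
{{- end }}
{{- if or (eq .Values.clusterRoles true) (eq .Values.nodeRoles true) }}
# -------------------------------------------------------------
# This is the ClusterRole required by the Coherence Operator
# to obtain Node information.
# Specifically the operator looks up Node labels to work out
# the topology information used by Coherence for site safety.
# Only "get" on nodes is granted.
# -------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: coherence-operator-node-viewer
  namespace: {{ .Release.Namespace | quote }}
  labels:
    control-plane: coherence
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
---
# ---------------------------------------------------------------------
# This is the ClusterRoleBinding required by the Coherence Operator
# to obtain Node information.
# Specifically the operator looks up Node labels to work out
# the topology information used by Coherence for site safety.
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: coherence-operator-node-viewer
  namespace: {{ .Release.Namespace | quote }}
  labels:
    control-plane: coherence
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: coherence-operator-node-viewer
subjects:
  - kind: ServiceAccount
    name: {{ default "coherence-operator" .Values.serviceAccountName | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
{{- end }}
# ---------------------------------------------------------------------
# This is the role required by the Coherence Operator during
# normal operation to manage Coherence clusters. It is rendered as a
# ClusterRole when .Values.clusterRoles is truthy, otherwise as a Role
# in the release namespace.
#
# Security note: the first rule grants every listed verb on "secrets"
# and "pods/exec". As a ClusterRole this lets the service account read
# Secrets and exec into Pods in every namespace, so a compromise of the
# operator Pod or its token affects the whole cluster. Where the
# operator only has to manage one namespace, leave clusterRoles unset
# so the grant stays namespace-scoped, and watch the API audit log for
# secret reads and exec calls made by this account.
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.clusterRoles }}
kind: ClusterRole
{{- else }}
kind: Role
{{- end }}
metadata:
  name: coherence-operator
  namespace: {{ .Release.Namespace | quote }}
  labels:
    control-plane: coherence
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - events
      - pods
      - pods/exec
      - secrets
      - services
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apps
    resources:
      - statefulsets
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - coherence.oracle.com
    resources:
      - coherence
      - coherence/finalizers
      - coherence/status
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - servicemonitors
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
      - issuers
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
---
# ---------------------------------------------------------------------
# This is the binding required by the Coherence Operator during normal
# operation to manage Coherence clusters. Its kind and the kind named in
# roleRef follow the same .Values.clusterRoles switch as the role above,
# so the two always match.
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.clusterRoles }}
kind: ClusterRoleBinding
{{- else }}
kind: RoleBinding
{{- end }}
metadata:
  name: coherence-operator
  namespace: {{ .Release.Namespace | quote }}
  labels:
    control-plane: coherence
roleRef:
  apiGroup: rbac.authorization.k8s.io
{{- if .Values.clusterRoles }}
  kind: ClusterRole
{{- else }}
  kind: Role
{{- end }}
  name: coherence-operator
subjects:
  - kind: ServiceAccount
    name: {{ default "coherence-operator" .Values.serviceAccountName | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# ---------------------------------------------------------------------
# This is the Role required by the Coherence Operator
# during normal operation to perform leader election.
# The namespace is set explicitly so the Role is created next to the
# ServiceAccount even when the rendered manifest is applied by a tool
# that does not fill in the release namespace.
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: leader-election-role
  namespace: {{ .Release.Namespace | quote }}
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# ---------------------------------------------------------------------
# This is the RoleBinding required by the Coherence Operator
# during normal operation to perform leader election.
# It is placed in the same namespace as leader-election-role, because
# a RoleBinding can only reference a Role in its own namespace.
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: leader-election-rolebinding
  namespace: {{ .Release.Namespace | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: leader-election-role
subjects:
  - kind: ServiceAccount
    name: {{ default "coherence-operator" .Values.serviceAccountName | quote }}
    namespace: {{ .Release.Namespace | quote }}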