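{{- /*
ClusterRoles for the istio-cni chart. Up to three roles are rendered:
  1. the base node-agent role (always),
  2. the repair role (only when .Values.cni.repair.enabled),
  3. the ambient role (only when .Values.cni.ambient.enabled).

Label values that come from user-supplied values (.Values.revision,
.Values.ownerName, the release name) are passed through `quote` so the YAML
parser cannot retype them: a revision such as 1.20 would otherwise be read
as a number rather than the string the label requires.
*/}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "name" . }}
  labels:
    app: {{ template "name" . }}
    release: {{ .Release.Name | quote }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" | quote }}
    operator.istio.io/component: "Cni"
rules:
{{- /* The base role is read-only: get/list/watch on pods, nodes and namespaces. */}}
- apiGroups: [""]
  resources: ["pods", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
{{- if (eq .Values.platform "openshift") }}
{{- /*
OpenShift only: permission to run under the "privileged" SCC. resourceNames
restricts the grant to that single SCC rather than every SCC in the cluster.
*/}}
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["privileged"]
  verbs: ["use"]
{{- end }}
---
{{- /* When repair is disabled this document renders empty; Helm discards empty documents. */}}
{{- if .Values.cni.repair.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "name" . }}-repair-role
  labels:
    app: {{ template "name" . }}
    release: {{ .Release.Name | quote }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" | quote }}
    operator.istio.io/component: "Cni"
rules:
{{- /* Every repair mode may emit Events and observe pods cluster-wide. */}}
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["watch", "get", "list"]
{{- /*
At most one repair mode receives extra privileges. The if/else-if chain gives
repairPods precedence over deletePods, and deletePods precedence over labelPods,
so enabling several modes does not accumulate grants.
*/}}
{{- if .Values.cni.repair.repairPods }}
{{- /* repairPods: no additional privileges are needed. */}}
{{- else if .Values.cni.repair.deletePods }}
{{- /* deletePods: this is a ClusterRole, so the grant covers pods in every namespace. */}}
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["delete"]
{{- else if .Values.cni.repair.labelPods }}
- apiGroups: [""]
  {{- /*
  pods/status is less privileged than the full pod, and either can label.
  So use the lower pods/status.
  */}}
  resources: ["pods/status"]
  verbs: ["patch", "update"]
{{- end }}
{{- end }}
---
{{- /* When ambient is disabled this document renders empty; Helm discards empty documents. */}}
{{- if .Values.cni.ambient.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ template "name" . }}-ambient
  labels:
    app: {{ template "name" . }}
    release: {{ .Release.Name | quote }}
    istio.io/rev: {{ .Values.revision | default "default" | quote }}
    install.operator.istio.io/owning-resource: {{ .Values.ownerName | default "unknown" | quote }}
    operator.istio.io/component: "Cni"
rules:
- apiGroups: [""]
  {{- /*
  pods/status is less privileged than the full pod, and either can label.
  So use the lower pods/status.
  */}}
  resources: ["pods/status"]
  verbs: ["patch", "update"]
{{- end }}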