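# ClusterRole for istiod (istio-discovery control plane).
#
# Every rule below is cluster-wide: istiod lists/watches pods, services,
# namespaces, secrets and Istio config in all namespaces, so these grants
# cannot be reduced to namespaced Roles. The istiod service account should
# therefore be treated as a highly privileged identity -- see the
# NOTE(security) comments on the individual rules and restrict who can read
# its token, exec into the istiod pod, or impersonate the service account.
{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
rules:
  # sidecar injection controller
  # NOTE(security): update/patch applies to *every* MutatingWebhookConfiguration
  # in the cluster, not just Istio's own. resourceNames cannot constrain
  # list/watch, and istiod presumably manages dynamically named webhooks, so this
  # cannot be tightened here; be aware a compromised istiod could repoint any
  # mutating admission webhook.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]

  # configuration validation webhook controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]

  # istio configuration
  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
  # please proceed with caution
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
    verbs: ["get", "watch", "list"]
    resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
    verbs: ["update"]
    # TODO: should be on just */status but wildcard is not supported
    resources: ["*"]

  # Needed because status reporter sets the config map owner reference to the istiod pod
  - apiGroups: [""]
    verbs: ["update"]
    resources: ["pods/finalizers"]
{{- end }}
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]

  # auto-detect installed CRD definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # discovery and routing
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

{{- if .Values.pilot.taint.enabled }}
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["patch"]
{{- end }}

  # ingress controller
  # The status subresource only serves get/update/patch, so listing those verbs
  # explicitly grants the same effective access as the former "*" wildcard while
  # keeping the grant auditable (no implicit create/delete/deletecollection).
{{- if .Values.global.istiod.enableAnalysis }}
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["get", "update", "patch"]
{{- end}}
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["get", "update", "patch"]

  # required for CA's namespace controller
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]

  # Istiod and bootstrap.
  # Rendered only when an external CA is configured or pilotCertProvider is
  # something other than istiod/custom/none.
{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  # NOTE(security): the "approve" verb is meant to be scoped by resourceNames to
  # the signers in global.certSigners. If that list is empty, resourceNames
  # renders as null and Kubernetes RBAC treats an empty resourceNames as "all
  # names" -- istiod could then approve CSRs for every signer in the cluster,
  # including the built-in kubernetes.io/* signers. Always populate
  # global.certSigners when this block is rendered.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
{{- range .Values.global.certSigners }}
      - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

  # Used by Istiod to verify gateway SDS
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
    verbs: ["update", "patch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gatewayclasses"]
    verbs: ["create", "update", "patch", "delete"]

  # Needed for multicluster secret reading, possibly ingress certs in the future
  # NOTE(security): this is read access to every Secret in every namespace
  # (resourceNames cannot constrain list/watch). Anyone who obtains istiod's
  # service-account token, or can exec into the istiod pod, inherits that access.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

  # Used for MCS serviceexport management
  - apiGroups: ["{{ $mcsAPIGroup }}"]
    resources: ["serviceexports"]
    verbs: [ "get", "watch", "list", "create", "delete"]

  # Used for MCS serviceimport management
  - apiGroups: ["{{ $mcsAPIGroup }}"]
    resources: ["serviceimports"]
    verbs: ["get", "watch", "list"]
---
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
# Additional ClusterRole rendered unless PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER
# is explicitly "false"; judging by its name it backs istiod's Gateway API
# deployment controller.
# NOTE(security): these are cluster-wide create/update/delete grants on
# Deployments, Services and ServiceAccounts. A compromised istiod could run a
# Deployment in any namespace under any ServiceAccount that already exists there
# (nothing in this file grants RBAC write access, so it gains only what those
# accounts already hold). Set PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER to
# "false" if automated gateway deployment is not used.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
rules:
  - apiGroups: ["apps"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "deployments" ]
  - apiGroups: [""]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "services" ]
  - apiGroups: [""]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "serviceaccounts"]
{{- end }}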