istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istio-control/istio-discovery/templates/role.yaml (about)

     1  apiVersion: rbac.authorization.k8s.io/v1
     2  kind: Role
        # Namespaced Role: every rule below applies only inside the namespace set in
        # metadata.namespace. The subjects that receive it are bound elsewhere
        # (presumably the istiod service account; confirm against the RoleBinding).
     3  metadata:
          # Renders as "istiod", or "istiod-<revision>" when .Values.revision is non-empty.
     4    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
          # NOTE(review): the namespace and the release label are rendered unquoted, so an
          # all-digit or boolean-looking value would be parsed by YAML as a non-string.
     5    namespace: {{ .Values.global.istioNamespace }}
     6    labels:
     7      app: istiod
     8      release: {{ .Release.Name }}
     9  rules:
    10  # permissions to verify the webhook is ready and rejecting
    11  # invalid config. We use --server-dry-run so no config is persisted.
        # NOTE(review): RBAC authorizes dry-run and persisted requests alike, so this
        # rule also permits actually creating Gateways in this namespace.
    12  - apiGroups: ["networking.istio.io"]
    13    verbs: ["create"]
    14    resources: ["gateways"]
    15  
    16  # For storing CA secret
        # No resourceNames are set, so this covers every Secret in the namespace,
        # including ones unrelated to the CA: they can be read, modified and deleted.
    17  - apiGroups: [""]
    18    resources: ["secrets"]
    19    # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
          # When narrowing: resourceNames cannot restrict "create", and "list"/"watch"
          # are only allowed by name when the request uses a metadata.name field selector.
          # Until then, keep unrelated Secrets out of this namespace and audit Secret
          # access by this Role's subjects.
    20    verbs: ["create", "get", "watch", "list", "update", "delete"]
    21  
    22  # For status controller, so it can delete the distribution report configmap
        # No resourceNames are set, so any ConfigMap in the namespace can be deleted;
        # "delete" can be limited by name once the report ConfigMap's name is pinned.
    23  - apiGroups: [""]
    24    resources: ["configmaps"]
    25    verbs: ["delete"]
    26  
    27  # For gateway deployment controller
        # Applies to all Leases in the namespace (no resourceNames). Presumably used for
        # leader election; confirm. No "delete", "list" or "watch" is granted here.
    28  - apiGroups: ["coordination.k8s.io"]
    29    resources: ["leases"]
    30    verbs: ["get", "update", "patch", "create"]