istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istiod-remote/templates/clusterrole.yaml (about)

{{- if .Values.global.configCluster }}
{{- /*
ClusterRole(s) for istiod in a remote "config cluster" (istiod-remote chart).
Rendered only when global.configCluster is set. Everything below is
cluster-scoped RBAC for the istiod service account, so each rule should stay
as narrow as the purpose stated in its comment; widening a grant here widens
the blast radius of a compromised istiod. $mcsAPIGroup is the MCS API group,
overridable through pilot.env.MCS_API_GROUP.
*/}}
{{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # Suffixed with the revision (when set) and the release namespace so several
  # control planes can coexist in one cluster without clashing.
  name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
rules:
  # sidecar injection controller: reconciles the injector webhook config
  # (update/patch only; no create/delete)
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]

  # configuration validation webhook controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]

  # istio configuration (read-only across all Istio API groups)
  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
  # please proceed with caution
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
    verbs: ["get", "watch", "list"]
    resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
  # Write access is only granted when analysis/status reporting is enabled.
  # Note this is "update" on every resource in these groups, not just status.
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"]
    verbs: ["update"]
    # TODO: should be on just */status but wildcard is not supported
    resources: ["*"]

  # Needed because status reporter sets the config map owner reference to the istiod pod
  - apiGroups: [""]
    verbs: ["update"]
    resources: ["pods/finalizers"]
{{- end }}
  # workloadentries are created/deleted by istiod (auto-registration), hence full CRUD
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]

  # auto-detect installed CRD definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # discovery and routing (read-only core resources, cluster-wide)
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

{{- if .Values.pilot.taint.enabled }}
  # Node patch is opt-in (pilot.taint.enabled); presumably used to manage the
  # node taint the option is named after -- verify against the taint controller.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["patch"]
{{- end }}

  # ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
  # NOTE(review): the "extensions" group only matters on clusters older than
  # 1.22 (where extensions/v1beta1 Ingress was removed); kept for compatibility.
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): wildcard verb on ingresses/status; status writes normally need
  # only update/patch -- consider narrowing (same for the rule below).
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]
{{- end}}
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # required for CA's namespace controller
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]

  # Istiod and bootstrap.
  # CSR rules are omitted when certificates come from istiod itself, a custom
  # provider or none -- unless EXTERNAL_CA is set, in which case they are needed
  # regardless of pilotCertProvider.
{{- $omitCertProvidersForClusterRole := list "istiod" "custom" "none"}}
{{- if or .Values.pilot.env.EXTERNAL_CA (not (has .Values.global.pilotCertProvider $omitCertProvidersForClusterRole)) }}
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  # "approve" is scoped to the signers listed in global.certSigners.
  # NOTE(review): if certSigners is empty the range renders nothing and
  # `resourceNames:` is left bare (YAML null); RBAC treats a missing
  # resourceNames as "all", i.e. approve on every signer -- confirm the
  # values default before relying on this restriction.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
{{- range .Values.global.certSigners }}
    - {{ . | quote }}
{{- end }}
    verbs: ["approve"]
{{- end}}

  # Used by Istiod to verify the JWT tokens
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

  # Used by Istiod to verify gateway SDS
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]

  # Used for the Kubernetes Gateway API ("Service APIs" was its pre-GA name;
  # networking.x-k8s.io is the corresponding pre-GA group)
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
    verbs: ["update", "patch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gatewayclasses"]
    verbs: ["create", "update", "patch", "delete"]

  # Needed for multicluster secret reading, possibly ingress certs in the future
  # This is read access to every Secret in the cluster (ClusterRole scope) --
  # the broadest read grant in this role; keep it in mind when threat-modelling
  # the istiod service account.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

  # Used for MCS serviceexport management
  - apiGroups: ["{{ $mcsAPIGroup }}"]
    resources: ["serviceexports"]
    verbs: [ "get", "watch", "list", "create", "delete"]

  # Used for MCS serviceimport management
  - apiGroups: ["{{ $mcsAPIGroup }}"]
    resources: ["serviceimports"]
    verbs: ["get", "watch", "list"]
---
{{- /*
Second document: the Gateway API deployment controller role. It is rendered
unless PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER stringifies to exactly
"false" (toString so an unset value does not match). The "---" above is emitted
unconditionally, so disabling the controller leaves an empty trailing document,
which Helm accepts.
*/}}
{{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
rules:
  # Full CRUD, cluster-wide, on the objects the controller provisions per
  # Gateway: Deployments, Services and ServiceAccounts.
  - apiGroups: ["apps"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "deployments" ]
  - apiGroups: [""]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "services" ]
  - apiGroups: [""]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "serviceaccounts"]
{{- end }}
{{- end }}