istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml

istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istiod-remote/templates/reader-clusterrole.yaml (about)

     1  {{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }}
     2  apiVersion: rbac.authorization.k8s.io/v1
     3  kind: ClusterRole
     4  metadata:
     5    name: istio-reader-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }}
     6    labels:
     7      app: istio-reader
     8      release: {{ .Release.Name }}
     9  rules:
    10    - apiGroups:
    11        - "config.istio.io"
    12        - "security.istio.io"
    13        - "networking.istio.io"
    14        - "authentication.istio.io"
    15        - "rbac.istio.io"
    16        - "telemetry.istio.io"
    17        - "extensions.istio.io"
    18      resources: ["*"]
    19      verbs: ["get", "list", "watch"]
    20    - apiGroups: [""]
    21      resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
    22      verbs: ["get", "list", "watch"]
    23    - apiGroups: ["networking.istio.io"]
    24      verbs: [ "get", "watch", "list" ]
    25      resources: [ "workloadentries" ]
    26    - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    27      resources: ["gateways"]
    28      verbs: ["get", "watch", "list"]
    29    - apiGroups: ["apiextensions.k8s.io"]
    30      resources: ["customresourcedefinitions"]
    31      verbs: ["get", "list", "watch"]
    32    - apiGroups: ["discovery.k8s.io"]
    33      resources: ["endpointslices"]
    34      verbs: ["get", "list", "watch"]
    35    - apiGroups: ["{{ $mcsAPIGroup }}"]
    36      resources: ["serviceexports"]
    37      verbs: ["get", "list", "watch", "create", "delete"]
    38    - apiGroups: ["{{ $mcsAPIGroup }}"]
    39      resources: ["serviceimports"]
    40      verbs: ["get", "list", "watch"]
    41    - apiGroups: ["apps"]
    42      resources: ["replicasets"]
    43      verbs: ["get", "list", "watch"]
    44    - apiGroups: ["authentication.k8s.io"]
    45      resources: ["tokenreviews"]
    46      verbs: ["create"]
    47    - apiGroups: ["authorization.k8s.io"]
    48      resources: ["subjectaccessreviews"]
    49      verbs: ["create"]
    50  {{- if .Values.global.externalIstiod }}
    51    - apiGroups: [""]
    52      resources: ["configmaps"]
    53      verbs: ["create", "get", "list", "watch", "update"]
    54    - apiGroups: ["admissionregistration.k8s.io"]
    55      resources: ["mutatingwebhookconfigurations"]
    56      verbs: ["get", "list", "watch", "update", "patch"]
    57    - apiGroups: ["admissionregistration.k8s.io"]
    58      resources: ["validatingwebhookconfigurations"]
    59      verbs: ["get", "list", "watch", "update"]
    60  {{- end}}