istio.io/istio@v0.0.0-20240520182934-d79c90f27776/manifests/charts/istiod-remote/templates/role.yaml (about)

     1  {{- if .Values.global.configCluster }}
        # Namespaced Role named istiod (plus an optional -revision suffix), rendered
        # only when .Values.global.configCluster is truthy.
        # No rule below sets resourceNames, so each verb applies to every object of
        # that resource type in the istioNamespace namespace.
        # NOTE(review): the RoleBinding and subject are not in this file; confirm
        # which service account actually receives these permissions.
     2  apiVersion: rbac.authorization.k8s.io/v1
     3  kind: Role
     4  metadata:
     5    name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}
     6    namespace: {{ .Values.global.istioNamespace }}
     7    labels:
     8      app: istiod
     9      release: {{ .Release.Name }}
    10  rules:
    11  # permissions to verify the webhook is ready and rejecting
    12  # invalid config. We use --server-dry-run so no config is persisted.
        # NOTE(review): RBAC authorizes a dry-run create exactly like a real one, so
        # this rule also permits persisting Gateway objects in this namespace; the
        # "nothing is persisted" property comes from the caller, not from this Role.
    13  - apiGroups: ["networking.istio.io"]
    14    verbs: ["create"]
    15    resources: ["gateways"]
    16  
    17  # For storing CA secret
    18  - apiGroups: [""]
    19    resources: ["secrets"]
    20    # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config
          # NOTE(review): as written this is read and write access to every Secret in
          # the namespace, not only the CA secret. resourceNames can narrow
          # get/update/delete; it cannot restrict create, and it narrows list/watch
          # only for requests that select a single metadata.name.
    21    verbs: ["create", "get", "watch", "list", "update", "delete"]
    22  
    23  # For status controller, so it can delete the distribution report configmap
        # NOTE(review): delete is not scoped by resourceNames, so it covers any
        # ConfigMap in the namespace, not only the distribution report.
    24  - apiGroups: [""]
    25    resources: ["configmaps"]
    26    verbs: ["delete"]
    27  
    28  # For gateway deployment controller
        # NOTE(review): covers every Lease in the namespace; the lease name(s) the
        # controller uses are not visible here, so scoping would need them confirmed.
    29  - apiGroups: ["coordination.k8s.io"]
    30    resources: ["leases"]
    31    verbs: ["get", "update", "patch", "create"]
    32  {{- end }}