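---
# Source: k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cluster/addons/calico-policy-controller/calico-clusterrole.yaml
#
# RBAC permissions for the Calico addon (CNI plugin, calico/node and confd,
# per the rule comments below).
#
# ClusterRole is a cluster-scoped kind, so it carries no metadata.namespace.
# None of the rules uses resourceNames, so each one matches every object of
# the listed resources that the binding covers. The binding (ClusterRoleBinding
# or RoleBinding) and its subjects are not part of this file; review them
# together with these rules.
# Nothing in this file grants access to secrets or to RBAC objects.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  # calico/node checks configmaps for cluster CIDR.
  # NOTE(review): this is read access to every ConfigMap the binding covers;
  # narrow it with resourceNames if the ConfigMap that is read has a fixed name.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      - get
  # NOTE(review): write access to the status of every Node object, not only
  # the node the holder runs on.
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information.
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status.
  # NOTE(review): write access to the status of every Pod the binding covers.
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config.
  # Note: Though we are not using ipam from calico, calico node still needs those permissions
  # to boot.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico stores some configuration information on the node.
  # NOTE(review): overlaps the `get` on nodes granted by the first rule; RBAC
  # rules are additive, so the overlap changes nothing.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # These permissions are only required for upgrade from v2.6, and can
  # be removed after upgrade or on fresh installations.
  # NOTE(review): least-privilege candidate; drop this rule where no upgrade
  # from v2.6 is pending.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
  # These permissions are required for Calico CNI to perform IPAM allocations.
  # NOTE(review): the CRD read rule above states that Calico IPAM is not in
  # use; if that holds for the deployment, confirm whether create/update/delete
  # is still needed here.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
  # Block affinities must also be watchable by confd for route aggregation.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
    verbs:
      - watch
  # The Calico IPAM migration needs to get daemonsets. These permissions can be
  # removed if not upgrading from an installation using host-local IPAM.
  - apiGroups: ["apps"]
    resources:
      - daemonsets
    verbs:
      - get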