# deploy/operator.yaml
# open-cluster-management.io/governance-policy-propagator@v0.13.0
#
# Install manifest for the governance-policy-propagator controller: a
# ServiceAccount, its RBAC (namespaced leader-election Role plus a ClusterRole),
# the compliance API Service and the controller Deployment.
#
# Only the ServiceAccount and the binding subjects name a namespace
# (open-cluster-management). Every other namespaced object takes its namespace
# at apply time, so applying elsewhere leaves the bindings pointing at the
# ServiceAccount in open-cluster-management.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: governance-policy-propagator
  namespace: open-cluster-management
---
# Namespaced permissions for leader election: full control of Leases and
# create/patch on Events.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: governance-policy-propagator-leader-election-role
rules:
  - apiGroups: [coordination.k8s.io]
    resources: [leases]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
---
# Cluster-wide permissions for the controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: governance-policy-propagator
rules:
  # Read access to every resource in every API group. RBAC rules are additive,
  # so once bound by the ClusterRoleBinding below this covers Secrets in all
  # namespaces. The narrower read-only rules in this role (placementrules,
  # managedclusters, dnses, the named Secrets) grant no reads beyond this one.
  # NOTE(review): treat the ServiceAccount token as able to read all cluster
  # Secrets when assessing the blast radius of a pod compromise.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: [get, list, watch]
  - apiGroups: [apps.open-cluster-management.io]
    resources: [placementrules]
    verbs: [get, list, watch]
  # Lets the controller ask the API server for an authorization decision.
  - apiGroups: [authorization.k8s.io]
    resources: [subjectaccessreviews]
    verbs: [create]
  - apiGroups: [cluster.open-cluster-management.io]
    resources: [managedclusters, placementdecisions, placements]
    verbs: [get, list, watch]
  - apiGroups: [config.openshift.io]
    resourceNames: [cluster]
    resources: [dnses]
    verbs: [get]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, delete, get, list, patch, update, watch]
  # `create` cannot be limited by resourceNames, so this allows creating a
  # Secret with any name in any namespace.
  - apiGroups: [""]
    resources: [secrets]
    verbs: [create]
  - apiGroups: [""]
    resourceNames: [governance-policy-database]
    resources: [secrets]
    verbs: [get, list, watch]
  # Given the wildcard read rule above, the effective addition here is
  # `update` on Secrets named policy-encryption-key.
  - apiGroups: [""]
    resourceNames: [policy-encryption-key]
    resources: [secrets]
    verbs: [get, list, update, watch]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [placementbindings]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policies]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policies/finalizers]
    verbs: [update]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policies/status]
    verbs: [get, patch, update]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policyautomations]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policyautomations/finalizers]
    verbs: [update]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policyautomations/status]
    verbs: [get, patch, update]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policysets]
    verbs: [create, delete, get, list, patch, update, watch]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policysets/finalizers]
    verbs: [update]
  - apiGroups: [policy.open-cluster-management.io]
    resources: [policysets/status]
    verbs: [get, patch, update]
  # Full lifecycle control of AnsibleJobs, including bulk delete.
  - apiGroups: [tower.ansible.com]
    resources: [ansiblejobs]
    verbs: [create, delete, deletecollection, get, list, patch, update, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: governance-policy-propagator-leader-election-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: governance-policy-propagator-leader-election-role
subjects:
  - kind: ServiceAccount
    name: governance-policy-propagator
    namespace: open-cluster-management
---
# Grants the ClusterRole above across the whole cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: governance-policy-propagator-global
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: governance-policy-propagator
subjects:
  - kind: ServiceAccount
    name: governance-policy-propagator
    namespace: open-cluster-management
---
# In-cluster Service for the compliance API port. No `type` is set, so the
# Kubernetes default (ClusterIP) applies.
# NOTE(review): the manifest does not show how 8384 is authenticated or
# encrypted, and no NetworkPolicy is defined here; confirm both before
# exposing this Service any further.
apiVersion: v1
kind: Service
metadata:
  name: governance-compliance-api
spec:
  selector:
    name: governance-policy-propagator
  ports:
    - port: 8384
      targetPort: 8384
      protocol: TCP
---
# Controller Deployment.
# NOTE(review): no pod or container securityContext, resource requests/limits
# or liveness/readiness probes are declared. The pod runs under the very broad
# ServiceAccount above, so hardening such as allowPrivilegeEscalation: false,
# capabilities.drop: [ALL], runAsNonRoot and a seccompProfile is worth
# validating against the image and adding.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: governance-policy-propagator
  labels:
    webhook-origin: governance-policy-propagator
spec:
  replicas: 1
  selector:
    matchLabels:
      name: governance-policy-propagator
      webhook-origin: governance-policy-propagator
  template:
    metadata:
      labels:
        name: governance-policy-propagator
        webhook-origin: governance-policy-propagator
      annotations:
        kubectl.kubernetes.io/default-container: governance-policy-propagator
    spec:
      serviceAccountName: governance-policy-propagator
      containers:
        - name: governance-policy-propagator
          # Mutable tag, re-pulled on every pod start: the running code can
          # change without any change to this manifest. For reproducible,
          # verifiable rollouts pin a release tag or an image digest.
          image: quay.io/open-cluster-management/governance-policy-propagator:latest
          imagePullPolicy: Always
          command:
            - governance-policy-propagator
          args:
            - '--health-probe-bind-address=:8081'
            - '--metrics-bind-address=:8383'
            - '--leader-elect'
            # 0.0.0.0 presumably makes the compliance history API listen on
            # all pod interfaces; confirm against the binary's flag help.
            - '--compliance-history-api-host=0.0.0.0'
          env:
            # Empty value; presumably means "watch all namespaces". Verify
            # against the controller.
            - name: WATCH_NAMESPACE
              value: ""
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: OPERATOR_NAME
              value: governance-policy-propagator
            - name: WATCH_NAMESPACE_COMPLIANCE_EVENTS_STORE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            # Metrics listener (see --metrics-bind-address). No Service in
            # this file targets it.
            - name: http
              containerPort: 8383
              protocol: TCP
            - name: compliance-api
              containerPort: 8384
              protocol: TCP
            - name: webhook-http
              containerPort: 9443
              protocol: TCP
          volumeMounts:
            # Webhook serving certificate and key, mounted read-only.
            - name: cert
              mountPath: /tmp/k8s-webhook-server/serving-certs
              readOnly: true
      volumes:
        - name: cert
          secret:
            secretName: propagator-webhook-server-cert
            # 420 decimal == 0644 octal.
            defaultMode: 420