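{
  // RBAC objects for the cert-manager cainjector.
  //
  // These grants are broad by design: the cainjector reads CA material out of
  // Secrets cluster-wide and rewrites the caBundle of webhook configurations,
  // APIServices and CRDs. The token of the bound ServiceAccount is therefore a
  // high-value credential: limit who can read or mount it, and treat any use
  // of it from outside the cainjector Pod as a signal worth alerting on.
  //
  // NOTE(review): rbac.authorization.k8s.io/v1beta1 is deprecated and was
  // removed in Kubernetes 1.22. Move to $.rbac.v1 once the underlying
  // library exposes it; the field chains below stay the same.
  local clusterRole = $.rbac.v1beta1.clusterRole,
  local clusterRoleBinding = $.rbac.v1beta1.clusterRoleBinding,
  local role = $.rbac.v1beta1.role,
  local roleBinding = $.rbac.v1beta1.roleBinding,
  local rules = clusterRole.rulesType,
  local subjects = clusterRoleBinding.subjectsType,

  // Shared identifiers so a rename touches one place.
  local name = 'cert-manager-cainjector',
  local leaderElectionName = 'cert-manager-cainjector:leaderelection',
  // Namespace holding the leader-election lock; presumably it must match the
  // cainjector's --leader-election-namespace setting — confirm.
  local leaderElectionNamespace = 'kube-system',
  // Common labels are still a TODO in this file; kept empty for now.
  local labels = {},  /* TODO: labels */
  // The ServiceAccount subject. It is bound cluster-wide below, so every rule
  // in cainjector_clusterrole is exercisable from whatever namespace
  // $._config.namespace points at.
  local serviceAccountSubject =
    subjects.withKind('ServiceAccount')
    .withName(name)
    .withNamespace($._config.namespace),

  // ClusterRole is cluster-scoped, so no metadata.namespace is set: the API
  // server discards that field on cluster-scoped objects and it only misleads
  // readers into thinking the grant is namespace-bound.
  cainjector_clusterrole:
    clusterRole.new() +
    clusterRole.mixin.metadata
    .withName(name)
    .withLabels(labels) +
    clusterRole.withRules([
      // Certificates whose issued CA the injector propagates.
      rules.withApiGroups(['cert-manager.io'])
      .withResources(['certificates'])
      .withVerbs(['get', 'list', 'watch']),
      // Read access to every Secret in the cluster, not only cert-manager's
      // own: this is the most sensitive grant in the file.
      rules.withApiGroups([''])
      .withResources(['secrets'])
      .withVerbs(['get', 'list', 'watch']),
      rules.withApiGroups([''])
      .withResources(['events'])
      .withVerbs(['get', 'create', 'update', 'patch']),
      // 'update' on webhook configurations allows changing which requests
      // are intercepted, not only the caBundle field.
      rules.withApiGroups(['admissionregistration.k8s.io'])
      .withResources(['validatingwebhookconfigurations', 'mutatingwebhookconfigurations'])
      .withVerbs(['get', 'list', 'watch', 'update']),
      rules.withApiGroups(['apiregistration.k8s.io'])
      .withResources(['apiservices'])
      .withVerbs(['get', 'list', 'watch', 'update']),
      rules.withApiGroups(['apiextensions.k8s.io'])
      .withResources(['customresourcedefinitions'])
      .withVerbs(['get', 'list', 'watch', 'update']),
    ]),

  // Cluster-scoped as well; no metadata.namespace for the same reason.
  cainjector_clusterrolebinding:
    clusterRoleBinding.new() +
    clusterRoleBinding.mixin.metadata
    .withName(name)
    .withLabels(labels) +
    clusterRoleBinding.mixin.roleRef
    .withApiGroup('rbac.authorization.k8s.io')
    .withKind('ClusterRole')
    .withName(name) +
    clusterRoleBinding.withSubjects([serviceAccountSubject]),

  // Leader election is namespaced: the Role lives in the leader-election
  // namespace, while the subject is the ServiceAccount in $._config.namespace
  // (a deliberate cross-namespace binding).
  cainjector_leaderelection_role:
    role.new() +
    role.mixin.metadata
    .withName(leaderElectionName)
    .withNamespace(leaderElectionNamespace)
    .withLabels(labels) +
    role.withRules([
      // The lock is a ConfigMap here; newer releases may lock on a Lease
      // instead — confirm against the deployed cainjector version.
      role.rulesType.withApiGroups([''])
      .withResources(['configmaps'])
      .withVerbs(['get', 'create', 'update', 'patch']),
    ]),

  cainjector_leaderelection_rolebinding:
    roleBinding.new() +
    roleBinding.mixin.metadata
    .withName(leaderElectionName)
    .withNamespace(leaderElectionNamespace)
    .withLabels(labels) +
    roleBinding.mixin.roleRef
    .withApiGroup('rbac.authorization.k8s.io')
    .withKind('Role')
    .withName(leaderElectionName) +
    roleBinding.withSubjects([serviceAccountSubject]),
}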