diff --git a/Makefile b/Makefile index ba6ad7d2..30b295c7 100644 --- a/Makefile +++ b/Makefile @@ -49,7 +49,7 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate rbac objects. # onmetal-api-net - $(CONTROLLER_GEN) rbac:roleName=manager-role paths="./internal/controllers/..." output:rbac:artifacts:config=config/onmetal-api-net/rbac + $(CONTROLLER_GEN) rbac:roleName=manager-role paths="./internal/controllers/..." output:rbac:artifacts:config=config/controller/rbac # apinetlet $(CONTROLLER_GEN) rbac:roleName=manager-role paths="./apinetlet/controllers/..." output:rbac:artifacts:config=config/apinetlet/rbac @@ -60,8 +60,8 @@ manifests: controller-gen ## Generate rbac objects. CONTROLLER_GEN=$(CONTROLLER_GEN) ./hack/cluster-controller-gen.sh cluster=metalnet rbac:roleName=metalnet-role paths="./metalnetlet/controllers/..." output:rbac:artifacts:config=config/metalnetlet/metalnet-rbac # Promote *let roles. - ./hack/promote-let-role.sh config/apinetlet/apinet-rbac/role.yaml config/onmetal-api-net/rbac/apinetlet_role.yaml apinet.api.onmetal.de:system:apinetlets - ./hack/promote-let-role.sh config/metalnetlet/metalnet-rbac/role.yaml config/onmetal-api-net/rbac/metalnetlet_role.yaml apinet.api.onmetal.de:system:metalnetlet + ./hack/promote-let-role.sh config/apinetlet/apinet-rbac/role.yaml config/apiserver/rbac/apinetlet_role.yaml apinet.api.onmetal.de:system:apinetlets + ./hack/promote-let-role.sh config/metalnetlet/metalnet-rbac/role.yaml config/apiserver/rbac/metalnetlet_role.yaml apinet.api.onmetal.de:system:metalnetlet .PHONY: generate generate: vgopath models-schema deepcopy-gen client-gen lister-gen informer-gen defaulter-gen conversion-gen openapi-gen applyconfiguration-gen 
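Review bot: The role name passed as the third argument on the second promote line in the second hunk, `apinet.api.onmetal.de:system:metalnetlet`, is singular, while the new `config/apiserver/rbac/metalnetlet_rolebinding.yaml` in this commit sets `roleRef.name` to `apinet.api.onmetal.de:system:metalnetlets`. If `promote-let-role.sh` writes that argument as the ClusterRole's `metadata.name` (neither the script nor the renamed `metalnetlet_role.yaml` is shown here), the binding refers to a ClusterRole that does not exist and the metalnetlets group gets no permissions from it. The apinetlet line already uses the plural form, so I would change this argument to `apinet.api.onmetal.de:system:metalnetlets`, rerun `make manifests`, and check that the generated role name equals the binding's `roleRef`.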
diff --git a/config/apiserver/rbac/bucketpool_bootstrapper_role.yaml b/config/apiserver/rbac/apinetlet_bootstrapper_role.yaml similarity index 73% rename from config/apiserver/rbac/bucketpool_bootstrapper_role.yaml rename to config/apiserver/rbac/apinetlet_bootstrapper_role.yaml index 3b3a8a93..ed626dbc 100644 --- a/config/apiserver/rbac/bucketpool_bootstrapper_role.yaml +++ b/config/apiserver/rbac/apinetlet_bootstrapper_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: storage.api.onmetal.de:system:bucketpools-bootstrapper + name: apinet.api.onmetal.de:system:apinetlets-bootstrapper rules: - apiGroups: - certificates.k8s.io @@ -15,6 +15,6 @@ rules: - apiGroups: - certificates.k8s.io resources: - - certificatesigningrequests/bucketpoolclient + - certificatesigningrequests/apinetletclient verbs: - create \ No newline at end of file diff --git a/config/apiserver/rbac/volumepool_bootstrapper_rolebinding.yaml b/config/apiserver/rbac/apinetlet_bootstrapper_rolebinding.yaml similarity index 70% rename from config/apiserver/rbac/volumepool_bootstrapper_rolebinding.yaml rename to config/apiserver/rbac/apinetlet_bootstrapper_rolebinding.yaml index 37f44a7a..6e90c2de 100644 --- a/config/apiserver/rbac/volumepool_bootstrapper_rolebinding.yaml +++ b/config/apiserver/rbac/apinetlet_bootstrapper_rolebinding.yaml 
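Review bot: The rule on `certificatesigningrequests/apinetletclient` in the second hunk has no comment, and nothing on this page shows which component evaluates it. It looks like an authorization marker that a CSR approver tests with a SubjectAccessReview before approving a client certificate, in which case the string has to match the approver's code exactly; that is an inference and should be confirmed against the controller. Once confirmed, I would add a comment above the rule such as `# Checked by the CSR approver via SubjectAccessReview; must match the subresource name the controller uses`. The same applies to `certificatesigningrequests/metalnetletclient` in `metalnetlet_bootstrapper_role.yaml`.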
@@ -1,14 +1,14 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: storage.api.onmetal.de:system:volumepools-bootstrapper + name: apinet.api.onmetal.de:system:apinetlets-bootstrapper roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: storage.api.onmetal.de:system:volumepools-bootstrapper + name: apinet.api.onmetal.de:system:apinetlets-bootstrapper subjects: - kind: Group # Group name has to match bootstrap group pattern \Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\ # See https://github.com/kubernetes/kubernetes/blob/e8662a46dd27db774ec953dae15f93ae2d1a68c8/staging/src/k8s.io/cluster-bootstrap/token/api/types.go#L96 - name: system:bootstrappers:storage-api-onmetal-de:volumepools + name: system:bootstrappers:apinet-api-onmetal-de:apinetlets apiGroup: rbac.authorization.k8s.io diff --git a/config/onmetal-api-net/rbac/apinetlet_role.yaml b/config/apiserver/rbac/apinetlet_role.yaml similarity index 100% rename from config/onmetal-api-net/rbac/apinetlet_role.yaml rename to config/apiserver/rbac/apinetlet_role.yaml diff --git a/config/apiserver/rbac/volumepool_rolebinding.yaml b/config/apiserver/rbac/apinetlet_rolebinding.yaml similarity index 57% rename from config/apiserver/rbac/volumepool_rolebinding.yaml rename to config/apiserver/rbac/apinetlet_rolebinding.yaml index b0d7c8ac..e30a0558 100644 --- a/config/apiserver/rbac/volumepool_rolebinding.yaml +++ b/config/apiserver/rbac/apinetlet_rolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: storage.api.onmetal.de:system:volumepools + name: apinet.api.onmetal.de:system:apinetlets roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: storage.api.onmetal.de:system:volumepools + name: apinet.api.onmetal.de:system:apinetlets subjects: - kind: Group - name: storage.api.onmetal.de:system:volumepools + name: apinet.api.onmetal.de:system:apinetlets apiGroup: rbac.authorization.k8s.io 
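Review bot: The pattern quoted in the comment above the group name in `apinetlet_bootstrapper_rolebinding.yaml` ends in a bare `\`; the upstream constant it links to ends in `\z`, so the comment should read `# Group name has to match bootstrap group pattern \Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\z`. The new value `system:bootstrappers:apinet-api-onmetal-de:apinetlets` does satisfy that pattern. The same truncated comment is carried unchanged into `metalnetlet_bootstrapper_rolebinding.yaml`.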
diff --git a/config/apiserver/rbac/apiserver_role.yaml b/config/apiserver/rbac/apiserver_role.yaml index c81e4e95..da71e69e 100644 --- a/config/apiserver/rbac/apiserver_role.yaml +++ b/config/apiserver/rbac/apiserver_role.yaml @@ -12,20 +12,6 @@ rules: - get - list - watch - - apiGroups: - - compute.api.onmetal.de - resources: - - machinepools/proxy - verbs: - - '*' - - apiGroups: - - compute.api.onmetal.de - resources: - - machinepools - verbs: - - get - - list - - watch - apiGroups: - admissionregistration.k8s.io resources: diff --git a/config/apiserver/rbac/bucketpool_role.yaml b/config/apiserver/rbac/bucketpool_role.yaml deleted file mode 100644 index a3c7713f..00000000 --- a/config/apiserver/rbac/bucketpool_role.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: storage.api.onmetal.de:system:bucketpools -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/bucketpoolclient - verbs: - - create -- apiGroups: - - storage.api.onmetal.de - resources: - - bucketclasses - verbs: - - get - - list - - watch -- apiGroups: - - storage.api.onmetal.de - resources: - - bucketpools - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - storage.api.onmetal.de - resources: - - bucketpools/status - verbs: - - get - - patch - - update -- apiGroups: - - storage.api.onmetal.de - resources: - - buckets - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - storage.api.onmetal.de - resources: - - buckets/finalizers - verbs: - - update -- apiGroups: - - storage.api.onmetal.de - resources: - - buckets/status - verbs: - - get - - patch - - update diff --git a/config/apiserver/rbac/kustomization.yaml b/config/apiserver/rbac/kustomization.yaml index 9abe84ca..4baf35de 100644 --- a/config/apiserver/rbac/kustomization.yaml +++ b/config/apiserver/rbac/kustomization.yaml 
@@ -5,26 +5,14 @@ resources: - apiserver_role.yaml - apiserver_role_binding.yaml - # MachinePool (bootstrapper) roles - - machinepool_role.yaml - - machinepool_rolebinding.yaml - - machinepool_bootstrapper_role.yaml - - machinepool_bootstrapper_rolebinding.yaml + # APINetlet (bootstrapper) roles + - apinetlet_role.yaml + - apinetlet_rolebinding.yaml + - apinetlet_bootstrapper_role.yaml + - apinetlet_bootstrapper_rolebinding.yaml - # VolumePool (bootstrapper) roles - - volumepool_role.yaml - - volumepool_rolebinding.yaml - - volumepool_bootstrapper_role.yaml - - volumepool_bootstrapper_rolebinding.yaml - - # BucketPool (bootstrapper) roles - - bucketpool_role.yaml - - bucketpool_rolebinding.yaml - - bucketpool_bootstrapper_role.yaml - - bucketpool_bootstrapper_rolebinding.yaml - - # Network Plugin (bootstrapper) roles - - networkplugin_role.yaml - - networkplugin_rolebinding.yaml - - networkplugin_bootstrapper_role.yaml - - networkplugin_bootstrapper_rolebinding.yaml + # Metalnetlet (bootstrapper) roles + - metalnetlet_role.yaml + - metalnetlet_rolebinding.yaml + - metalnetlet_bootstrapper_role.yaml + - metalnetlet_bootstrapper_rolebinding.yaml diff --git a/config/apiserver/rbac/machinepool_bootstrapper_role.yaml b/config/apiserver/rbac/machinepool_bootstrapper_role.yaml deleted file mode 100644 index 65719baa..00000000 --- a/config/apiserver/rbac/machinepool_bootstrapper_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: compute.api.onmetal.de:system:machinepools-bootstrapper -rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/machinepoolclient - verbs: - - create \ No newline at end of file 
diff --git a/config/apiserver/rbac/machinepool_bootstrapper_rolebinding.yaml b/config/apiserver/rbac/machinepool_bootstrapper_rolebinding.yaml deleted file mode 100644 index cb19a10d..00000000 --- a/config/apiserver/rbac/machinepool_bootstrapper_rolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: compute.api.onmetal.de:system:machinepools-bootstrapper -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: compute.api.onmetal.de:system:machinepools-bootstrapper -subjects: - - kind: Group - # Group name has to match bootstrap group pattern \Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\ - # See https://github.com/kubernetes/kubernetes/blob/e8662a46dd27db774ec953dae15f93ae2d1a68c8/staging/src/k8s.io/cluster-bootstrap/token/api/types.go#L96 - name: system:bootstrappers:compute-api-onmetal-de:machinepools - apiGroup: rbac.authorization.k8s.io diff --git a/config/apiserver/rbac/machinepool_role.yaml b/config/apiserver/rbac/machinepool_role.yaml deleted file mode 100644 index 0a67b671..00000000 --- a/config/apiserver/rbac/machinepool_role.yaml +++ /dev/null 
@@ -1,139 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: compute.api.onmetal.de:system:machinepools -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/machinepoolclient - verbs: - - create -- apiGroups: - - compute.api.onmetal.de - resources: - - machineclasses - verbs: - - get - - list - - watch -- apiGroups: - - compute.api.onmetal.de - resources: - - machinepools - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - compute.api.onmetal.de - resources: - - machinepools/status - verbs: - - get - - patch - - update -- apiGroups: - - compute.api.onmetal.de - resources: - - machines - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - compute.api.onmetal.de - resources: - - machines/finalizers - verbs: - - update -- apiGroups: - - compute.api.onmetal.de - resources: - - machines/status - verbs: - - get - - patch - - update -- apiGroups: - - ipam.api.onmetal.de - resources: - - prefixes - verbs: - - get - - list - - watch -- apiGroups: - - networking.api.onmetal.de - resources: - - networkinterfaces - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.api.onmetal.de - resources: - - networks - verbs: - - get - - list - - watch -- apiGroups: - - storage.api.onmetal.de - resources: - - volumes - verbs: - - get - - list - - patch - - update - - watch 
diff --git a/config/apiserver/rbac/machinepool_rolebinding.yaml b/config/apiserver/rbac/machinepool_rolebinding.yaml deleted file mode 100644 index a81f98cc..00000000 --- a/config/apiserver/rbac/machinepool_rolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: compute.api.onmetal.de:system:machinepools -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: compute.api.onmetal.de:system:machinepools -subjects: - - kind: Group - name: compute.api.onmetal.de:system:machinepools - apiGroup: rbac.authorization.k8s.io diff --git a/config/apiserver/rbac/volumepool_bootstrapper_role.yaml b/config/apiserver/rbac/metalnetlet_bootstrapper_role.yaml similarity index 73% rename from config/apiserver/rbac/volumepool_bootstrapper_role.yaml rename to config/apiserver/rbac/metalnetlet_bootstrapper_role.yaml index df0e3855..5a7140ae 100644 --- a/config/apiserver/rbac/volumepool_bootstrapper_role.yaml +++ b/config/apiserver/rbac/metalnetlet_bootstrapper_role.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: storage.api.onmetal.de:system:volumepools-bootstrapper + name: apinet.api.onmetal.de:system:metalnetlets-bootstrapper rules: - apiGroups: - certificates.k8s.io @@ -15,6 +15,6 @@ rules: - apiGroups: - certificates.k8s.io resources: - - certificatesigningrequests/volumepoolclient + - certificatesigningrequests/metalnetletclient verbs: - create \ No newline at end of file diff --git a/config/apiserver/rbac/bucketpool_bootstrapper_rolebinding.yaml b/config/apiserver/rbac/metalnetlet_bootstrapper_rolebinding.yaml similarity index 71% rename from config/apiserver/rbac/bucketpool_bootstrapper_rolebinding.yaml rename to config/apiserver/rbac/metalnetlet_bootstrapper_rolebinding.yaml index 04a68c72..d40218dc 100644 --- a/config/apiserver/rbac/bucketpool_bootstrapper_rolebinding.yaml 
+++ b/config/apiserver/rbac/metalnetlet_bootstrapper_rolebinding.yaml @@ -1,14 +1,14 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: storage.api.onmetal.de:system:bucketpools-bootstrapper + name: apinet.api.onmetal.de:system:metalnetlets-bootstrapper roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: storage.api.onmetal.de:system:bucketpools-bootstrapper + name: apinet.api.onmetal.de:system:metalnetlets-bootstrapper subjects: - kind: Group # Group name has to match bootstrap group pattern \Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\ # See https://github.com/kubernetes/kubernetes/blob/e8662a46dd27db774ec953dae15f93ae2d1a68c8/staging/src/k8s.io/cluster-bootstrap/token/api/types.go#L96 - name: system:bootstrappers:storage-api-onmetal-de:bucketpools + name: system:bootstrappers:apinet-api-onmetal-de:metalnetlets apiGroup: rbac.authorization.k8s.io diff --git a/config/onmetal-api-net/rbac/metalnetlet_role.yaml b/config/apiserver/rbac/metalnetlet_role.yaml similarity index 100% rename from config/onmetal-api-net/rbac/metalnetlet_role.yaml rename to config/apiserver/rbac/metalnetlet_role.yaml diff --git a/config/apiserver/rbac/bucketpool_rolebinding.yaml b/config/apiserver/rbac/metalnetlet_rolebinding.yaml similarity index 57% rename from config/apiserver/rbac/bucketpool_rolebinding.yaml rename to config/apiserver/rbac/metalnetlet_rolebinding.yaml index 8a3b6923..c17a00bd 100644 --- a/config/apiserver/rbac/bucketpool_rolebinding.yaml +++ b/config/apiserver/rbac/metalnetlet_rolebinding.yaml 
@@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: storage.api.onmetal.de:system:bucketpools + name: apinet.api.onmetal.de:system:metalnetlets roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: storage.api.onmetal.de:system:bucketpools + name: apinet.api.onmetal.de:system:metalnetlets subjects: - kind: Group - name: storage.api.onmetal.de:system:bucketpools + name: apinet.api.onmetal.de:system:metalnetlets apiGroup: rbac.authorization.k8s.io diff --git a/config/apiserver/rbac/networkplugin_bootstrapper_role.yaml b/config/apiserver/rbac/networkplugin_bootstrapper_role.yaml deleted file mode 100644 index 891b972c..00000000 --- a/config/apiserver/rbac/networkplugin_bootstrapper_role.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: networking.api.onmetal.de:system:networkplugins-bootstrapper -rules: - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch - - apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/networkpluginclient - verbs: - - create \ No newline at end of file diff --git a/config/apiserver/rbac/networkplugin_bootstrapper_rolebinding.yaml b/config/apiserver/rbac/networkplugin_bootstrapper_rolebinding.yaml deleted file mode 100644 index c92695d6..00000000 --- a/config/apiserver/rbac/networkplugin_bootstrapper_rolebinding.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: networking.api.onmetal.de:system:networkplugins-bootstrapper -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: networking.api.onmetal.de:system:networkplugins-bootstrapper -subjects: - - kind: Group - # Group name has to match bootstrap group pattern \Asystem:bootstrappers:[a-z0-9:-]{0,255}[a-z0-9]\ - # See https://github.com/kubernetes/kubernetes/blob/e8662a46dd27db774ec953dae15f93ae2d1a68c8/staging/src/k8s.io/cluster-bootstrap/token/api/types.go#L96 - name: system:bootstrappers:networking-api-onmetal-de:networkplugins - apiGroup: rbac.authorization.k8s.io diff --git a/config/apiserver/rbac/networkplugin_role.yaml b/config/apiserver/rbac/networkplugin_role.yaml deleted file mode 100644 index 640a0c6b..00000000 --- a/config/apiserver/rbac/networkplugin_role.yaml +++ /dev/null 
@@ -1,140 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: networking.api.onmetal.de:system:networkplugins -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.api.onmetal.de - resources: - - loadbalancers - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.api.onmetal.de - resources: - - loadbalancers/finalizers - verbs: - - patch - - update -- apiGroups: - - networking.api.onmetal.de - resources: - - loadbalancers/status - verbs: - - get - - patch - - update -- apiGroups: - - networking.api.onmetal.de - resources: - - natgateways - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.api.onmetal.de - resources: - - natgateways/finalizers - verbs: - - patch - - update -- apiGroups: - - networking.api.onmetal.de - resources: - - natgateways/status - verbs: - - get - - patch - - update -- apiGroups: - - networking.api.onmetal.de - resources: - - networks - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.api.onmetal.de - resources: - - networks/finalizers - verbs: - - patch - - update -- apiGroups: - - networking.api.onmetal.de - resources: - - networks/status - verbs: - - get - - patch - - update -- apiGroups: - - networking.api.onmetal.de - resources: - - virtualips - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - networking.api.onmetal.de - resources: - - virtualips/finalizers - verbs: - - patch - - update -- apiGroups: - - networking.api.onmetal.de - resources: - - virtualips/status - verbs: - - get - - patch - - update -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/networkpluginclient - verbs: - - create -- apiGroups: - - "" - resources: - - secrets 
- verbs: - - create - - get - - list - - patch - - update - - watch diff --git a/config/apiserver/rbac/networkplugin_rolebinding.yaml b/config/apiserver/rbac/networkplugin_rolebinding.yaml deleted file mode 100644 index a8c36251..00000000 --- a/config/apiserver/rbac/networkplugin_rolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: networking.api.onmetal.de:system:networkplugins -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: networking.api.onmetal.de:system:networkplugins -subjects: - - kind: Group - name: networking.api.onmetal.de:system:networkplugins - apiGroup: rbac.authorization.k8s.io diff --git a/config/apiserver/rbac/volumepool_role.yaml b/config/apiserver/rbac/volumepool_role.yaml deleted file mode 100644 index f6c2c104..00000000 --- a/config/apiserver/rbac/volumepool_role.yaml +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: storage.api.onmetal.de:system:volumepools -rules: -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - create - - get - - list - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/volumepoolclient - verbs: - - create -- apiGroups: - - storage.api.onmetal.de - resources: - - volumeclasses - verbs: - - get - - list - - watch -- apiGroups: - - storage.api.onmetal.de - resources: - - volumepools - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - storage.api.onmetal.de - resources: - - volumepools/status - verbs: - - get - - patch - - update -- apiGroups: - - storage.api.onmetal.de - resources: - - volumes - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - storage.api.onmetal.de - resources: - - volumes/finalizers - verbs: - - update -- apiGroups: - - storage.api.onmetal.de - resources: - - volumes/status - verbs: - - get - - patch - - update diff --git a/config/onmetal-api-net/rbac/role.yaml b/config/onmetal-api-net/rbac/role.yaml deleted file mode 100644 index 5acb86ce..00000000 --- a/config/onmetal-api-net/rbac/role.yaml +++ /dev/null 
@@ -1,190 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - creationTimestamp: null - name: manager-role -rules: -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests - verbs: - - get - - list - - watch -- apiGroups: - - certificates.k8s.io - resources: - - certificatesigningrequests/approval - verbs: - - get - - patch - - update -- apiGroups: - - certificates.k8s.io - resourceNames: - - kubernetes.io/kube-apiserver-client - resources: - - signers - verbs: - - approve -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - daemonsets - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - daemonsets/status - verbs: - - get - - patch - - update -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - instances - verbs: - - create - - delete - - deletecollection - - get - - list - - patch - - update - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - ip - verbs: - - get - - list - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - ipaddress - verbs: - - delete - - get - - list - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - loadbalancers - verbs: - - get - - list - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - loadbalancers/status - verbs: - - get - - patch - - update -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - natgateway - verbs: - - get - - list - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - natgateway/status - verbs: - - get - - patch - - update -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - natgatewayautoscalers - verbs: - - get - - list - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - natgatewayautoscalers/status - verbs: - - get - - patch - - update -- 
apiGroups: - - core.apinet.api.onmetal.de - resources: - - natgateways - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - nattable - verbs: - - create - - get - - list - - patch - - update - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - networkids - verbs: - - delete - - get - - list - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - networkinterfaces - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - networks - verbs: - - get - - list - - watch -- apiGroups: - - core.apinet.api.onmetal.de - resources: - - nodes - verbs: - - get - - list - - watch