-
Notifications
You must be signed in to change notification settings - Fork 20
/
200-clusterrole.yaml
115 lines (114 loc) · 3.61 KB
/
200-clusterrole.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
# Copyright 2020 VMware, Inc.
# SPDX-License-Identifier: Apache-2.0
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-binding-admin
labels:
bindings.labs.vmware.com/release: devel
aggregationRule:
clusterRoleSelectors:
- matchLabels:
bindings.labs.vmware.com/admin: "true"
- matchLabels:
servicebinding.io/controller: "true"
# legacy support
- matchLabels:
service.binding/controller: "true"
# rules are automatically filled in at runtime.
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-binding-core
labels:
bindings.labs.vmware.com/release: devel
bindings.labs.vmware.com/admin: "true"
rules:
- apiGroups: [""]
resources: ["configmaps", "services", "secrets", "events", "namespaces"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "deployments/finalizers"] # finalizers are needed for the owner reference of the webhook
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-binding-crd
labels:
bindings.labs.vmware.com/release: devel
bindings.labs.vmware.com/admin: "true"
rules:
- apiGroups: ["servicebinding.io"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["bindings.labs.vmware.com"]
resources: ["*"]
verbs: ["*"]
- apiGroups: ["internal.bindings.labs.vmware.com"]
resources: ["*"]
verbs: ["*"]
---
# This piece of the aggregated cluster role enables us to bind to the built-in
# Kubernetes apps resources
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-binding-apps
labels:
bindings.labs.vmware.com/release: devel
servicebinding.io/controller: "true"
rules:
- apiGroups: ["apps"]
resources: ["deployments", "daemonsets", "statefulsets"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "update", "patch"]
---
# This piece of the aggregated cluster role enables us to bind to
# Knative service resources
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: service-binding-knative-serving
labels:
bindings.labs.vmware.com/release: devel
servicebinding.io/controller: "true"
rules:
- apiGroups: ["serving.knative.dev"]
resources: ["services", "configurations"]
verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: service-binding-app-viewer
labels:
# Add these permissions to the "app-viewer" role.
apps.tanzu.vmware.com/aggregate-to-app-viewer: "true"
rules:
- apiGroups: ["servicebinding.io"]
resources: ["servicebindings"]
verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: service-binding-provisioned-services
labels:
servicebinding.io/controller: "true"
rules:
- apiGroups: ["bindings.labs.vmware.com"]
resources: ["provisionedservices"]
verbs: ["get","list","watch"]