cert-manager-webhook-dnsimple/deploy/example-webhook/templates/rbac.yaml

116 lines
No EOL
3.7 KiB
YAML

apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
# Grant the webhook permission to read the api-token Secret in the specified namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: {{ .Release.Namespace | quote }}
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
namespace: {{ .Release.Namespace | quote }}
subjects:
- kind: ServiceAccount
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
roleRef:
kind: Role
name: {{ include "dnsimple-webhook.fullname" . }}:access-secret
apiGroup: rbac.authorization.k8s.io
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:webhook-authentication-reader
namespace: kube-system
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# apiserver gets the auth-delegator role to delegate auth decisions to
# the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:auth-delegator
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "dnsimple-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- {{ .Values.groupName }}
resources:
- '*'
verbs:
- 'create'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
labels:
app: {{ include "dnsimple-webhook.name" . }}
chart: {{ include "dnsimple-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "dnsimple-webhook.fullname" . }}:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ .Values.certManager.serviceAccountName }}
namespace: {{ .Values.certManager.namespace }}