theshire/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml

120 lines
3 KiB
YAML
Raw Normal View History

---
# Grant cert-manager permission to validate using our apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: webhook-dnsimple:domain-solver
labels:
app: cert-manager-webhook-dnsimple
rules:
- apiGroups:
- acme.hsn.dev
resources:
- '*'
verbs:
- 'create'
---
2024-04-03 12:38:35 -05:00
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flow-schema-reader
labels:
app: cert-manager-webhook-dnsimple
rules:
- apiGroups: ["flowcontrol.apiserver.k8s.io"]
resources: ["flowschemas", "prioritylevelconfigurations"]
verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: grant-flow-schema-permission
labels:
app: cert-manager-webhook-dnsimple
subjects:
- kind: ServiceAccount
name: webhook-dnsimple
namespace: cert-manager
roleRef:
kind: ClusterRole
name: flow-schema-reader
apiGroup: rbac.authorization.k8s.io
---
# apiserver gets the auth-delegator role to delegate auth decisions to the core apiserver
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: webhook-dnsimple:auth-delegator
labels:
app: cert-manager-webhook-dnsimple
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- apiGroup: ""
kind: ServiceAccount
name: webhook-dnsimple
namespace: cert-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: webhook-dnsimple:domain-solver
labels:
app: cert-manager-webhook-dnsimple
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: webhook-dnsimple:domain-solver
subjects:
- apiGroup: ""
kind: ServiceAccount
2024-04-03 14:06:50 -05:00
name: cert-manager
namespace: cert-manager
---
# Grant the webhook permission to read the api-token Secret in the specified namespace.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: "cert-manager"
name: webhook-dnsimple:access-secret
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "watch"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: webhook-dnsimple:access-secret
namespace: "cert-manager"
subjects:
- kind: ServiceAccount
name: webhook-dnsimple
namespace: "cert-manager"
roleRef:
kind: Role
name: webhook-dnsimple:access-secret
apiGroup: rbac.authorization.k8s.io
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: webhook-dnsimple:webhook-authentication-reader
namespace: kube-system
labels:
app: cert-manager-webhook-dnsimple
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: extension-apiserver-authentication-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: webhook-dnsimple
namespace: cert-manager