From ebb42b282045639c8b3102d1025ad89d7845770c Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Wed, 3 Apr 2024 12:47:50 -0500
Subject: [PATCH] And more rbac.
---
 .../webhook-dnsimple/app/rbac.yaml | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
index 09ebe32f..4c65958b 100644
--- a/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
+++ b/kubernetes/apps/cert-manager/webhook-dnsimple/app/rbac.yaml
@@ -22,6 +22,26 @@ rules:
 verbs:
 - 'create'
 ---
+# Grant the webhook permission to read the ConfigMap containing the Kubernetes
+# apiserver's requestheader-ca-certificate.
+# This ConfigMap is automatically created by the Kubernetes apiserver.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: webhook-dnsimple:webhook-authentication-reader
+ namespace: kube-system
+ labels:
+ app: cert-manager-webhook-dnsimple
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: extension-apiserver-authentication-reader
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: webhook-dnsimple
+ namespace: cert-manager
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
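Review bot: The new RoleBinding hard-codes both `namespace: kube-system` on its metadata and `namespace: cert-manager` on the ServiceAccount subject, so it only works if nothing in the deploy path rewrites namespaces. If this directory is rendered with a kustomize `namespace:` setting or a Flux `targetNamespace` (neither is visible in this patch), the binding would be moved out of kube-system, where the `extension-apiserver-authentication-reader` Role lives, and would reference a Role that does not exist there. It is worth confirming after apply that the binding is present in kube-system, and that the `webhook-dnsimple` ServiceAccount name matches the one the deployment actually runs as. The grant itself is narrow (a namespaced Role with read access, not a ClusterRole), and the comment could say so by naming the object, for example `# Binds the built-in Role that allows reading the extension-apiserver-authentication ConfigMap in kube-system.` The ClusterRole that follows the added document continues outside the hunk.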