{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- name: {{ template "kong.fullname" . }}
- namespace: {{ .Release.namespace }}
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
rules:
- configmaps
verbs:
- create
+{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
+{{- end }}
+ # Begin KIC 2.x leader permissions
+ - apiGroups:
+ - ""
+ - coordination.k8s.io
+ resources:
+ - configmaps
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
- name: {{ template "kong.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
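Review bot: The rule added under `# Begin KIC 2.x leader permissions` grants get, list, watch, create, update, patch and delete on every ConfigMap and Lease in the release namespace, which is wider than a leader-election lock needs. RBAC cannot restrict `create` by name, but get/update/patch/delete can move into a second rule carrying `resourceNames: ["<leader-election-lock-name>"]`, so the controller's service account cannot modify or delete unrelated ConfigMaps; whether the controller needs unnamed list/watch is not visible here. The rule is also emitted for every controller version, unlike the `endpoints` rule just above it, which is gated with `semverCompare`. The `Begin` comment has no matching end marker, so a closing `# End KIC 2.x leader permissions` comment where the block ends would make its extent clear. The Role's earlier rules start outside this hunk.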
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ template "kong.namespace" . }}
+{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
- name: {{ template "kong.fullname" . }}
+ name: {{ template "kong.fullname" . }}
rules:
- - apiGroups:
- - ""
- resources:
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - "configuration.konghq.com"
- resources:
- - kongplugins
- - kongcredentials
- - kongconsumers
- - kongingresses
- verbs:
- - get
- - list
- - watch
+{{ include "kong.kubernetesRBACRules" . }}
+{{ include "kong.kubernetesRBACClusterRules" . }}
---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: {{ template "kong.fullname" . }}
+ name: {{ template "kong.fullname" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: {{ template "kong.fullname" . }}
+ name: {{ template "kong.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ template "kong.namespace" . }}
+{{- else }}
+{{- range .Values.ingressController.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ {{- include "kong.metaLabels" $ | nindent 4 }}
+ name: {{ template "kong.fullname" $ }}-{{ . }}
+ namespace: {{ . }}
+rules:
+{{ include "kong.kubernetesRBACRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "kong.fullname" $ }}-{{ . }}
+ labels:
+ {{- include "kong.metaLabels" $ | nindent 4 }}
+ namespace: {{ . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kong.fullname" $ }}-{{ . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kong.serviceAccountName" $ }}
+ namespace: {{ template "kong.namespace" $ }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+ name: {{ template "kong.fullname" . }}
+rules:
+{{ include "kong.kubernetesRBACClusterRules" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kong.fullname" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kong.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kong.serviceAccountName" . }}
+ namespace: {{ template "kong.namespace" . }}
+{{- end -}}
{{- end -}}
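Review bot: `{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}` fails template rendering when the value is null or the key is absent, because `len` errors on nil; the chart's default for `watchNamespaces` is not visible in this hunk. `{{- if empty .Values.ingressController.watchNamespaces }}` selects the same branch for an empty list and also tolerates nil. In the `range` branch each entry is written unquoted (`namespace: {{ . }}`), so `namespace: {{ . | quote }}` would keep a digit-only or boolean-looking entry a string. The reduced scope of that branch also depends on `kong.kubernetesRBACClusterRules` listing only cluster-scoped resources. That helper is defined outside this page, so a one-line comment above the include stating what it may contain would help reviewers keep Secret access out of the ClusterRole.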