Adding clusterrole and service account config. 60/13160/1
authornaman.gupta <naman.gupta@samsung.com>
Fri, 28 Jun 2024 12:58:21 +0000 (18:28 +0530)
committernaman.gupta <naman.gupta@samsung.com>
Fri, 28 Jun 2024 12:58:21 +0000 (18:28 +0530)
Adding clusterrole and service account config.

Change-Id: I1390da5e3b0b07398834fc382b992d32b40e98dd
Signed-off-by: naman.gupta <naman.gupta@samsung.com>
12 files changed:
depRicKubernetesOperator/config/rbac/auth_proxy_client_clusterrole.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/auth_proxy_role.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/auth_proxy_role_binding.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/auth_proxy_service.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/kustomization.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/leader_election_role.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/leader_election_role_binding.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/ricplatform_editor_role.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/ricplatform_viewer_role.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/role.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/role_binding.yaml [new file with mode: 0644]
depRicKubernetesOperator/config/rbac/service_account.yaml [new file with mode: 0644]

diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_client_clusterrole.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_client_clusterrole.yaml
new file mode 100644 (file)
index 0000000..04d5318
--- /dev/null
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: metrics-reader
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: metrics-reader
+rules:
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get
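Review bot: Nothing in this change binds `metrics-reader` to a subject, so after deployment no scraper is authorised for `get` on `/metrics` until someone adds a ClusterRoleBinding by hand. A header comment would make that explicit, e.g. `# Not bound by default: bind this ClusterRole to the ServiceAccount of your metrics scraper.` Binding it to one named ServiceAccount rather than a broad group such as `system:authenticated` keeps the metrics readable only by the intended scraper.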
diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_role.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_role.yaml
new file mode 100644 (file)
index 0000000..cd3d60f
--- /dev/null
@@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: proxy-role
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: proxy-role
+rules:
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create
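Review bot: The two rules carry no comment saying why the manager's ServiceAccount needs `create` on `tokenreviews` and `subjectaccessreviews`, which reads as unexplained privilege in an RBAC audit. Going by the `kube-rbac-proxy` component label, these are presumably the calls the proxy sidecar makes to authenticate and authorise each metrics request. A header such as `# Lets kube-rbac-proxy validate bearer tokens (TokenReview) and check access (SubjectAccessReview) for /metrics requests.` would record that. If the auth proxy is disabled in `kustomization.yaml`, this role and its binding should be removed with it so the permission is not left behind.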
diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_role_binding.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_role_binding.yaml
new file mode 100644 (file)
index 0000000..c534aee
--- /dev/null
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: proxy-rolebinding
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: proxy-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: proxy-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
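Review bot: The subject's `namespace: system` looks like a placeholder that is only correct once a kustomize overlay rewrites it to the deployment namespace, and that overlay is not part of this change. If the file is applied as-is, the cluster-wide binding points at `system/controller-manager`, and whoever can later create that namespace and ServiceAccount inherits `proxy-role`. A comment above `subjects:` such as `# namespace is rewritten by the kustomize namespace transformer; do not apply this file directly` would make the dependency visible. The same applies to `leader_election_role_binding.yaml`, `role_binding.yaml` and `service_account.yaml`.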
diff --git a/depRicKubernetesOperator/config/rbac/auth_proxy_service.yaml b/depRicKubernetesOperator/config/rbac/auth_proxy_service.yaml
new file mode 100644 (file)
index 0000000..a130714
--- /dev/null
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    control-plane: controller-manager
+    app.kubernetes.io/name: service
+    app.kubernetes.io/instance: controller-manager-metrics-service
+    app.kubernetes.io/component: kube-rbac-proxy
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager-metrics-service
+  namespace: system
+spec:
+  ports:
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
+  selector:
+    control-plane: controller-manager
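Review bot: `targetPort: https` resolves only if the selected pod declares a container port named `https`, and the manager Deployment is not part of this change, so that dependency deserves a comment here, e.g. `# targetPort must match the kube-rbac-proxy container port name in the manager Deployment`. The selector matches on the single label `control-plane: controller-manager`, so any pod in the namespace carrying that label becomes a backend of the metrics service. Adding a second, operator-specific label to both the selector and the pod template would narrow it.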
diff --git a/depRicKubernetesOperator/config/rbac/kustomization.yaml b/depRicKubernetesOperator/config/rbac/kustomization.yaml
new file mode 100644 (file)
index 0000000..731832a
--- /dev/null
@@ -0,0 +1,18 @@
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
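Review bot: `ricplatform_editor_role.yaml` and `ricplatform_viewer_role.yaml` are added by this commit but are not listed under `resources:`, so a kustomize build will not install them. If that is intended (helper roles for a cluster admin to bind manually), say so in a comment, e.g. `# ricplatform_editor_role.yaml and ricplatform_viewer_role.yaml are not applied by default; list them here to install them.`; otherwise add the two entries. Separately, the auth-proxy comment could note that commenting out those four lines leaves `/metrics` without the proxy's authentication unless the manager's metrics endpoint is restricted some other way.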
diff --git a/depRicKubernetesOperator/config/rbac/leader_election_role.yaml b/depRicKubernetesOperator/config/rbac/leader_election_role.yaml
new file mode 100644 (file)
index 0000000..0321d5e
--- /dev/null
@@ -0,0 +1,44 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/name: role
+    app.kubernetes.io/instance: leader-election-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: leader-election-role
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
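Review bot: The first rule grants every write verb, including `delete`, on all `configmaps` in the namespace, which is more than leader election needs and lets the manager's ServiceAccount modify unrelated ConfigMaps there. If the manager uses a Lease-based lock (the controller code is not in this change, so this needs confirming), the `configmaps` rule can be dropped and only the `coordination.k8s.io` `leases` rule kept. If a ConfigMap lock is still required, limiting the non-create verbs with `resourceNames: ["<leader-election-id>"]` would contain the grant to the one lock object.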
diff --git a/depRicKubernetesOperator/config/rbac/leader_election_role_binding.yaml b/depRicKubernetesOperator/config/rbac/leader_election_role_binding.yaml
new file mode 100644 (file)
index 0000000..7ec1d57
--- /dev/null
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rolebinding
+    app.kubernetes.io/instance: leader-election-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: leader-election-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: leader-election-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
diff --git a/depRicKubernetesOperator/config/rbac/ricplatform_editor_role.yaml b/depRicKubernetesOperator/config/rbac/ricplatform_editor_role.yaml
new file mode 100644 (file)
index 0000000..e6932d1
--- /dev/null
@@ -0,0 +1,31 @@
+# permissions for end users to edit ricplatforms.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: ricplatform-editor-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: ricplatform-editor-role
+rules:
+- apiGroups:
+  - ricdeploy.ricplt.com
+  resources:
+  - ricplatforms
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ricdeploy.ricplt.com
+  resources:
+  - ricplatforms/status
+  verbs:
+  - get
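Review bot: The header comment does not say how this ClusterRole should be bound, and the choice matters: a ClusterRoleBinding gives the user edit rights on `ricplatforms` in every namespace, while a RoleBinding limits them to one. I would extend the comment, e.g. `# Bind with a namespaced RoleBinding unless cluster-wide edit access is intended.` Anyone who can create or patch a RicPlatform also triggers whatever the operator does on reconcile under its own ServiceAccount, so edit access should be handed out as carefully as the operator's own permissions. The same binding note fits `ricplatform_viewer_role.yaml`.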
diff --git a/depRicKubernetesOperator/config/rbac/ricplatform_viewer_role.yaml b/depRicKubernetesOperator/config/rbac/ricplatform_viewer_role.yaml
new file mode 100644 (file)
index 0000000..6301141
--- /dev/null
@@ -0,0 +1,27 @@
+# permissions for end users to view ricplatforms.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrole
+    app.kubernetes.io/instance: ricplatform-viewer-role
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: ricplatform-viewer-role
+rules:
+- apiGroups:
+  - ricdeploy.ricplt.com
+  resources:
+  - ricplatforms
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ricdeploy.ricplt.com
+  resources:
+  - ricplatforms/status
+  verbs:
+  - get
diff --git a/depRicKubernetesOperator/config/rbac/role.yaml b/depRicKubernetesOperator/config/rbac/role.yaml
new file mode 100644 (file)
index 0000000..8c08d40
--- /dev/null
@@ -0,0 +1,32 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: manager-role
+rules:
+- apiGroups:
+  - ricdeploy.ricplt.com
+  resources:
+  - ricplatforms
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ricdeploy.ricplt.com
+  resources:
+  - ricplatforms/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - ricdeploy.ricplt.com
+  resources:
+  - ricplatforms/status
+  verbs:
+  - get
+  - patch
+  - update
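Review bot: `manager-role` covers only the `ricplatforms` custom resource and its `status` and `finalizers` subresources, so any other object the reconciler creates or watches (the controller code is outside this change) will be rejected as forbidden until rules for it are added. Those rules belong here, scoped to the exact API groups, resources and verbs, rather than being worked around by binding the ServiceAccount to a broader role such as `cluster-admin`. This file also lacks the `app.kubernetes.io/*` labels the other RBAC manifests carry. If it is generated from `+kubebuilder:rbac` markers that is expected, and a comment such as `# Generated by controller-gen; edit the RBAC markers, not this file.` would say so.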
diff --git a/depRicKubernetesOperator/config/rbac/role_binding.yaml b/depRicKubernetesOperator/config/rbac/role_binding.yaml
new file mode 100644 (file)
index 0000000..0966bed
--- /dev/null
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: manager-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
diff --git a/depRicKubernetesOperator/config/rbac/service_account.yaml b/depRicKubernetesOperator/config/rbac/service_account.yaml
new file mode 100644 (file)
index 0000000..1556b3f
--- /dev/null
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: controller-manager-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: depriclatest26oct
+    app.kubernetes.io/part-of: depriclatest26oct
+    app.kubernetes.io/managed-by: kustomize
+  name: controller-manager
+  namespace: system