Adding clusterrole and service account config.
Change-Id: I1390da5e3b0b07398834fc382b992d32b40e98dd
Signed-off-by: naman.gupta <naman.gupta@samsung.com>
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/instance: metrics-reader
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: metrics-reader
+rules:
+- nonResourceURLs:
+ - "/metrics"
+ verbs:
+ - get
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/instance: proxy-role
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: proxy-role
+rules:
+- apiGroups:
+ - authentication.k8s.io
+ resources:
+ - tokenreviews
+ verbs:
+ - create
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - subjectaccessreviews
+ verbs:
+ - create
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: proxy-rolebinding
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: proxy-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: proxy-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
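Review bot: The subject namespace here is hard-coded as `system`, so this ClusterRoleBinding only reaches the real `controller-manager` ServiceAccount if an overlay rewrites the namespace at build time; the kustomization added in this commit sets no `namespace:` itself. The same placeholder appears in the leader-election RoleBinding, the manager ClusterRoleBinding, the metrics Service and the ServiceAccount. If these files are ever applied directly, the bindings would name a ServiceAccount in a namespace that probably does not exist, and the grant would sit waiting for anything later created under that name. A comment above the subject, e.g. `# namespace is a placeholder; rewritten by the kustomize overlay that sets namespace:`, would make the dependency explicit.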
--- /dev/null
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ control-plane: controller-manager
+ app.kubernetes.io/name: service
+ app.kubernetes.io/instance: controller-manager-metrics-service
+ app.kubernetes.io/component: kube-rbac-proxy
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager-metrics-service
+ namespace: system
+spec:
+ ports:
+ - name: https
+ port: 8443
+ protocol: TCP
+ targetPort: https
+ selector:
+ control-plane: controller-manager
--- /dev/null
+resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml
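Review bot: The `ricplatform-editor-role` and `ricplatform-viewer-role` ClusterRoles added elsewhere in this commit have no matching entry in this `resources` list, so a kustomize build of this directory will apparently not deploy them. If that is intentional (helper roles an admin applies by hand), record it with a comment such as `# ricplatform editor/viewer roles are optional and intentionally not listed`; otherwise add their file names here. The file names are not visible on this page, so the exact entries cannot be confirmed from the diff alone.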
--- /dev/null
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ app.kubernetes.io/name: role
+ app.kubernetes.io/instance: leader-election-role
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
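Review bot: The first rule grants get/list/watch/create/update/patch/delete on every ConfigMap in the namespace, which is more than leader election needs if the manager uses a Lease-based lock (the manager code is not part of this change, so that is an assumption). In that case the `configmaps` rule can be dropped, and the `leases` rule can probably be reduced to `get`, `create` and `update`. If the ConfigMap lock is still required, a comment saying so would help, because the rule otherwise reads as general ConfigMap write and delete access for the controller's ServiceAccount.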
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rolebinding
+ app.kubernetes.io/instance: leader-election-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
--- /dev/null
+# permissions for end users to edit ricplatforms.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/instance: ricplatform-editor-role
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: ricplatform-editor-role
+rules:
+- apiGroups:
+ - ricdeploy.ricplt.com
+ resources:
+ - ricplatforms
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ricdeploy.ricplt.com
+ resources:
+ - ricplatforms/status
+ verbs:
+ - get
--- /dev/null
+# permissions for end users to view ricplatforms.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrole
+ app.kubernetes.io/instance: ricplatform-viewer-role
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: ricplatform-viewer-role
+rules:
+- apiGroups:
+ - ricdeploy.ricplt.com
+ resources:
+ - ricplatforms
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ricdeploy.ricplt.com
+ resources:
+ - ricplatforms/status
+ verbs:
+ - get
--- /dev/null
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: manager-role
+rules:
+- apiGroups:
+ - ricdeploy.ricplt.com
+ resources:
+ - ricplatforms
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - ricdeploy.ricplt.com
+ resources:
+ - ricplatforms/finalizers
+ verbs:
+ - update
+- apiGroups:
+ - ricdeploy.ricplt.com
+ resources:
+ - ricplatforms/status
+ verbs:
+ - get
+ - patch
+ - update
--- /dev/null
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: clusterrolebinding
+ app.kubernetes.io/instance: manager-rolebinding
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: manager-role
+subjects:
+- kind: ServiceAccount
+ name: controller-manager
+ namespace: system
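Review bot: Binding `manager-role` through a ClusterRoleBinding gives the controller's ServiceAccount create, update and delete on `ricplatforms` in every namespace. If the operator is only meant to manage a single namespace (not determinable from this change), a namespaced Role and RoleBinding would confine the grant to that namespace. If cluster-wide scope is intended, a one-line comment above `roleRef`, e.g. `# cluster-wide: the manager reconciles ricplatforms in all namespaces`, would record that decision for later reviewers.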
--- /dev/null
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: serviceaccount
+ app.kubernetes.io/instance: controller-manager-sa
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: depriclatest26oct
+ app.kubernetes.io/part-of: depriclatest26oct
+ app.kubernetes.io/managed-by: kustomize
+ name: controller-manager
+ namespace: system