constellation/internal/helm/charts/cilium/templates/cilium-operator/clusterrole.yaml

{{- if and .Values.operator.enabled .Values.serviceAccounts.operator.create }}
# ClusterRole for cilium-operator. Rendered only when the operator is enabled
# and this chart manages its ServiceAccount. Several rules below are optional
# and gated on chart values; the comments note which value enables them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-operator
  {{- with .Values.operator.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    app.kubernetes.io/part-of: cilium
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
  {{- if hasKey .Values "disableEndpointCRD" }}
  {{- if not .Values.disableEndpointCRD }}
  {{- if (and .Values.operator.unmanagedPodWatcher.restart (ne (.Values.operator.unmanagedPodWatcher.intervalSeconds | int64) 0 ) ) }}
  # to automatically delete [core|kube]dns pods so that they start being
  # managed by Cilium
  # Pod deletion is granted only when the endpoint CRD is in use,
  # operator.unmanagedPodWatcher.restart is set and its intervalSeconds
  # is non-zero; with a ClusterRoleBinding it applies to every namespace.
  - delete
  {{- end }}
  {{- end }}
  {{- end }}
{{- if or .Values.operator.removeNodeTaints .Values.operator.setNodeNetworkStatus (include "hasDuration" .Values.operator.endpointGCInterval) }}
# Read access to Nodes; needed by taint removal, network-status updates
# and endpoint garbage collection (operator.endpointGCInterval).
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list
  - watch
{{- end }}
{{- if or .Values.operator.removeNodeTaints .Values.operator.setNodeNetworkStatus }}
# Write (patch) access to Nodes; each resource is added only for the
# feature that needs it.
- apiGroups:
  - ""
  resources:
  {{- if .Values.operator.removeNodeTaints }}
  # To remove node taints
  - nodes
  {{- end }}
  {{- if .Values.operator.setNodeNetworkStatus }}
  # To set NetworkUnavailable false on startup
  - nodes/status
  {{- end }}
  verbs:
  - patch
{{- end }}
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  # to perform LB IP allocation for BGP
  - services/status
  verbs:
  - update
  - patch
- apiGroups:
  - ""
  resources:
  # to check apiserver connectivity
  - namespaces
  {{- if or .Values.ingressController.enabled .Values.gatewayAPI.enabled }}
  # Read access to Secrets (no resourceNames restriction; with a
  # ClusterRoleBinding this covers every namespace). Granted only when
  # ingressController or gatewayAPI is enabled.
  - secrets
  {{- end }}
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  # to perform the translation of a CNP that contains `ToGroup` to its endpoints
  - services
  - endpoints
  verbs:
  - get
  - list
  - watch
  {{- if or .Values.ingressController.enabled .Values.gatewayAPI.enabled }}
  # Write access to Services and Endpoints is only needed by the ingress
  # and Gateway API controllers; it is not granted otherwise.
  - create
  - update
  - delete
  - patch
  {{- end }}
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumclusterwidenetworkpolicies
  verbs:
  # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups'
  - create
  - update
  - deletecollection
  # To update the status of the CNPs and CCNPs
  - patch
  - get
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies/status
  - ciliumclusterwidenetworkpolicies/status
  verbs:
  # Update the auto-generated CNPs and CCNPs status.
  - patch
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumendpoints
  - ciliumidentities
  verbs:
  # To perform garbage collection of such resources
  - delete
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumidentities
  verbs:
  # To synchronize garbage collection of such resources
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes
  verbs:
  - create
  - update
  - get
  - list
  - watch
  {{- if include "hasDuration" .Values.operator.nodeGCInterval }}
  # To perform CiliumNode garbage collector
  # (only when operator.nodeGCInterval is a non-empty duration)
  - delete
  {{- end }}
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes/status
  verbs:
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumendpointslices
  - ciliumenvoyconfigs
  - ciliumbgppeerconfigs
  - ciliumbgpadvertisements
  - ciliumbgpnodeconfigs
  verbs:
  - create
  - update
  - get
  - list
  - watch
  - delete
  - patch
# CRD management: creation and read access are unrestricted by name,
# while updates (next rule) are limited to the Cilium CRDs listed in
# resourceNames.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - update
  resourceNames:
  - ciliumloadbalancerippools.cilium.io
  - ciliumbgppeeringpolicies.cilium.io
  - ciliumbgpclusterconfigs.cilium.io
  - ciliumbgppeerconfigs.cilium.io
  - ciliumbgpadvertisements.cilium.io
  - ciliumbgpnodeconfigs.cilium.io
  - ciliumbgpnodeconfigoverrides.cilium.io
  - ciliumclusterwideenvoyconfigs.cilium.io
  - ciliumclusterwidenetworkpolicies.cilium.io
  - ciliumegressgatewaypolicies.cilium.io
  - ciliumendpoints.cilium.io
  - ciliumendpointslices.cilium.io
  - ciliumenvoyconfigs.cilium.io
  - ciliumexternalworkloads.cilium.io
  - ciliumidentities.cilium.io
  - ciliumlocalredirectpolicies.cilium.io
  - ciliumnetworkpolicies.cilium.io
  - ciliumnodes.cilium.io
  - ciliumnodeconfigs.cilium.io
  - ciliumcidrgroups.cilium.io
  - ciliuml2announcementpolicies.cilium.io
  - ciliumpodippools.cilium.io
- apiGroups:
  - cilium.io
  resources:
  - ciliumloadbalancerippools
  - ciliumpodippools
  - ciliumbgpclusterconfigs
  - ciliumbgpnodeconfigoverrides
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - cilium.io
  resources:
  - ciliumpodippools
  verbs:
  - create
- apiGroups:
  - cilium.io
  resources:
  - ciliumloadbalancerippools/status
  verbs:
  - patch
# For cilium-operator running in HA mode.
#
# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election
# between multiple running instances.
# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less
# common and fewer objects in the cluster watch "all Leases".
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
{{- if .Values.ingressController.enabled }}
# Ingress controller rules; rendered only when ingressController.enabled is set.
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses/status # To update ingress status with load balancer IP.
  verbs:
  - update
{{- end }}
{{- if .Values.gatewayAPI.enabled }}
# Gateway API rules; rendered only when gatewayAPI.enabled is set.
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses
  - gateways
  - tlsroutes
  - httproutes
  - grpcroutes
  - referencegrants
  - referencepolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - gateway.networking.k8s.io
  resources:
  - gatewayclasses/status
  - gateways/status
  - httproutes/status
  - grpcroutes/status
  - tlsroutes/status
  verbs:
  - update
  - patch
{{- end }}
{{- end }}