{{- if .Values.global.rbac.create }}
# Leader-election Role.
# A namespaced Role, so Lease access is confined to the configured
# leader-election namespace rather than granted cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Mutation is pinned to the single named Lease; only creation is unscoped
  # (resourceNames cannot apply to create, the object does not exist yet).
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    resourceNames: ["cert-manager-controller"]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["create"]
---
# Bind the controller ServiceAccount to the leader-election Role above
# (Lease access in the leader-election namespace).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}:leaderelection
  namespace: {{ .Values.global.leaderElection.namespace }}
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "cert-manager.fullname" . }}:leaderelection
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
# Issuer controller role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "issuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers"]
    verbs: ["get", "list", "watch"]
  # ClusterRole, so this Secret read/write is cluster-wide, not per-namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# ClusterIssuer controller role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "clusterissuers/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers"]
    verbs: ["get", "list", "watch"]
  # ClusterRole, so this Secret read/write is cluster-wide, not per-namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Certificates controller role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/finalizers", "certificaterequests/finalizers"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders"]
    verbs: ["create", "delete", "get", "list", "watch"]
  # Broadest Secret grant in this file (adds "patch" on top of the issuer
  # roles) and, being a ClusterRole, it applies across every namespace.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch", "create", "update", "delete", "patch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Orders controller role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "orders/status"]
    verbs: ["update", "patch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders", "challenges"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["clusterissuers", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["create", "delete"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["orders/finalizers"]
    verbs: ["update"]
  # Read-only on Secrets (no write verbs), but still cluster-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# Challenges controller role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  # Used to update challenge resource status.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "challenges/status"]
    verbs: ["update", "patch"]
  # Used to watch challenge resources.
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges"]
    verbs: ["get", "list", "watch"]
  # Used to watch issuer and clusterissuer resources.
  - apiGroups: ["cert-manager.io"]
    resources: ["issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  # Needed to retrieve the ACME account private key to complete challenges.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Used to create events.
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # HTTP01 rules: the solver creates and removes its own Pods/Services and
  # the Ingress or HTTPRoute that exposes them.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "watch", "create", "delete"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes"]
    verbs: ["get", "list", "watch", "create", "delete", "update"]
  # We require the ability to specify a custom hostname when we are creating
  # new ingress resources.
  # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148
  - apiGroups: ["route.openshift.io"]
    resources: ["routes/custom-host"]
    verbs: ["create"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges/finalizers"]
    verbs: ["update"]
  # DNS01 rules (duplicated above; RBAC rules are additive so this grants
  # nothing new, it is kept for readability of the DNS01 section).
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
# ingress-shim controller role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests"]
    verbs: ["create", "update", "delete"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
  # admission controller enabled:
  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/finalizers"]
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways", "httproutes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways/finalizers", "httproutes/finalizers"]
    verbs: ["update"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# ClusterRoleBindings: each controller ClusterRole above is bound to the
# single cert-manager controller ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-issuers
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-clusterissuers
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-certificates
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-orders
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-orders
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-challenges
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-ingress-shim
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
# User-facing "view" role for cert-manager resources.
# With aggregateClusterRoles enabled, the aggregate-to-* labels fold these
# read-only rules into the built-in view, edit and admin ClusterRoles, so
# every principal holding those roles can read cert-manager objects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-view
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["get", "list", "watch"]
---
# User-facing "edit" role for cert-manager resources.
# Aggregates into the built-in edit and admin ClusterRoles only (not view).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-edit
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "controller"
    {{- include "labels" . | nindent 4 }}
    {{- if .Values.global.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates", "certificaterequests", "issuers"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates/status"]
    verbs: ["update"]
  - apiGroups: ["acme.cert-manager.io"]
    resources: ["challenges", "orders"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]
---
# Permission to approve CertificateRequests referencing cert-manager.io
# Issuers and ClusterIssuers. resourceNames limits the "approve" verb to
# signers under those two issuer kinds only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["cert-manager.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["approve"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-approve:cert-manager-io
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
---
# Permission to:
# - Update and sign CertificateSigningRequests referencing cert-manager.io
#   Issuers and ClusterIssuers
# - Perform SubjectAccessReviews to test whether users are able to reference
#   namespaced Issuers
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
rules:
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests/status"]
    verbs: ["update", "patch"]
  # "sign" is restricted by resourceNames to the cert-manager signer names;
  # no other signer in the cluster is covered by this grant.
  - apiGroups: ["certificates.k8s.io"]
    resources: ["signers"]
    resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"]
    verbs: ["sign"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
  labels:
    app: {{ include "cert-manager.name" . }}
    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: "cert-manager"
    {{- include "labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cert-manager.fullname" . }}-controller-certificatesigningrequests
subjects:
  - kind: ServiceAccount
    name: {{ include "cert-manager.serviceAccountName" . }}
    namespace: {{ include "cert-manager.namespace" . }}
{{- end }}