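{{- if .Values.preflight.enabled }}
{{- /* Keep file in sync with cilium-agent/clusterrole.yaml */ -}}
{{- /*
ClusterRole for the cilium-pre-flight checks. Every rule here is cluster-scoped;
the optional rules are gated on .Values.annotateK8sNode and
.Values.tls.secretsBackend so that a grant is only rendered when the matching
feature is enabled.
*/ -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium-pre-flight
rules:
# Read-only access to core networking objects needed to evaluate policies.
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - services
  - pods
  - endpoints
  - nodes
  verbs:
  - get
  - list
  - watch
{{- if .Values.annotateK8sNode }}
# Write access is limited to the nodes/status subresource and is only
# rendered when node annotation is enabled.
- apiGroups:
  - ""
  resources:
  - nodes/status
  verbs:
  # To annotate the k8s node with Cilium's metadata
  - patch
{{- end }}
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - watch
  # This is used when validating policies in preflight. This will need to stay
  # until we figure out how to avoid "get" inside the preflight, and then
  # should be removed ideally.
  - get
{{- if eq "k8s" .Values.tls.secretsBackend }}
# Cluster-wide "get" on Secrets (no list/watch). Only rendered when the
# Kubernetes secrets backend is selected for TLS material; any change to the
# resource or verb list here widens what a compromised pre-flight pod can read.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
{{- end }}
# Read-only view of all Cilium CRDs.
- apiGroups:
  - cilium.io
  resources:
  - ciliumbgploadbalancerippools
  - ciliumbgppeeringpolicies
  - ciliumclusterwideenvoyconfigs
  - ciliumclusterwidenetworkpolicies
  - ciliumegressgatewaypolicies
  - ciliumegressnatpolicies
  - ciliumendpoints
  - ciliumendpointslices
  - ciliumenvoyconfigs
  - ciliumidentities
  - ciliumlocalredirectpolicies
  - ciliumnetworkpolicies
  - ciliumnodes
  verbs:
  - list
  - watch
# Write verbs below are deliberately split per resource so each mutating
# permission is scoped to the smallest resource set that needs it.
- apiGroups:
  - cilium.io
  resources:
  - ciliumidentities
  - ciliumendpoints
  - ciliumnodes
  verbs:
  - create
- apiGroups:
  - cilium.io
  # To synchronize garbage collection of such resources
  resources:
  - ciliumidentities
  verbs:
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumendpoints
  verbs:
  - delete
  - get
- apiGroups:
  - cilium.io
  resources:
  - ciliumnodes
  - ciliumnodes/status
  verbs:
  - get
  - update
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies/status
  - ciliumclusterwidenetworkpolicies/status
  - ciliumendpoints/status
  - ciliumendpoints
  verbs:
  - patch
{{- end }}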