local kube = import "../../../kube/kube.libsonnet";
{
local top = self,
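crs: {
  // Rule fragments shared by several roles below. Everything in this object
  // is a ClusterRole, so a rule on core "secrets" reaches Secrets in every
  // namespace: a subject bound to the read variant can read all secrets
  // cluster-wide, and one bound to the write variant can also create,
  // modify and delete them.
  local eventsRule = {
    apiGroups: [""],
    resources: ["events"],
    verbs: ["create", "patch"],
  },
  local secretsReadRule = {
    apiGroups: [""],
    resources: ["secrets"],
    verbs: ["get", "list", "watch"],
  },
  local secretsWriteRule = {
    apiGroups: [""],
    resources: ["secrets"],
    verbs: ["get", "list", "watch", "create", "update", "delete"],
  },

  // cainjector: reads Certificates and Secrets cluster-wide and may update
  // admission webhook configurations, APIServices and CRDs. "update" on
  // validating/mutating webhook configurations and APIServices is a
  // high-impact grant (it controls which webhooks and aggregated APIs the
  // cluster trusts), so this role should stay bound only to the cainjector
  // service account.
  cainjector: kube.ClusterRole("cert-manager-cainjector") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates"],
        verbs: ["get", "list", "watch"],
      },
      secretsReadRule,
      // cainjector needs get/update on events as well, so it does not use
      // the shared create/patch eventsRule.
      {
        apiGroups: [""],
        resources: ["events"],
        verbs: ["get", "create", "update", "patch"],
      },
      {
        apiGroups: ["admissionregistration.k8s.io"],
        resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"],
        verbs: ["get", "list", "watch", "update"],
      },
      {
        apiGroups: ["apiregistration.k8s.io"],
        resources: ["apiservices"],
        verbs: ["get", "list", "watch", "update"],
      },
      {
        apiGroups: ["apiextensions.k8s.io"],
        resources: ["customresourcedefinitions"],
        verbs: ["get", "list", "watch", "update"],
      },
      // NOTE: auditregistration.k8s.io/auditsinks was an alpha API that later
      // Kubernetes releases no longer serve; on such clusters this rule is
      // inert and can be dropped once no supported cluster needs it.
      {
        apiGroups: ["auditregistration.k8s.io"],
        resources: ["auditsinks"],
        verbs: ["get", "list", "watch", "update"],
      },
    ],
  },

  // Controller roles. Each is bound to the single controller service
  // account (see crbs), so in practice their permissions are additive.
  controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["issuers", "issuers/status"],
        verbs: ["update"],
      },
      {
        apiGroups: ["cert-manager.io"],
        resources: ["issuers"],
        verbs: ["get", "list", "watch"],
      },
      secretsWriteRule,
      eventsRule,
    ],
  },
  controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["clusterissuers", "clusterissuers/status"],
        verbs: ["update"],
      },
      {
        apiGroups: ["cert-manager.io"],
        resources: ["clusterissuers"],
        verbs: ["get", "list", "watch"],
      },
      secretsWriteRule,
      eventsRule,
    ],
  },
  controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"],
        verbs: ["update"],
      },
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates/finalizers", "certificaterequests/finalizers"],
        verbs: ["update"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["orders"],
        verbs: ["create", "delete", "get", "list", "watch"],
      },
      secretsWriteRule,
      eventsRule,
    ],
  },
  controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
    rules: [
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["orders", "orders/status"],
        verbs: ["update"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["orders", "challenges"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["cert-manager.io"],
        resources: ["clusterissuers", "issuers"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["challenges"],
        verbs: ["create", "delete"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["orders/finalizers"],
        verbs: ["update"],
      },
      secretsReadRule,
      eventsRule,
    ],
  },
  // The challenges controller may create/delete Pods, Services, Ingresses
  // and HTTPRoutes in any namespace (presumably for ACME HTTP-01 solvers).
  // The duplicate core/secrets get-list-watch rule that used to close this
  // list was removed; RBAC is additive, so the effective permissions are
  // unchanged.
  controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
    rules: [
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["challenges", "challenges/status"],
        verbs: ["update"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["challenges"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["cert-manager.io"],
        resources: ["issuers", "clusterissuers"],
        verbs: ["get", "list", "watch"],
      },
      secretsReadRule,
      eventsRule,
      {
        apiGroups: [""],
        resources: ["pods", "services"],
        verbs: ["get", "list", "watch", "create", "delete"],
      },
      {
        apiGroups: ["networking.k8s.io"],
        resources: ["ingresses"],
        verbs: ["get", "list", "watch", "create", "delete", "update"],
      },
      {
        apiGroups: ["networking.x-k8s.io"],
        resources: ["httproutes"],
        verbs: ["get", "list", "watch", "create", "delete", "update"],
      },
      {
        apiGroups: ["route.openshift.io"],
        resources: ["routes/custom-host"],
        verbs: ["create"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["challenges/finalizers"],
        verbs: ["update"],
      },
    ],
  },
  // ingress-shim: creates/updates/deletes Certificates cluster-wide and
  // reads Ingresses, Gateways and HTTPRoutes; it has no secrets access.
  controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates", "certificaterequests"],
        verbs: ["create", "update", "delete"],
      },
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["networking.k8s.io"],
        resources: ["ingresses"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["networking.k8s.io"],
        resources: ["ingresses/finalizers"],
        verbs: ["update"],
      },
      {
        apiGroups: ["networking.x-k8s.io"],
        resources: ["gateways", "httproutes"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["networking.x-k8s.io"],
        resources: ["gateways/finalizers", "httproutes/finalizers"],
        verbs: ["update"],
      },
      eventsRule,
    ],
  },

  // User-facing roles. Neither is referenced by a binding in this file and
  // neither carries aggregation labels, so they grant nothing until bound
  // explicitly.
  view: kube.ClusterRole("cert-manager-view") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates", "certificaterequests", "issuers"],
        verbs: ["get", "list", "watch"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["challenges", "orders"],
        verbs: ["get", "list", "watch"],
      },
    ],
  },
  edit: kube.ClusterRole("cert-manager-edit") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["certificates", "certificaterequests", "issuers"],
        verbs: ["create", "delete", "deletecollection", "patch", "update"],
      },
      {
        apiGroups: ["acme.cert-manager.io"],
        resources: ["challenges", "orders"],
        verbs: ["create", "delete", "deletecollection", "patch", "update"],
      },
    ],
  },

  // Signer-side authority. "approve" on cert-manager.io signers and "sign"
  // on certificates.k8s.io signers let the holder act as a certificate
  // authority through the Kubernetes CSR API; both roles are bound only to
  // the controller service account (see crbs) and should stay that way.
  controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
    rules: [
      {
        apiGroups: ["cert-manager.io"],
        resources: ["signers"],
        verbs: ["approve"],
      },
    ],
  },
  controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
    rules: [
      {
        apiGroups: ["certificates.k8s.io"],
        resources: ["certificatesigningrequests"],
        verbs: ["get", "list", "watch", "update"],
      },
      {
        apiGroups: ["certificates.k8s.io"],
        resources: ["certificatesigningrequests/status"],
        verbs: ["update"],
      },
      {
        apiGroups: ["certificates.k8s.io"],
        resources: ["signers"],
        verbs: ["sign"],
      },
      // SubjectAccessReviews let the controller ask the API server whether a
      // requester is authorised, instead of deciding on its own.
      {
        apiGroups: ["authorization.k8s.io"],
        resources: ["subjectaccessreviews"],
        verbs: ["create"],
      },
    ],
  },
  // The webhook only needs to delegate authorization checks to the API
  // server; it gets no access to cert-manager resources or secrets here.
  webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
    rules: [
      {
        apiGroups: ["authorization.k8s.io"],
        resources: ["subjectaccessreviews"],
        verbs: ["create"],
      },
    ],
  },
},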
crbs: {
  // Every binding here is a ClusterRoleBinding, so the referenced role's
  // permissions apply to the listed ServiceAccount in every namespace.
  // Only three accounts are used: cainjector, the controller (certManager)
  // and the webhook.
  local bind(name, role, account) = kube.ClusterRoleBinding(name) {
    roleRef_: role,
    subjects_: [account],
  },

  cainjector: bind("cert-manager-cainjector", top.crs.cainjector, top.sas.cainjector),

  // All controller roles are bound to the single controller account, so the
  // controller effectively holds the union of them.
  controllerIssuers: bind("cert-manager-controller-issuers", top.crs.controllerIssuers, top.sas.certManager),
  controllerClusterissuers: bind("cert-manager-controller-clusterissuers", top.crs.controllerClusterissuers, top.sas.certManager),
  controllerCertificates: bind("cert-manager-controller-certificates", top.crs.controllerCertificates, top.sas.certManager),
  controllerOrders: bind("cert-manager-controller-orders", top.crs.controllerOrders, top.sas.certManager),
  controllerChallenges: bind("cert-manager-controller-challenges", top.crs.controllerChallenges, top.sas.certManager),
  controllerIngressShim: bind("cert-manager-controller-ingress-shim", top.crs.controllerIngressShim, top.sas.certManager),
  controllerApproveCertManagerIo: bind("cert-manager-controller-approve:cert-manager-io", top.crs.controllerApproveCertManagerIo, top.sas.certManager),
  controllerCertificatesigningrequests: bind("cert-manager-controller-certificatesigningrequests", top.crs.controllerCertificatesigningrequests, top.sas.certManager),

  webhookSubjectaccessreviews: bind("cert-manager-webhook:subjectaccessreviews", top.crs.webhookSubjectaccessreviews, top.sas.webhook),
},
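roles: {
  // Leader election for cainjector and for the controller uses the same
  // permission set, so it is defined once. Both Roles are placed in
  // kube-system (overriding the environment namespace), and the rules carry
  // no resourceNames, so they grant create/get/update/patch on *every*
  // ConfigMap and Lease in kube-system, not only on the election object.
  // This could be narrowed with `resourceNames: ["<election lease name>"]`
  // once the election names are pinned.
  local leaderElectionRules = [
    {
      apiGroups: [""],
      resources: ["configmaps"],
      verbs: ["get", "update", "patch"],
    },
    {
      apiGroups: [""],
      resources: ["configmaps"],
      verbs: ["create"],
    },
    {
      apiGroups: ["coordination.k8s.io"],
      resources: ["leases"],
      verbs: ["get", "update", "patch"],
    },
    {
      apiGroups: ["coordination.k8s.io"],
      resources: ["leases"],
      verbs: ["create"],
    },
  ],

  cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
    metadata+: top.env.metadata {
      namespace: "kube-system",
    },
    rules: leaderElectionRules,
  },
  leaderelection: kube.Role("cert-manager:leaderelection") {
    metadata+: top.env.metadata {
      namespace: "kube-system",
    },
    rules: leaderElectionRules,
  },

  // The webhook manages its own serving certificate. This Role lives in the
  // environment namespace and, lacking resourceNames, covers every Secret in
  // that namespace (read and update, plus create).
  webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
    metadata+: top.env.metadata,
    rules: [
      {
        apiGroups: [""],
        resources: ["secrets"],
        verbs: ["get", "list", "watch", "update"],
      },
      {
        apiGroups: [""],
        resources: ["secrets"],
        verbs: ["create"],
      },
    ],
  },
},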
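rbs: {
  // A RoleBinding can only reference a Role in its own namespace, so the
  // namespace is taken from the bound Role instead of being repeated as a
  // literal here (which could silently drift from the Role's namespace).
  // The leader-election Roles resolve to kube-system and the webhook Role
  // to the environment namespace.
  local bind(name, role, account) = kube.RoleBinding(name) {
    metadata+: {
      namespace: role.metadata.namespace,
    },
    roleRef_: role,
    subjects_: [account],
  },

  cainjectorLeaderelection: bind("cert-manager-cainjector:leaderelection", top.roles.cainjectorLeaderelection, top.sas.cainjector),
  leaderelection: bind("cert-manager:leaderelection", top.roles.leaderelection, top.sas.certManager),
  webhookDynamicServing: bind("cert-manager-webhook:dynamic-serving", top.roles.webhookDynamicServing, top.sas.webhook),
},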
}