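// RBAC objects for cert-manager: the ClusterRoles and Roles its components
// need, and the bindings that attach them to the component ServiceAccounts.
//
// Only `crs`, `crbs`, `roles` and `rbs` are defined here. The object also
// reads `top.env` (environment metadata, including the namespace) and
// `top.sas` (the ServiceAccounts), which are not defined in this file —
// presumably supplied by the object this file is mixed into; verify against
// the caller.
local kube = import "../../../kube/kube.libsonnet";

{
  local top = self,

  // One RBAC PolicyRule. Every rule in this file has exactly these three
  // fields, so a helper keeps the role definitions compact and uniform.
  local rule(apiGroups, resources, verbs) = {
    apiGroups: apiGroups,
    resources: resources,
    verbs: verbs,
  },

  // Lock objects used for leader election. Shared by the cainjector and the
  // controller leader-election Roles below, which grant identical access.
  local leaderElectionRules = [
    rule([""], ["configmaps"], ["get", "update", "patch"]),
    rule([""], ["configmaps"], ["create"]),
    rule(["coordination.k8s.io"], ["leases"], ["get", "update", "patch"]),
    rule(["coordination.k8s.io"], ["leases"], ["create"]),
  ],

  // Cluster-scoped roles. None of the Secrets rules below carry a
  // resourceNames restriction, so once bound through a ClusterRoleBinding
  // (see `crbs`) they reach Secrets in every namespace. Treat the subjects
  // of these bindings as high-value identities.
  crs: {
    cainjector: kube.ClusterRole("cert-manager-cainjector") {
      rules: [
        rule(["cert-manager.io"], ["certificates"], ["get", "list", "watch"]),
        // Read access to every Secret in the cluster.
        rule([""], ["secrets"], ["get", "list", "watch"]),
        rule([""], ["events"], ["get", "create", "update", "patch"]),
        // `update` on cluster-scoped API-machinery objects (admission
        // webhooks, APIServices, CRDs) affects every namespace; a high-impact
        // grant.
        rule(["admissionregistration.k8s.io"], ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"], ["get", "list", "watch", "update"]),
        rule(["apiregistration.k8s.io"], ["apiservices"], ["get", "list", "watch", "update"]),
        rule(["apiextensions.k8s.io"], ["customresourcedefinitions"], ["get", "list", "watch", "update"]),
        // NOTE(review): the auditregistration.k8s.io group (AuditSink) was
        // removed from Kubernetes in 1.19, so on current clusters this rule
        // is inert. Confirm it is still wanted before keeping it.
        rule(["auditregistration.k8s.io"], ["auditsinks"], ["get", "list", "watch", "update"]),
      ],
    },
    controllerIssuers: kube.ClusterRole("cert-manager-controller-issuers") {
      rules: [
        rule(["cert-manager.io"], ["issuers", "issuers/status"], ["update"]),
        rule(["cert-manager.io"], ["issuers"], ["get", "list", "watch"]),
        // Full read/write on Secrets cluster-wide: the broadest grant in this
        // file. Bound only to the controller ServiceAccount below.
        rule([""], ["secrets"], ["get", "list", "watch", "create", "update", "delete"]),
        rule([""], ["events"], ["create", "patch"]),
      ],
    },
    controllerClusterissuers: kube.ClusterRole("cert-manager-controller-clusterissuers") {
      rules: [
        rule(["cert-manager.io"], ["clusterissuers", "clusterissuers/status"], ["update"]),
        rule(["cert-manager.io"], ["clusterissuers"], ["get", "list", "watch"]),
        // Full read/write on Secrets cluster-wide (see controllerIssuers).
        rule([""], ["secrets"], ["get", "list", "watch", "create", "update", "delete"]),
        rule([""], ["events"], ["create", "patch"]),
      ],
    },
    controllerCertificates: kube.ClusterRole("cert-manager-controller-certificates") {
      rules: [
        rule(["cert-manager.io"], ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"], ["update"]),
        rule(["cert-manager.io"], ["certificates", "certificaterequests", "clusterissuers", "issuers"], ["get", "list", "watch"]),
        rule(["cert-manager.io"], ["certificates/finalizers", "certificaterequests/finalizers"], ["update"]),
        rule(["acme.cert-manager.io"], ["orders"], ["create", "delete", "get", "list", "watch"]),
        // Full read/write on Secrets cluster-wide (see controllerIssuers).
        rule([""], ["secrets"], ["get", "list", "watch", "create", "update", "delete"]),
        rule([""], ["events"], ["create", "patch"]),
      ],
    },
    controllerOrders: kube.ClusterRole("cert-manager-controller-orders") {
      rules: [
        rule(["acme.cert-manager.io"], ["orders", "orders/status"], ["update"]),
        rule(["acme.cert-manager.io"], ["orders", "challenges"], ["get", "list", "watch"]),
        rule(["cert-manager.io"], ["clusterissuers", "issuers"], ["get", "list", "watch"]),
        rule(["acme.cert-manager.io"], ["challenges"], ["create", "delete"]),
        rule(["acme.cert-manager.io"], ["orders/finalizers"], ["update"]),
        // Read-only on Secrets, but still cluster-wide.
        rule([""], ["secrets"], ["get", "list", "watch"]),
        rule([""], ["events"], ["create", "patch"]),
      ],
    },
    controllerChallenges: kube.ClusterRole("cert-manager-controller-challenges") {
      rules: [
        rule(["acme.cert-manager.io"], ["challenges", "challenges/status"], ["update"]),
        rule(["acme.cert-manager.io"], ["challenges"], ["get", "list", "watch"]),
        rule(["cert-manager.io"], ["issuers", "clusterissuers"], ["get", "list", "watch"]),
        // Read-only on Secrets, but still cluster-wide. Listed once; the
        // single rule already covers every namespace.
        rule([""], ["secrets"], ["get", "list", "watch"]),
        rule([""], ["events"], ["create", "patch"]),
        // Create/delete of Pods and Services in any namespace: the ACME
        // solver workloads. Pod creation is itself a privileged capability,
        // so this role should stay bound to the controller SA only.
        rule([""], ["pods", "services"], ["get", "list", "watch", "create", "delete"]),
        rule(["networking.k8s.io"], ["ingresses"], ["get", "list", "watch", "create", "delete", "update"]),
        // NOTE(review): networking.x-k8s.io is the pre-v1alpha2 Gateway API
        // group; current Gateway API resources live under
        // gateway.networking.k8s.io. Harmless if the group is absent, but
        // confirm which one the cluster actually serves.
        rule(["networking.x-k8s.io"], ["httproutes"], ["get", "list", "watch", "create", "delete", "update"]),
        // `routes/custom-host` is an OpenShift-only subresource; inert
        // elsewhere.
        rule(["route.openshift.io"], ["routes/custom-host"], ["create"]),
        rule(["acme.cert-manager.io"], ["challenges/finalizers"], ["update"]),
      ],
    },
    controllerIngressShim: kube.ClusterRole("cert-manager-controller-ingress-shim") {
      rules: [
        rule(["cert-manager.io"], ["certificates", "certificaterequests"], ["create", "update", "delete"]),
        rule(["cert-manager.io"], ["certificates", "certificaterequests", "issuers", "clusterissuers"], ["get", "list", "watch"]),
        rule(["networking.k8s.io"], ["ingresses"], ["get", "list", "watch"]),
        rule(["networking.k8s.io"], ["ingresses/finalizers"], ["update"]),
        // NOTE(review): same pre-v1alpha2 Gateway API group as in
        // controllerChallenges; confirm it is still the served group.
        rule(["networking.x-k8s.io"], ["gateways", "httproutes"], ["get", "list", "watch"]),
        rule(["networking.x-k8s.io"], ["gateways/finalizers", "httproutes/finalizers"], ["update"]),
        rule([""], ["events"], ["create", "patch"]),
      ],
    },
    // Aggregation-style user-facing roles: read-only and read-write access to
    // the cert-manager resources. Neither grants access to Secrets.
    view: kube.ClusterRole("cert-manager-view") {
      rules: [
        rule(["cert-manager.io"], ["certificates", "certificaterequests", "issuers"], ["get", "list", "watch"]),
        rule(["acme.cert-manager.io"], ["challenges", "orders"], ["get", "list", "watch"]),
      ],
    },
    edit: kube.ClusterRole("cert-manager-edit") {
      rules: [
        rule(["cert-manager.io"], ["certificates", "certificaterequests", "issuers"], ["create", "delete", "deletecollection", "patch", "update"]),
        rule(["acme.cert-manager.io"], ["challenges", "orders"], ["create", "delete", "deletecollection", "patch", "update"]),
      ],
    },
    // `approve` on cert-manager.io signers gates which CertificateRequests
    // get approved; keep this bound to the controller SA only.
    controllerApproveCertManagerIo: kube.ClusterRole("cert-manager-controller-approve:cert-manager-io") {
      rules: [
        rule(["cert-manager.io"], ["signers"], ["approve"]),
      ],
    },
    controllerCertificatesigningrequests: kube.ClusterRole("cert-manager-controller-certificatesigningrequests") {
      rules: [
        rule(["certificates.k8s.io"], ["certificatesigningrequests"], ["get", "list", "watch", "update"]),
        rule(["certificates.k8s.io"], ["certificatesigningrequests/status"], ["update"]),
        // `sign` on Kubernetes signers lets the holder issue certificates for
        // CSRs in the certificates.k8s.io API; a sensitive verb.
        rule(["certificates.k8s.io"], ["signers"], ["sign"]),
        // SubjectAccessReview creation lets the controller ask the API server
        // authorization questions; it does not itself grant the permissions
        // being checked.
        rule(["authorization.k8s.io"], ["subjectaccessreviews"], ["create"]),
      ],
    },
    webhookSubjectaccessreviews: kube.ClusterRole("cert-manager-webhook:subjectaccessreviews") {
      rules: [
        rule(["authorization.k8s.io"], ["subjectaccessreviews"], ["create"]),
      ],
    },
  },

  // Bindings for the cluster-scoped roles. Every controller role is attached
  // to the single `certManager` ServiceAccount; cainjector and webhook get
  // only their own roles.
  crbs: {
    cainjector: kube.ClusterRoleBinding("cert-manager-cainjector") {
      roleRef_: top.crs.cainjector,
      subjects_: [top.sas.cainjector],
    },
    controllerIssuers: kube.ClusterRoleBinding("cert-manager-controller-issuers") {
      roleRef_: top.crs.controllerIssuers,
      subjects_: [top.sas.certManager],
    },
    controllerClusterissuers: kube.ClusterRoleBinding("cert-manager-controller-clusterissuers") {
      roleRef_: top.crs.controllerClusterissuers,
      subjects_: [top.sas.certManager],
    },
    controllerCertificates: kube.ClusterRoleBinding("cert-manager-controller-certificates") {
      roleRef_: top.crs.controllerCertificates,
      subjects_: [top.sas.certManager],
    },
    controllerOrders: kube.ClusterRoleBinding("cert-manager-controller-orders") {
      roleRef_: top.crs.controllerOrders,
      subjects_: [top.sas.certManager],
    },
    controllerChallenges: kube.ClusterRoleBinding("cert-manager-controller-challenges") {
      roleRef_: top.crs.controllerChallenges,
      subjects_: [top.sas.certManager],
    },
    controllerIngressShim: kube.ClusterRoleBinding("cert-manager-controller-ingress-shim") {
      roleRef_: top.crs.controllerIngressShim,
      subjects_: [top.sas.certManager],
    },
    controllerApproveCertManagerIo: kube.ClusterRoleBinding("cert-manager-controller-approve:cert-manager-io") {
      roleRef_: top.crs.controllerApproveCertManagerIo,
      subjects_: [top.sas.certManager],
    },
    controllerCertificatesigningrequests: kube.ClusterRoleBinding("cert-manager-controller-certificatesigningrequests") {
      roleRef_: top.crs.controllerCertificatesigningrequests,
      subjects_: [top.sas.certManager],
    },
    webhookSubjectaccessreviews: kube.ClusterRoleBinding("cert-manager-webhook:subjectaccessreviews") {
      roleRef_: top.crs.webhookSubjectaccessreviews,
      subjects_: [top.sas.webhook],
    },
  },

  // Namespaced roles. Unlike the ClusterRoles above, these only reach objects
  // in the namespace named in their metadata.
  roles: {
    // Leader-election locks live in kube-system, so the write access to
    // ConfigMaps and Leases is confined to that namespace.
    cainjectorLeaderelection: kube.Role("cert-manager-cainjector:leaderelection") {
      metadata+: top.env.metadata {
        namespace: "kube-system",
      },
      rules: leaderElectionRules,
    },
    leaderelection: kube.Role("cert-manager:leaderelection") {
      metadata+: top.env.metadata {
        namespace: "kube-system",
      },
      rules: leaderElectionRules,
    },
    // Secrets access for the webhook's serving certificate. Scoped to the
    // environment namespace (taken from top.env.metadata), not cluster-wide.
    webhookDynamicServing: kube.Role("cert-manager-webhook:dynamic-serving") {
      metadata+: top.env.metadata,
      rules: [
        rule([""], ["secrets"], ["get", "list", "watch", "update"]),
        rule([""], ["secrets"], ["create"]),
      ],
    },
  },

  // Bindings for the namespaced roles; each RoleBinding is placed in the same
  // namespace as the Role it references.
  rbs: {
    cainjectorLeaderelection: kube.RoleBinding("cert-manager-cainjector:leaderelection") {
      metadata+: {
        namespace: "kube-system",
      },
      roleRef_: top.roles.cainjectorLeaderelection,
      subjects_: [top.sas.cainjector],
    },
    leaderelection: kube.RoleBinding("cert-manager:leaderelection") {
      metadata+: {
        namespace: "kube-system",
      },
      roleRef_: top.roles.leaderelection,
      subjects_: [top.sas.certManager],
    },
    webhookDynamicServing: kube.RoleBinding("cert-manager-webhook:dynamic-serving") {
      metadata+: {
        namespace: top.env.metadata.namespace,
      },
      roleRef_: top.roles.webhookDynamicServing,
      subjects_: [top.sas.webhook],
    },
  },
}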