{{- if .Values.managerRbac.create }} {{- /* This file contains the various namespace-scoped roles + bindings that the traffic-manager needs. This will likely expand over time as we move more things from the clients domain into the traffic-manager. But the good news there is that it will require less permissions in clientRbac.yaml */}} {{- $managerNamespace := include "traffic-manager.namespace" $}} {{- $namespaces := fromJsonArray (include "traffic-manager.namespaces" $)}} {{- if $namespaces }} {{- $interceptEnabled := .Values.agentInjector.enabled}} {{- $argoRolloutsEnabled := .Values.workloads.argoRollouts.enabled}} {{- $allNamespaces := uniq (append $namespaces $managerNamespace)}} {{- range $allNamespaces }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: traffic-manager namespace: {{ . }} labels: {{- include "telepresence.labels" $ | nindent 4 }} rules: - apiGroups: - "" resources: - services verbs: - update {{/* Only needed for upgrade of older versions */}} - apiGroups: - "" resources: - services - pods verbs: - list - get - watch {{- if $interceptEnabled }} - apiGroups: - "" resources: - pods/eviction verbs: - create {{- end }} - apiGroups: - "" resources: - pods/log verbs: - get - apiGroups: - "" resources: - configmaps verbs: - list - get - watch resourceNames: {{- if eq . $managerNamespace }} - {{ include "traffic-manager.name" $ }} {{- end }} - apiGroups: - "apps" resources: - deployments - replicasets - statefulsets verbs: - get - list - watch {{- if $interceptEnabled }} - patch {{- end }} {{- if $argoRolloutsEnabled }} - apiGroups: - "argoproj.io" resources: - rollouts verbs: - get - list - watch {{- if $interceptEnabled }} - patch {{- end }} {{- end }} - apiGroups: - "events.k8s.io" resources: - events verbs: - get - watch {{- if eq . $managerNamespace }} {{- /* Must be able to get the manager namespace in order to get the install-id */}} - apiGroups: - "" resources: - namespaces resourceNames: - {{ . }} verbs: - get {{- if and (eq (int $.Capabilities.KubeVersion.Major) 1) (lt (int $.Capabilities.KubeVersion.Minor) 33) }} {{- /* Must be able to make an unsuccessful attempt to create a dummy service in order to receive the error message containing correct service CIDR */}} - apiGroups: - "" resources: - services verbs: - create {{- end }} {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: traffic-manager namespace: {{ . }} labels: {{- include "telepresence.labels" $ | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: traffic-manager subjects: - kind: ServiceAccount name: traffic-manager namespace: {{ $managerNamespace }} {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: traffic-manager-cluster-wide-{{ $managerNamespace }} labels: {{- include "telepresence.labels" $ | nindent 4 }} rules: - apiGroups: - "networking.k8s.io" resources: - servicecidrs verbs: - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: traffic-manager-cluster-wide-{{ $managerNamespace }} labels: {{- include "telepresence.labels" $ | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: traffic-manager-cluster-wide-{{ $managerNamespace }} subjects: - kind: ServiceAccount name: traffic-manager namespace: {{ $managerNamespace }} {{- else }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: namespace: {{ $managerNamespace }} name: traffic-manager labels: {{- include "telepresence.labels" $ | nindent 4 }} rules: - apiGroups: - "" resources: - services verbs: - create - apiGroups: - "" resources: - configmaps verbs: - get - list - watch resourceNames: - {{ include "traffic-manager.name" $ }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: traffic-manager namespace: {{ $managerNamespace }} labels: {{- include "telepresence.labels" $ | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: traffic-manager subjects: - kind: ServiceAccount name: traffic-manager namespace: {{ $managerNamespace }} {{- end }} {{- end }}