---
# Source: calico/templates/rbac.yaml
# ClusterRole for the kube-controllers component. A ClusterRole is
# cluster-scoped, so every rule below applies in all namespaces. It is
# bound to the calico-kube-controllers ServiceAccount by the
# ClusterRoleBinding of the same name.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Read-only (watch/list) access: pods are monitored for label changes,
  # the node controller watches Kubernetes nodes, and namespace and
  # serviceaccount labels feed policy evaluation. No write verbs are
  # granted by this rule.
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - namespaces
      - serviceaccounts
    verbs:
      - watch
      - list
  # Read-only tracking of Kubernetes NetworkPolicy changes.
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
---
# Grants the calico-kube-controllers ClusterRole to its ServiceAccount in
# kube-system. The single ServiceAccount below is the only subject; any
# subject added here receives the same cluster-wide access.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system
---
# ClusterRole for the calico-node DaemonSet, bound to the calico-node
# ServiceAccount. Cluster-scoped: each rule applies in every namespace.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # The CNI plugin reads pods, nodes and namespaces (get only).
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  # Service IP discovery for advertisement: read-only watch/list on
  # endpoints and services.
  - apiGroups:
      - ""
    resources:
      - endpoints
      - services
    verbs:
      - watch
      - list
  # Clearing the NodeNetworkUnavailable flag needs patch on the
  # nodes/status subresource only; the node object itself is limited to
  # get by the first rule.
  - apiGroups:
      - ""
    resources:
      - nodes/status
    verbs:
      - patch
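---
# Grants the calico-node ClusterRole to the calico-node ServiceAccount in
# kube-system. The single ServiceAccount below is the only subject; any
# subject added here receives the same cluster-wide access.
# Keys are ordered kind, apiVersion, metadata to match the other three
# documents in this file.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system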