kubespray/roles/network_plugin/cilium/templates/cilium-cr.yml.j2

158 lines
2.9 KiB
Plaintext
Raw Normal View History

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium-operator
rules:
- apiGroups:
- ""
resources:
# to automatically delete [core|kube]dns pods so that are starting to being
# managed by Cilium
- pods
verbs:
- get
- list
- watch
- delete
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
# to automatically read from k8s and import the node's pod CIDR to cilium's
# etcd so all nodes know how to reach another pod running in in a different
# node.
- nodes
# to perform the translation of a CNP that contains `ToGroup` to its endpoints
- services
- endpoints
# to check apiserver connectivity
- namespaces
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- componentstatuses
{% endif %}
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints
- ciliumendpoints/status
{% if cilium_version | regex_replace('v') is version('1.6', '>=') %}
- ciliumnodes
- ciliumnodes/status
- ciliumidentities
- ciliumidentities/status
{% endif %}
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- ingresses
{% endif %}
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- nodes
- endpoints
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- componentstatuses
{% endif %}
verbs:
- get
- list
- watch
{% if cilium_version | regex_replace('v') is version('1.7', '<') %}
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- create
- get
- list
- watch
{% endif %}
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- nodes
- nodes/status
verbs:
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- update
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumnetworkpolicies/status
{% if cilium_version | regex_replace('v') is version('1.7', '>=') %}
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
{% endif %}
- ciliumendpoints
- ciliumendpoints/status
{% if cilium_version | regex_replace('v') is version('1.6', '>=') %}
- ciliumnodes
- ciliumnodes/status
- ciliumidentities
- ciliumidentities/status
{% endif %}
verbs:
- '*'