--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cilium-operator rules: - apiGroups: - "" resources: # to automatically delete [core|kube]dns pods so that are starting to being # managed by Cilium - pods verbs: - get - list - watch - delete - apiGroups: - "" resources: - nodes verbs: - list - watch - apiGroups: - "" resources: # To remove node taints - nodes # To set NetworkUnavailable false on startup - nodes/status verbs: - patch - apiGroups: - discovery.k8s.io resources: - endpointslices verbs: - get - list - watch - apiGroups: - "" resources: - services verbs: - get - list - watch - apiGroups: - "" resources: # to perform LB IP allocation for BGP - services/status verbs: - update - patch - apiGroups: - "" resources: # to perform the translation of a CNP that contains `ToGroup` to its endpoints - services - endpoints # to check apiserver connectivity - namespaces verbs: - get - list - watch - apiGroups: - cilium.io resources: - ciliumnetworkpolicies - ciliumnetworkpolicies/status - ciliumnetworkpolicies/finalizers - ciliumclusterwidenetworkpolicies - ciliumclusterwidenetworkpolicies/status - ciliumclusterwidenetworkpolicies/finalizers - ciliumendpoints - ciliumendpoints/status - ciliumendpoints/finalizers - ciliumnodes - ciliumnodes/status - ciliumnodes/finalizers - ciliumidentities - ciliumidentities/status - ciliumidentities/finalizers - ciliumlocalredirectpolicies - ciliumlocalredirectpolicies/status - ciliumlocalredirectpolicies/finalizers {% if cilium_version | regex_replace('v') is version('1.11', '>=') %} - ciliumendpointslices {% endif %} {% if cilium_version | regex_replace('v') is version('1.12', '>=') %} - ciliumbgploadbalancerippools - ciliumloadbalancerippools - ciliumloadbalancerippools/status - ciliumbgppeeringpolicies - ciliumenvoyconfigs {% endif %} verbs: - '*' - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create - get - list - update - watch # For cilium-operator running in HA mode. # # Cilium operator running in HA mode requires the use of ResourceLock for Leader Election # between multiple running instances. # The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less # common and fewer objects in the cluster watch "all Leases". - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - update {% if cilium_version | regex_replace('v') is version('1.12', '>=') %} - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - update resourceNames: - ciliumbgploadbalancerippools.cilium.io - ciliumbgppeeringpolicies.cilium.io - ciliumclusterwideenvoyconfigs.cilium.io - ciliumclusterwidenetworkpolicies.cilium.io - ciliumegressgatewaypolicies.cilium.io - ciliumegressnatpolicies.cilium.io - ciliumendpoints.cilium.io - ciliumendpointslices.cilium.io - ciliumenvoyconfigs.cilium.io - ciliumexternalworkloads.cilium.io - ciliumidentities.cilium.io - ciliumlocalredirectpolicies.cilium.io - ciliumnetworkpolicies.cilium.io - ciliumnodes.cilium.io {% endif %} {% for rules in cilium_clusterrole_rules_operator_extra_vars %} - apiGroups: {% for api in rules['apiGroups'] %} - {{ api }} {% endfor %} resources: {% for resource in rules['resources'] %} - {{ resource }} {% endfor %} verbs: {% for verb in rules['verbs'] %} - {{ verb }} {% endfor %} {% if 'resourceNames' in rules %} resourceNames: {% for resourceName in rules['resourceNames'] %} - {{ resourceName }} {% endfor %} {% endif %} {% endfor %}