diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 62930d5dd..10df7bb1e 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -93,6 +93,12 @@ rules:
 - apiGroups: ["auditregistration.k8s.io"]
 resources: ["auditsinks"]
 verbs: ["get", "list", "watch", "update"]
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create", "get", "update"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
+ verbs: ["create", "get", "update"]
 ---
 # Source: cert-manager/templates/rbac.yaml
 # Issuer controller role
@@ -661,7 +667,7 @@ rules:
 ---
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
 name: cert-manager:leaderelection
 namespace: {{ cert_manager_leader_election_namespace }}
@@ -739,7 +745,7 @@ subjects:
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
 name: cert-manager:leaderelection
 namespace: {{ cert_manager_leader_election_namespace }}
@@ -751,7 +757,7 @@ metadata:
 app.kubernetes.io/version: "{{ cert_manager_version }}"
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: Role
+ kind: ClusterRole
 name: cert-manager:leaderelection
 subjects:
 - apiGroup: ""
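Review bot: The two rules added in the first hunk grant `create`, `get` and `update` on every ConfigMap and Lease the role can reach, with no `resourceNames` restriction. The role's `kind` and name sit above the hunk; if it is a ClusterRole, the bound service account could overwrite any ConfigMap in any namespace, which is far more than leader election needs. I would move these rules into a Role in `{{ cert_manager_leader_election_namespace }}` and limit `get`/`update` with `resourceNames: ["<leader-election-lock-name>"]` (a placeholder, the real lock name is not visible here). `create` cannot be restricted by name, so it needs its own rule.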
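Review bot: Changing `cert-manager:leaderelection` from `Role` to `ClusterRole` in the second hunk, together with the `ClusterRoleBinding` and `roleRef` changes in the third and fourth hunks, turns a grant scoped to the leader election namespace into a cluster-wide one. The role's rules are outside the hunk, but the comment in the third hunk says they cover the leader election configmap, so the subjects would presumably get those verbs on ConfigMaps in all namespaces. If a ClusterRole is really needed, the binding can stay namespaced: keep `kind: RoleBinding` and only point `roleRef` at `kind: ClusterRole`, which limits the grant to the binding's namespace.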
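Review bot: The comment above the binding in the third hunk still says the permission applies "in the leader election namespace", which no longer holds for a `ClusterRoleBinding`. The `namespace: {{ cert_manager_leader_election_namespace }}` line kept in `metadata` has no meaning on a cluster-scoped object, and the same applies to the ClusterRole in the second hunk; it misleads a reader into thinking the grant is still namespaced. Either drop the `namespace:` lines and reword the comment to `# grant cert-manager cluster-wide permission to manage the leader election resources`, or keep both objects namespaced.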
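Review bot: Nothing visible in this change removes the existing namespaced `Role` and `RoleBinding` named `cert-manager:leaderelection`, which the new cluster-scoped objects replace under the same name (fourth hunk and the two before it). Applying the new manifest creates the ClusterRole and ClusterRoleBinding as separate objects, so an upgraded cluster would presumably keep the old pair as stale RBAC unless another task deletes them. Worth confirming that the role's upgrade path removes the old objects, and adding a cleanup task if it does not.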