--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: ingress-nginx namespace: {{ ingress_nginx_namespace }} labels: app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx rules: - apiGroups: [""] resources: ["namespaces"] verbs: ["get"] - apiGroups: [""] resources: ["configmaps", "pods", "secrets", "endpoints"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["services"] verbs: ["get", "list", "watch"] - apiGroups: ["extensions", "networking.k8s.io"] resources: ["ingresses"] verbs: ["get", "list", "watch"] - apiGroups: ["extensions", "networking.k8s.io"] resources: ["ingresses/status"] verbs: ["update"] - apiGroups: ["networking.k8s.io"] resources: ["ingressclasses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["configmaps"] # Defaults to "<election-id>-<ingress-class>" # Here: "<ingress-controller-leader>-<nginx>" # This has to be adapted if you change either parameter # when launching the nginx-ingress-controller. resourceNames: ["ingress-controller-leader-{{ ingress_nginx_class | default('nginx') }}"] verbs: ["get", "update"] - apiGroups: [""] resources: ["configmaps"] verbs: ["create"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] - apiGroups: ["policy"] resourceNames: ["ingress-nginx"] resources: ["podsecuritypolicies"] verbs: ["use"]