c12s-kubespray/roles/network_plugin/canal/templates/canal-cr-calico.yml.j2
Matthew Mosesohn c1fd468687 Add RBAC support for canal
Refactored how rbac_enabled is set
Added RBAC to ubuntu-canal-ha CI job
2017-09-01 10:45:37 +01:00

80 lines
1.3 KiB
Django/Jinja

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico
namespace: {{ system_namespace }}
rules:
- apiGroups: [""]
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- pods/status
verbs:
- update
- apiGroups: [""]
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups: [""]
resources:
- nodes
verbs:
- get
- list
- update
- watch
- apiGroups: ["extensions"]
resources:
- thirdpartyresources
verbs:
- create
- get
- list
- watch
- apiGroups: ["extensions"]
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups: ["projectcalico.org"]
resources:
- globalbgppeers
verbs:
- get
- list
- apiGroups: ["projectcalico.org"]
resources:
- globalconfigs
- globalbgpconfigs
verbs:
- create
- get
- list
- update
- watch
- apiGroups: ["projectcalico.org"]
resources:
- ippools
verbs:
- create
- get
- list
- update
- watch
- apiGroups: ["alpha.projectcalico.org"]
resources:
- systemnetworkpolicies
verbs:
- get
- list