1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: v1
16kind: Namespace
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 labels:
21 cnrm.cloud.google.com/system: "true"
22 name: cnrm-system
23---
24apiVersion: v1
25kind: ServiceAccount
26metadata:
27 annotations:
28 cnrm.cloud.google.com/version: 1.106.0
29 labels:
30 cnrm.cloud.google.com/system: "true"
31 name: cnrm-deletiondefender
32 namespace: cnrm-system
33---
34apiVersion: v1
35kind: ServiceAccount
36metadata:
37 annotations:
38 cnrm.cloud.google.com/version: 1.106.0
39 labels:
40 cnrm.cloud.google.com/system: "true"
41 name: cnrm-resource-stats-recorder
42 namespace: cnrm-system
43---
44apiVersion: v1
45kind: ServiceAccount
46metadata:
47 annotations:
48 cnrm.cloud.google.com/version: 1.106.0
49 labels:
50 cnrm.cloud.google.com/system: "true"
51 name: cnrm-unmanaged-detector
52 namespace: cnrm-system
53---
54apiVersion: v1
55kind: ServiceAccount
56metadata:
57 annotations:
58 cnrm.cloud.google.com/version: 1.106.0
59 labels:
60 cnrm.cloud.google.com/system: "true"
61 name: cnrm-webhook-manager
62 namespace: cnrm-system
63---
64apiVersion: rbac.authorization.k8s.io/v1
65kind: Role
66metadata:
67 annotations:
68 cnrm.cloud.google.com/version: 1.106.0
69 labels:
70 cnrm.cloud.google.com/system: "true"
71 name: cnrm-deletiondefender-cnrm-system-role
72 namespace: cnrm-system
73rules:
74- apiGroups:
75 - ""
76 resources:
77 - secrets
78 verbs:
79 - get
80 - create
81 - update
82 - patch
83 - delete
84---
85apiVersion: rbac.authorization.k8s.io/v1
86kind: Role
87metadata:
88 annotations:
89 cnrm.cloud.google.com/version: 1.106.0
90 labels:
91 cnrm.cloud.google.com/system: "true"
92 name: cnrm-webhook-cnrm-system-role
93 namespace: cnrm-system
94rules:
95- apiGroups:
96 - ""
97 resources:
98 - secrets
99 verbs:
100 - get
101 - create
102 - update
103 - patch
104 - delete
105---
106apiVersion: rbac.authorization.k8s.io/v1
107kind: ClusterRole
108metadata:
109 annotations:
110 cnrm.cloud.google.com/version: 1.106.0
111 creationTimestamp: null
112 labels:
113 cnrm.cloud.google.com/system: "true"
114 rbac.authorization.k8s.io/aggregate-to-admin: "true"
115 rbac.authorization.k8s.io/aggregate-to-edit: "true"
116 name: cnrm-admin
117rules:
118- apiGroups:
119 - accesscontextmanager.cnrm.cloud.google.com
120 resources:
121 - '*'
122 verbs:
123 - get
124 - list
125 - watch
126 - create
127 - update
128 - patch
129 - delete
130- apiGroups:
131 - alloydb.cnrm.cloud.google.com
132 resources:
133 - '*'
134 verbs:
135 - get
136 - list
137 - watch
138 - create
139 - update
140 - patch
141 - delete
142- apiGroups:
143 - apigateway.cnrm.cloud.google.com
144 resources:
145 - '*'
146 verbs:
147 - get
148 - list
149 - watch
150 - create
151 - update
152 - patch
153 - delete
154- apiGroups:
155 - apigee.cnrm.cloud.google.com
156 resources:
157 - '*'
158 verbs:
159 - get
160 - list
161 - watch
162 - create
163 - update
164 - patch
165 - delete
166- apiGroups:
167 - appengine.cnrm.cloud.google.com
168 resources:
169 - '*'
170 verbs:
171 - get
172 - list
173 - watch
174 - create
175 - update
176 - patch
177 - delete
178- apiGroups:
179 - artifactregistry.cnrm.cloud.google.com
180 resources:
181 - '*'
182 verbs:
183 - get
184 - list
185 - watch
186 - create
187 - update
188 - patch
189 - delete
190- apiGroups:
191 - beyondcorp.cnrm.cloud.google.com
192 resources:
193 - '*'
194 verbs:
195 - get
196 - list
197 - watch
198 - create
199 - update
200 - patch
201 - delete
202- apiGroups:
203 - bigquery.cnrm.cloud.google.com
204 resources:
205 - '*'
206 verbs:
207 - get
208 - list
209 - watch
210 - create
211 - update
212 - patch
213 - delete
214- apiGroups:
215 - bigqueryanalyticshub.cnrm.cloud.google.com
216 resources:
217 - '*'
218 verbs:
219 - get
220 - list
221 - watch
222 - create
223 - update
224 - patch
225 - delete
226- apiGroups:
227 - bigqueryconnection.cnrm.cloud.google.com
228 resources:
229 - '*'
230 verbs:
231 - get
232 - list
233 - watch
234 - create
235 - update
236 - patch
237 - delete
238- apiGroups:
239 - bigquerydatapolicy.cnrm.cloud.google.com
240 resources:
241 - '*'
242 verbs:
243 - get
244 - list
245 - watch
246 - create
247 - update
248 - patch
249 - delete
250- apiGroups:
251 - bigquerydatatransfer.cnrm.cloud.google.com
252 resources:
253 - '*'
254 verbs:
255 - get
256 - list
257 - watch
258 - create
259 - update
260 - patch
261 - delete
262- apiGroups:
263 - bigqueryreservation.cnrm.cloud.google.com
264 resources:
265 - '*'
266 verbs:
267 - get
268 - list
269 - watch
270 - create
271 - update
272 - patch
273 - delete
274- apiGroups:
275 - bigtable.cnrm.cloud.google.com
276 resources:
277 - '*'
278 verbs:
279 - get
280 - list
281 - watch
282 - create
283 - update
284 - patch
285 - delete
286- apiGroups:
287 - billingbudgets.cnrm.cloud.google.com
288 resources:
289 - '*'
290 verbs:
291 - get
292 - list
293 - watch
294 - create
295 - update
296 - patch
297 - delete
298- apiGroups:
299 - binaryauthorization.cnrm.cloud.google.com
300 resources:
301 - '*'
302 verbs:
303 - get
304 - list
305 - watch
306 - create
307 - update
308 - patch
309 - delete
310- apiGroups:
311 - certificatemanager.cnrm.cloud.google.com
312 resources:
313 - '*'
314 verbs:
315 - get
316 - list
317 - watch
318 - create
319 - update
320 - patch
321 - delete
322- apiGroups:
323 - cloudasset.cnrm.cloud.google.com
324 resources:
325 - '*'
326 verbs:
327 - get
328 - list
329 - watch
330 - create
331 - update
332 - patch
333 - delete
334- apiGroups:
335 - cloudbuild.cnrm.cloud.google.com
336 resources:
337 - '*'
338 verbs:
339 - get
340 - list
341 - watch
342 - create
343 - update
344 - patch
345 - delete
346- apiGroups:
347 - cloudfunctions.cnrm.cloud.google.com
348 resources:
349 - '*'
350 verbs:
351 - get
352 - list
353 - watch
354 - create
355 - update
356 - patch
357 - delete
358- apiGroups:
359 - cloudfunctions2.cnrm.cloud.google.com
360 resources:
361 - '*'
362 verbs:
363 - get
364 - list
365 - watch
366 - create
367 - update
368 - patch
369 - delete
370- apiGroups:
371 - cloudidentity.cnrm.cloud.google.com
372 resources:
373 - '*'
374 verbs:
375 - get
376 - list
377 - watch
378 - create
379 - update
380 - patch
381 - delete
382- apiGroups:
383 - cloudids.cnrm.cloud.google.com
384 resources:
385 - '*'
386 verbs:
387 - get
388 - list
389 - watch
390 - create
391 - update
392 - patch
393 - delete
394- apiGroups:
395 - cloudiot.cnrm.cloud.google.com
396 resources:
397 - '*'
398 verbs:
399 - get
400 - list
401 - watch
402 - create
403 - update
404 - patch
405 - delete
406- apiGroups:
407 - cloudscheduler.cnrm.cloud.google.com
408 resources:
409 - '*'
410 verbs:
411 - get
412 - list
413 - watch
414 - create
415 - update
416 - patch
417 - delete
418- apiGroups:
419 - cloudtasks.cnrm.cloud.google.com
420 resources:
421 - '*'
422 verbs:
423 - get
424 - list
425 - watch
426 - create
427 - update
428 - patch
429 - delete
430- apiGroups:
431 - compute.cnrm.cloud.google.com
432 resources:
433 - '*'
434 verbs:
435 - get
436 - list
437 - watch
438 - create
439 - update
440 - patch
441 - delete
442- apiGroups:
443 - configcontroller.cnrm.cloud.google.com
444 resources:
445 - '*'
446 verbs:
447 - get
448 - list
449 - watch
450 - create
451 - update
452 - patch
453 - delete
454- apiGroups:
455 - container.cnrm.cloud.google.com
456 resources:
457 - '*'
458 verbs:
459 - get
460 - list
461 - watch
462 - create
463 - update
464 - patch
465 - delete
466- apiGroups:
467 - containeranalysis.cnrm.cloud.google.com
468 resources:
469 - '*'
470 verbs:
471 - get
472 - list
473 - watch
474 - create
475 - update
476 - patch
477 - delete
478- apiGroups:
479 - datacatalog.cnrm.cloud.google.com
480 resources:
481 - '*'
482 verbs:
483 - get
484 - list
485 - watch
486 - create
487 - update
488 - patch
489 - delete
490- apiGroups:
491 - dataflow.cnrm.cloud.google.com
492 resources:
493 - '*'
494 verbs:
495 - get
496 - list
497 - watch
498 - create
499 - update
500 - patch
501 - delete
502- apiGroups:
503 - dataform.cnrm.cloud.google.com
504 resources:
505 - '*'
506 verbs:
507 - get
508 - list
509 - watch
510 - create
511 - update
512 - patch
513 - delete
514- apiGroups:
515 - datafusion.cnrm.cloud.google.com
516 resources:
517 - '*'
518 verbs:
519 - get
520 - list
521 - watch
522 - create
523 - update
524 - patch
525 - delete
526- apiGroups:
527 - dataproc.cnrm.cloud.google.com
528 resources:
529 - '*'
530 verbs:
531 - get
532 - list
533 - watch
534 - create
535 - update
536 - patch
537 - delete
538- apiGroups:
539 - datastore.cnrm.cloud.google.com
540 resources:
541 - '*'
542 verbs:
543 - get
544 - list
545 - watch
546 - create
547 - update
548 - patch
549 - delete
550- apiGroups:
551 - datastream.cnrm.cloud.google.com
552 resources:
553 - '*'
554 verbs:
555 - get
556 - list
557 - watch
558 - create
559 - update
560 - patch
561 - delete
562- apiGroups:
563 - deploymentmanager.cnrm.cloud.google.com
564 resources:
565 - '*'
566 verbs:
567 - get
568 - list
569 - watch
570 - create
571 - update
572 - patch
573 - delete
574- apiGroups:
575 - dialogflow.cnrm.cloud.google.com
576 resources:
577 - '*'
578 verbs:
579 - get
580 - list
581 - watch
582 - create
583 - update
584 - patch
585 - delete
586- apiGroups:
587 - dialogflowcx.cnrm.cloud.google.com
588 resources:
589 - '*'
590 verbs:
591 - get
592 - list
593 - watch
594 - create
595 - update
596 - patch
597 - delete
598- apiGroups:
599 - dlp.cnrm.cloud.google.com
600 resources:
601 - '*'
602 verbs:
603 - get
604 - list
605 - watch
606 - create
607 - update
608 - patch
609 - delete
610- apiGroups:
611 - dns.cnrm.cloud.google.com
612 resources:
613 - '*'
614 verbs:
615 - get
616 - list
617 - watch
618 - create
619 - update
620 - patch
621 - delete
622- apiGroups:
623 - documentai.cnrm.cloud.google.com
624 resources:
625 - '*'
626 verbs:
627 - get
628 - list
629 - watch
630 - create
631 - update
632 - patch
633 - delete
634- apiGroups:
635 - essentialcontacts.cnrm.cloud.google.com
636 resources:
637 - '*'
638 verbs:
639 - get
640 - list
641 - watch
642 - create
643 - update
644 - patch
645 - delete
646- apiGroups:
647 - eventarc.cnrm.cloud.google.com
648 resources:
649 - '*'
650 verbs:
651 - get
652 - list
653 - watch
654 - create
655 - update
656 - patch
657 - delete
658- apiGroups:
659 - filestore.cnrm.cloud.google.com
660 resources:
661 - '*'
662 verbs:
663 - get
664 - list
665 - watch
666 - create
667 - update
668 - patch
669 - delete
670- apiGroups:
671 - firebase.cnrm.cloud.google.com
672 resources:
673 - '*'
674 verbs:
675 - get
676 - list
677 - watch
678 - create
679 - update
680 - patch
681 - delete
682- apiGroups:
683 - firebasedatabase.cnrm.cloud.google.com
684 resources:
685 - '*'
686 verbs:
687 - get
688 - list
689 - watch
690 - create
691 - update
692 - patch
693 - delete
694- apiGroups:
695 - firebasehosting.cnrm.cloud.google.com
696 resources:
697 - '*'
698 verbs:
699 - get
700 - list
701 - watch
702 - create
703 - update
704 - patch
705 - delete
706- apiGroups:
707 - firebasestorage.cnrm.cloud.google.com
708 resources:
709 - '*'
710 verbs:
711 - get
712 - list
713 - watch
714 - create
715 - update
716 - patch
717 - delete
718- apiGroups:
719 - firestore.cnrm.cloud.google.com
720 resources:
721 - '*'
722 verbs:
723 - get
724 - list
725 - watch
726 - create
727 - update
728 - patch
729 - delete
730- apiGroups:
731 - gkebackup.cnrm.cloud.google.com
732 resources:
733 - '*'
734 verbs:
735 - get
736 - list
737 - watch
738 - create
739 - update
740 - patch
741 - delete
742- apiGroups:
743 - gkehub.cnrm.cloud.google.com
744 resources:
745 - '*'
746 verbs:
747 - get
748 - list
749 - watch
750 - create
751 - update
752 - patch
753 - delete
754- apiGroups:
755 - healthcare.cnrm.cloud.google.com
756 resources:
757 - '*'
758 verbs:
759 - get
760 - list
761 - watch
762 - create
763 - update
764 - patch
765 - delete
766- apiGroups:
767 - iam.cnrm.cloud.google.com
768 resources:
769 - '*'
770 verbs:
771 - get
772 - list
773 - watch
774 - create
775 - update
776 - patch
777 - delete
778- apiGroups:
779 - iap.cnrm.cloud.google.com
780 resources:
781 - '*'
782 verbs:
783 - get
784 - list
785 - watch
786 - create
787 - update
788 - patch
789 - delete
790- apiGroups:
791 - identityplatform.cnrm.cloud.google.com
792 resources:
793 - '*'
794 verbs:
795 - get
796 - list
797 - watch
798 - create
799 - update
800 - patch
801 - delete
802- apiGroups:
803 - kms.cnrm.cloud.google.com
804 resources:
805 - '*'
806 verbs:
807 - get
808 - list
809 - watch
810 - create
811 - update
812 - patch
813 - delete
814- apiGroups:
815 - logging.cnrm.cloud.google.com
816 resources:
817 - '*'
818 verbs:
819 - get
820 - list
821 - watch
822 - create
823 - update
824 - patch
825 - delete
826- apiGroups:
827 - memcache.cnrm.cloud.google.com
828 resources:
829 - '*'
830 verbs:
831 - get
832 - list
833 - watch
834 - create
835 - update
836 - patch
837 - delete
838- apiGroups:
839 - mlengine.cnrm.cloud.google.com
840 resources:
841 - '*'
842 verbs:
843 - get
844 - list
845 - watch
846 - create
847 - update
848 - patch
849 - delete
850- apiGroups:
851 - monitoring.cnrm.cloud.google.com
852 resources:
853 - '*'
854 verbs:
855 - get
856 - list
857 - watch
858 - create
859 - update
860 - patch
861 - delete
862- apiGroups:
863 - networkconnectivity.cnrm.cloud.google.com
864 resources:
865 - '*'
866 verbs:
867 - get
868 - list
869 - watch
870 - create
871 - update
872 - patch
873 - delete
874- apiGroups:
875 - networkmanagement.cnrm.cloud.google.com
876 resources:
877 - '*'
878 verbs:
879 - get
880 - list
881 - watch
882 - create
883 - update
884 - patch
885 - delete
886- apiGroups:
887 - networksecurity.cnrm.cloud.google.com
888 resources:
889 - '*'
890 verbs:
891 - get
892 - list
893 - watch
894 - create
895 - update
896 - patch
897 - delete
898- apiGroups:
899 - networkservices.cnrm.cloud.google.com
900 resources:
901 - '*'
902 verbs:
903 - get
904 - list
905 - watch
906 - create
907 - update
908 - patch
909 - delete
910- apiGroups:
911 - notebooks.cnrm.cloud.google.com
912 resources:
913 - '*'
914 verbs:
915 - get
916 - list
917 - watch
918 - create
919 - update
920 - patch
921 - delete
922- apiGroups:
923 - orgpolicy.cnrm.cloud.google.com
924 resources:
925 - '*'
926 verbs:
927 - get
928 - list
929 - watch
930 - create
931 - update
932 - patch
933 - delete
934- apiGroups:
935 - osconfig.cnrm.cloud.google.com
936 resources:
937 - '*'
938 verbs:
939 - get
940 - list
941 - watch
942 - create
943 - update
944 - patch
945 - delete
946- apiGroups:
947 - oslogin.cnrm.cloud.google.com
948 resources:
949 - '*'
950 verbs:
951 - get
952 - list
953 - watch
954 - create
955 - update
956 - patch
957 - delete
958- apiGroups:
959 - privateca.cnrm.cloud.google.com
960 resources:
961 - '*'
962 verbs:
963 - get
964 - list
965 - watch
966 - create
967 - update
968 - patch
969 - delete
970- apiGroups:
971 - pubsub.cnrm.cloud.google.com
972 resources:
973 - '*'
974 verbs:
975 - get
976 - list
977 - watch
978 - create
979 - update
980 - patch
981 - delete
982- apiGroups:
983 - pubsublite.cnrm.cloud.google.com
984 resources:
985 - '*'
986 verbs:
987 - get
988 - list
989 - watch
990 - create
991 - update
992 - patch
993 - delete
994- apiGroups:
995 - recaptchaenterprise.cnrm.cloud.google.com
996 resources:
997 - '*'
998 verbs:
999 - get
1000 - list
1001 - watch
1002 - create
1003 - update
1004 - patch
1005 - delete
1006- apiGroups:
1007 - redis.cnrm.cloud.google.com
1008 resources:
1009 - '*'
1010 verbs:
1011 - get
1012 - list
1013 - watch
1014 - create
1015 - update
1016 - patch
1017 - delete
1018- apiGroups:
1019 - resourcemanager.cnrm.cloud.google.com
1020 resources:
1021 - '*'
1022 verbs:
1023 - get
1024 - list
1025 - watch
1026 - create
1027 - update
1028 - patch
1029 - delete
1030- apiGroups:
1031 - run.cnrm.cloud.google.com
1032 resources:
1033 - '*'
1034 verbs:
1035 - get
1036 - list
1037 - watch
1038 - create
1039 - update
1040 - patch
1041 - delete
1042- apiGroups:
1043 - secretmanager.cnrm.cloud.google.com
1044 resources:
1045 - '*'
1046 verbs:
1047 - get
1048 - list
1049 - watch
1050 - create
1051 - update
1052 - patch
1053 - delete
1054- apiGroups:
1055 - securitycenter.cnrm.cloud.google.com
1056 resources:
1057 - '*'
1058 verbs:
1059 - get
1060 - list
1061 - watch
1062 - create
1063 - update
1064 - patch
1065 - delete
1066- apiGroups:
1067 - servicedirectory.cnrm.cloud.google.com
1068 resources:
1069 - '*'
1070 verbs:
1071 - get
1072 - list
1073 - watch
1074 - create
1075 - update
1076 - patch
1077 - delete
1078- apiGroups:
1079 - servicenetworking.cnrm.cloud.google.com
1080 resources:
1081 - '*'
1082 verbs:
1083 - get
1084 - list
1085 - watch
1086 - create
1087 - update
1088 - patch
1089 - delete
1090- apiGroups:
1091 - serviceusage.cnrm.cloud.google.com
1092 resources:
1093 - '*'
1094 verbs:
1095 - get
1096 - list
1097 - watch
1098 - create
1099 - update
1100 - patch
1101 - delete
1102- apiGroups:
1103 - sourcerepo.cnrm.cloud.google.com
1104 resources:
1105 - '*'
1106 verbs:
1107 - get
1108 - list
1109 - watch
1110 - create
1111 - update
1112 - patch
1113 - delete
1114- apiGroups:
1115 - spanner.cnrm.cloud.google.com
1116 resources:
1117 - '*'
1118 verbs:
1119 - get
1120 - list
1121 - watch
1122 - create
1123 - update
1124 - patch
1125 - delete
1126- apiGroups:
1127 - sql.cnrm.cloud.google.com
1128 resources:
1129 - '*'
1130 verbs:
1131 - get
1132 - list
1133 - watch
1134 - create
1135 - update
1136 - patch
1137 - delete
1138- apiGroups:
1139 - storage.cnrm.cloud.google.com
1140 resources:
1141 - '*'
1142 verbs:
1143 - get
1144 - list
1145 - watch
1146 - create
1147 - update
1148 - patch
1149 - delete
1150- apiGroups:
1151 - storagetransfer.cnrm.cloud.google.com
1152 resources:
1153 - '*'
1154 verbs:
1155 - get
1156 - list
1157 - watch
1158 - create
1159 - update
1160 - patch
1161 - delete
1162- apiGroups:
1163 - tags.cnrm.cloud.google.com
1164 resources:
1165 - '*'
1166 verbs:
1167 - get
1168 - list
1169 - watch
1170 - create
1171 - update
1172 - patch
1173 - delete
1174- apiGroups:
1175 - tpu.cnrm.cloud.google.com
1176 resources:
1177 - '*'
1178 verbs:
1179 - get
1180 - list
1181 - watch
1182 - create
1183 - update
1184 - patch
1185 - delete
1186- apiGroups:
1187 - vertexai.cnrm.cloud.google.com
1188 resources:
1189 - '*'
1190 verbs:
1191 - get
1192 - list
1193 - watch
1194 - create
1195 - update
1196 - patch
1197 - delete
1198- apiGroups:
1199 - vpcaccess.cnrm.cloud.google.com
1200 resources:
1201 - '*'
1202 verbs:
1203 - get
1204 - list
1205 - watch
1206 - create
1207 - update
1208 - patch
1209 - delete
1210- apiGroups:
1211 - workflows.cnrm.cloud.google.com
1212 resources:
1213 - '*'
1214 verbs:
1215 - get
1216 - list
1217 - watch
1218 - create
1219 - update
1220 - patch
1221 - delete
1222- apiGroups:
1223 - workstations.cnrm.cloud.google.com
1224 resources:
1225 - '*'
1226 verbs:
1227 - get
1228 - list
1229 - watch
1230 - create
1231 - update
1232 - patch
1233 - delete
1234---
1235apiVersion: rbac.authorization.k8s.io/v1
1236kind: ClusterRole
1237metadata:
1238 annotations:
1239 cnrm.cloud.google.com/version: 1.106.0
1240 labels:
1241 cnrm.cloud.google.com/system: "true"
1242 name: cnrm-deletiondefender-role
1243rules:
1244- apiGroups:
1245 - apiextensions.k8s.io
1246 resources:
1247 - customresourcedefinitions
1248 verbs:
1249 - get
1250 - list
1251 - watch
1252- apiGroups:
1253 - ""
1254 resources:
1255 - namespaces
1256 verbs:
1257 - get
1258 - list
1259 - watch
1260- apiGroups:
1261 - admissionregistration.k8s.io
1262 resources:
1263 - validatingwebhookconfigurations
1264 verbs:
1265 - get
1266 - list
1267 - watch
1268 - create
1269 - update
1270 - patch
1271 - delete
1272- apiGroups:
1273 - ""
1274 resources:
1275 - services
1276 verbs:
1277 - get
1278 - list
1279 - watch
1280 - create
1281 - update
1282 - patch
1283 - delete
1284---
1285apiVersion: rbac.authorization.k8s.io/v1
1286kind: ClusterRole
1287metadata:
1288 annotations:
1289 cnrm.cloud.google.com/version: 1.106.0
1290 labels:
1291 cnrm.cloud.google.com/system: "true"
1292 name: cnrm-manager-cluster-role
1293rules:
1294- apiGroups:
1295 - apiextensions.k8s.io
1296 resources:
1297 - customresourcedefinitions
1298 verbs:
1299 - get
1300 - list
1301 - watch
1302- apiGroups:
1303 - ""
1304 resources:
1305 - namespaces
1306 verbs:
1307 - get
1308 - list
1309 - watch
1310- apiGroups:
1311 - admissionregistration.k8s.io
1312 resources:
1313 - validatingwebhookconfigurations
1314 verbs:
1315 - get
1316 - list
1317 - watch
1318 - create
1319 - update
1320 - patch
1321 - delete
1322- apiGroups:
1323 - core.cnrm.cloud.google.com
1324 resources:
1325 - servicemappings
1326 verbs:
1327 - get
1328 - list
1329 - watch
1330- apiGroups:
1331 - core.cnrm.cloud.google.com
1332 resources:
1333 - '*'
1334 verbs:
1335 - get
1336 - list
1337 - watch
1338 - create
1339 - update
1340 - patch
1341 - delete
1342---
1343apiVersion: rbac.authorization.k8s.io/v1
1344kind: ClusterRole
1345metadata:
1346 annotations:
1347 cnrm.cloud.google.com/version: 1.106.0
1348 labels:
1349 cnrm.cloud.google.com/system: "true"
1350 name: cnrm-manager-ns-role
1351rules:
1352- apiGroups:
1353 - ""
1354 resources:
1355 - events
1356 - configmaps
1357 - secrets
1358 - services
1359 verbs:
1360 - get
1361 - list
1362 - watch
1363 - create
1364 - update
1365 - patch
1366 - delete
1367---
1368apiVersion: rbac.authorization.k8s.io/v1
1369kind: ClusterRole
1370metadata:
1371 annotations:
1372 cnrm.cloud.google.com/version: 1.106.0
1373 labels:
1374 cnrm.cloud.google.com/system: "true"
1375 name: cnrm-recorder-role
1376rules:
1377- apiGroups:
1378 - ""
1379 resources:
1380 - namespaces
1381 verbs:
1382 - get
1383 - list
1384 - watch
1385- apiGroups:
1386 - apiextensions.k8s.io
1387 resources:
1388 - customresourcedefinitions
1389 verbs:
1390 - get
1391 - list
1392 - watch
1393 - create
1394 - update
1395 - patch
1396 - delete
1397---
1398apiVersion: rbac.authorization.k8s.io/v1
1399kind: ClusterRole
1400metadata:
1401 annotations:
1402 cnrm.cloud.google.com/version: 1.106.0
1403 labels:
1404 cnrm.cloud.google.com/system: "true"
1405 name: cnrm-unmanaged-detector-cluster-role
1406rules:
1407- apiGroups:
1408 - apiextensions.k8s.io
1409 resources:
1410 - customresourcedefinitions
1411 verbs:
1412 - get
1413 - list
1414 - watch
1415- apiGroups:
1416 - apps
1417 resources:
1418 - statefulsets
1419 verbs:
1420 - list
1421- apiGroups:
1422 - ""
1423 resources:
1424 - events
1425 verbs:
1426 - create
1427 - patch
1428---
1429apiVersion: rbac.authorization.k8s.io/v1
1430kind: ClusterRole
1431metadata:
1432 annotations:
1433 cnrm.cloud.google.com/version: 1.106.0
1434 creationTimestamp: null
1435 labels:
1436 cnrm.cloud.google.com/system: "true"
1437 rbac.authorization.k8s.io/aggregate-to-view: "true"
1438 name: cnrm-viewer
1439rules:
1440- apiGroups:
1441 - accesscontextmanager.cnrm.cloud.google.com
1442 resources:
1443 - '*'
1444 verbs:
1445 - get
1446 - list
1447 - watch
1448- apiGroups:
1449 - alloydb.cnrm.cloud.google.com
1450 resources:
1451 - '*'
1452 verbs:
1453 - get
1454 - list
1455 - watch
1456- apiGroups:
1457 - apigateway.cnrm.cloud.google.com
1458 resources:
1459 - '*'
1460 verbs:
1461 - get
1462 - list
1463 - watch
1464- apiGroups:
1465 - apigee.cnrm.cloud.google.com
1466 resources:
1467 - '*'
1468 verbs:
1469 - get
1470 - list
1471 - watch
1472- apiGroups:
1473 - appengine.cnrm.cloud.google.com
1474 resources:
1475 - '*'
1476 verbs:
1477 - get
1478 - list
1479 - watch
1480- apiGroups:
1481 - artifactregistry.cnrm.cloud.google.com
1482 resources:
1483 - '*'
1484 verbs:
1485 - get
1486 - list
1487 - watch
1488- apiGroups:
1489 - beyondcorp.cnrm.cloud.google.com
1490 resources:
1491 - '*'
1492 verbs:
1493 - get
1494 - list
1495 - watch
1496- apiGroups:
1497 - bigquery.cnrm.cloud.google.com
1498 resources:
1499 - '*'
1500 verbs:
1501 - get
1502 - list
1503 - watch
1504- apiGroups:
1505 - bigqueryanalyticshub.cnrm.cloud.google.com
1506 resources:
1507 - '*'
1508 verbs:
1509 - get
1510 - list
1511 - watch
1512- apiGroups:
1513 - bigqueryconnection.cnrm.cloud.google.com
1514 resources:
1515 - '*'
1516 verbs:
1517 - get
1518 - list
1519 - watch
1520- apiGroups:
1521 - bigquerydatapolicy.cnrm.cloud.google.com
1522 resources:
1523 - '*'
1524 verbs:
1525 - get
1526 - list
1527 - watch
1528- apiGroups:
1529 - bigquerydatatransfer.cnrm.cloud.google.com
1530 resources:
1531 - '*'
1532 verbs:
1533 - get
1534 - list
1535 - watch
1536- apiGroups:
1537 - bigqueryreservation.cnrm.cloud.google.com
1538 resources:
1539 - '*'
1540 verbs:
1541 - get
1542 - list
1543 - watch
1544- apiGroups:
1545 - bigtable.cnrm.cloud.google.com
1546 resources:
1547 - '*'
1548 verbs:
1549 - get
1550 - list
1551 - watch
1552- apiGroups:
1553 - billingbudgets.cnrm.cloud.google.com
1554 resources:
1555 - '*'
1556 verbs:
1557 - get
1558 - list
1559 - watch
1560- apiGroups:
1561 - binaryauthorization.cnrm.cloud.google.com
1562 resources:
1563 - '*'
1564 verbs:
1565 - get
1566 - list
1567 - watch
1568- apiGroups:
1569 - certificatemanager.cnrm.cloud.google.com
1570 resources:
1571 - '*'
1572 verbs:
1573 - get
1574 - list
1575 - watch
1576- apiGroups:
1577 - cloudasset.cnrm.cloud.google.com
1578 resources:
1579 - '*'
1580 verbs:
1581 - get
1582 - list
1583 - watch
1584- apiGroups:
1585 - cloudbuild.cnrm.cloud.google.com
1586 resources:
1587 - '*'
1588 verbs:
1589 - get
1590 - list
1591 - watch
1592- apiGroups:
1593 - cloudfunctions.cnrm.cloud.google.com
1594 resources:
1595 - '*'
1596 verbs:
1597 - get
1598 - list
1599 - watch
1600- apiGroups:
1601 - cloudfunctions2.cnrm.cloud.google.com
1602 resources:
1603 - '*'
1604 verbs:
1605 - get
1606 - list
1607 - watch
1608- apiGroups:
1609 - cloudidentity.cnrm.cloud.google.com
1610 resources:
1611 - '*'
1612 verbs:
1613 - get
1614 - list
1615 - watch
1616- apiGroups:
1617 - cloudids.cnrm.cloud.google.com
1618 resources:
1619 - '*'
1620 verbs:
1621 - get
1622 - list
1623 - watch
1624- apiGroups:
1625 - cloudiot.cnrm.cloud.google.com
1626 resources:
1627 - '*'
1628 verbs:
1629 - get
1630 - list
1631 - watch
1632- apiGroups:
1633 - cloudscheduler.cnrm.cloud.google.com
1634 resources:
1635 - '*'
1636 verbs:
1637 - get
1638 - list
1639 - watch
1640- apiGroups:
1641 - cloudtasks.cnrm.cloud.google.com
1642 resources:
1643 - '*'
1644 verbs:
1645 - get
1646 - list
1647 - watch
1648- apiGroups:
1649 - compute.cnrm.cloud.google.com
1650 resources:
1651 - '*'
1652 verbs:
1653 - get
1654 - list
1655 - watch
1656- apiGroups:
1657 - configcontroller.cnrm.cloud.google.com
1658 resources:
1659 - '*'
1660 verbs:
1661 - get
1662 - list
1663 - watch
1664- apiGroups:
1665 - container.cnrm.cloud.google.com
1666 resources:
1667 - '*'
1668 verbs:
1669 - get
1670 - list
1671 - watch
1672- apiGroups:
1673 - containeranalysis.cnrm.cloud.google.com
1674 resources:
1675 - '*'
1676 verbs:
1677 - get
1678 - list
1679 - watch
1680- apiGroups:
1681 - datacatalog.cnrm.cloud.google.com
1682 resources:
1683 - '*'
1684 verbs:
1685 - get
1686 - list
1687 - watch
1688- apiGroups:
1689 - dataflow.cnrm.cloud.google.com
1690 resources:
1691 - '*'
1692 verbs:
1693 - get
1694 - list
1695 - watch
1696- apiGroups:
1697 - dataform.cnrm.cloud.google.com
1698 resources:
1699 - '*'
1700 verbs:
1701 - get
1702 - list
1703 - watch
1704- apiGroups:
1705 - datafusion.cnrm.cloud.google.com
1706 resources:
1707 - '*'
1708 verbs:
1709 - get
1710 - list
1711 - watch
1712- apiGroups:
1713 - dataproc.cnrm.cloud.google.com
1714 resources:
1715 - '*'
1716 verbs:
1717 - get
1718 - list
1719 - watch
1720- apiGroups:
1721 - datastore.cnrm.cloud.google.com
1722 resources:
1723 - '*'
1724 verbs:
1725 - get
1726 - list
1727 - watch
1728- apiGroups:
1729 - datastream.cnrm.cloud.google.com
1730 resources:
1731 - '*'
1732 verbs:
1733 - get
1734 - list
1735 - watch
1736- apiGroups:
1737 - deploymentmanager.cnrm.cloud.google.com
1738 resources:
1739 - '*'
1740 verbs:
1741 - get
1742 - list
1743 - watch
1744- apiGroups:
1745 - dialogflow.cnrm.cloud.google.com
1746 resources:
1747 - '*'
1748 verbs:
1749 - get
1750 - list
1751 - watch
1752- apiGroups:
1753 - dialogflowcx.cnrm.cloud.google.com
1754 resources:
1755 - '*'
1756 verbs:
1757 - get
1758 - list
1759 - watch
1760- apiGroups:
1761 - dlp.cnrm.cloud.google.com
1762 resources:
1763 - '*'
1764 verbs:
1765 - get
1766 - list
1767 - watch
1768- apiGroups:
1769 - dns.cnrm.cloud.google.com
1770 resources:
1771 - '*'
1772 verbs:
1773 - get
1774 - list
1775 - watch
1776- apiGroups:
1777 - documentai.cnrm.cloud.google.com
1778 resources:
1779 - '*'
1780 verbs:
1781 - get
1782 - list
1783 - watch
1784- apiGroups:
1785 - essentialcontacts.cnrm.cloud.google.com
1786 resources:
1787 - '*'
1788 verbs:
1789 - get
1790 - list
1791 - watch
1792- apiGroups:
1793 - eventarc.cnrm.cloud.google.com
1794 resources:
1795 - '*'
1796 verbs:
1797 - get
1798 - list
1799 - watch
1800- apiGroups:
1801 - filestore.cnrm.cloud.google.com
1802 resources:
1803 - '*'
1804 verbs:
1805 - get
1806 - list
1807 - watch
1808- apiGroups:
1809 - firebase.cnrm.cloud.google.com
1810 resources:
1811 - '*'
1812 verbs:
1813 - get
1814 - list
1815 - watch
1816- apiGroups:
1817 - firebasedatabase.cnrm.cloud.google.com
1818 resources:
1819 - '*'
1820 verbs:
1821 - get
1822 - list
1823 - watch
1824- apiGroups:
1825 - firebasehosting.cnrm.cloud.google.com
1826 resources:
1827 - '*'
1828 verbs:
1829 - get
1830 - list
1831 - watch
1832- apiGroups:
1833 - firebasestorage.cnrm.cloud.google.com
1834 resources:
1835 - '*'
1836 verbs:
1837 - get
1838 - list
1839 - watch
1840- apiGroups:
1841 - firestore.cnrm.cloud.google.com
1842 resources:
1843 - '*'
1844 verbs:
1845 - get
1846 - list
1847 - watch
1848- apiGroups:
1849 - gkebackup.cnrm.cloud.google.com
1850 resources:
1851 - '*'
1852 verbs:
1853 - get
1854 - list
1855 - watch
1856- apiGroups:
1857 - gkehub.cnrm.cloud.google.com
1858 resources:
1859 - '*'
1860 verbs:
1861 - get
1862 - list
1863 - watch
1864- apiGroups:
1865 - healthcare.cnrm.cloud.google.com
1866 resources:
1867 - '*'
1868 verbs:
1869 - get
1870 - list
1871 - watch
1872- apiGroups:
1873 - iam.cnrm.cloud.google.com
1874 resources:
1875 - '*'
1876 verbs:
1877 - get
1878 - list
1879 - watch
1880- apiGroups:
1881 - iap.cnrm.cloud.google.com
1882 resources:
1883 - '*'
1884 verbs:
1885 - get
1886 - list
1887 - watch
1888- apiGroups:
1889 - identityplatform.cnrm.cloud.google.com
1890 resources:
1891 - '*'
1892 verbs:
1893 - get
1894 - list
1895 - watch
1896- apiGroups:
1897 - kms.cnrm.cloud.google.com
1898 resources:
1899 - '*'
1900 verbs:
1901 - get
1902 - list
1903 - watch
1904- apiGroups:
1905 - logging.cnrm.cloud.google.com
1906 resources:
1907 - '*'
1908 verbs:
1909 - get
1910 - list
1911 - watch
1912- apiGroups:
1913 - memcache.cnrm.cloud.google.com
1914 resources:
1915 - '*'
1916 verbs:
1917 - get
1918 - list
1919 - watch
1920- apiGroups:
1921 - mlengine.cnrm.cloud.google.com
1922 resources:
1923 - '*'
1924 verbs:
1925 - get
1926 - list
1927 - watch
1928- apiGroups:
1929 - monitoring.cnrm.cloud.google.com
1930 resources:
1931 - '*'
1932 verbs:
1933 - get
1934 - list
1935 - watch
1936- apiGroups:
1937 - networkconnectivity.cnrm.cloud.google.com
1938 resources:
1939 - '*'
1940 verbs:
1941 - get
1942 - list
1943 - watch
1944- apiGroups:
1945 - networkmanagement.cnrm.cloud.google.com
1946 resources:
1947 - '*'
1948 verbs:
1949 - get
1950 - list
1951 - watch
1952- apiGroups:
1953 - networksecurity.cnrm.cloud.google.com
1954 resources:
1955 - '*'
1956 verbs:
1957 - get
1958 - list
1959 - watch
1960- apiGroups:
1961 - networkservices.cnrm.cloud.google.com
1962 resources:
1963 - '*'
1964 verbs:
1965 - get
1966 - list
1967 - watch
1968- apiGroups:
1969 - notebooks.cnrm.cloud.google.com
1970 resources:
1971 - '*'
1972 verbs:
1973 - get
1974 - list
1975 - watch
1976- apiGroups:
1977 - orgpolicy.cnrm.cloud.google.com
1978 resources:
1979 - '*'
1980 verbs:
1981 - get
1982 - list
1983 - watch
1984- apiGroups:
1985 - osconfig.cnrm.cloud.google.com
1986 resources:
1987 - '*'
1988 verbs:
1989 - get
1990 - list
1991 - watch
1992- apiGroups:
1993 - oslogin.cnrm.cloud.google.com
1994 resources:
1995 - '*'
1996 verbs:
1997 - get
1998 - list
1999 - watch
2000- apiGroups:
2001 - privateca.cnrm.cloud.google.com
2002 resources:
2003 - '*'
2004 verbs:
2005 - get
2006 - list
2007 - watch
2008- apiGroups:
2009 - pubsub.cnrm.cloud.google.com
2010 resources:
2011 - '*'
2012 verbs:
2013 - get
2014 - list
2015 - watch
2016- apiGroups:
2017 - pubsublite.cnrm.cloud.google.com
2018 resources:
2019 - '*'
2020 verbs:
2021 - get
2022 - list
2023 - watch
2024- apiGroups:
2025 - recaptchaenterprise.cnrm.cloud.google.com
2026 resources:
2027 - '*'
2028 verbs:
2029 - get
2030 - list
2031 - watch
2032- apiGroups:
2033 - redis.cnrm.cloud.google.com
2034 resources:
2035 - '*'
2036 verbs:
2037 - get
2038 - list
2039 - watch
2040- apiGroups:
2041 - resourcemanager.cnrm.cloud.google.com
2042 resources:
2043 - '*'
2044 verbs:
2045 - get
2046 - list
2047 - watch
2048- apiGroups:
2049 - run.cnrm.cloud.google.com
2050 resources:
2051 - '*'
2052 verbs:
2053 - get
2054 - list
2055 - watch
2056- apiGroups:
2057 - secretmanager.cnrm.cloud.google.com
2058 resources:
2059 - '*'
2060 verbs:
2061 - get
2062 - list
2063 - watch
2064- apiGroups:
2065 - securitycenter.cnrm.cloud.google.com
2066 resources:
2067 - '*'
2068 verbs:
2069 - get
2070 - list
2071 - watch
2072- apiGroups:
2073 - servicedirectory.cnrm.cloud.google.com
2074 resources:
2075 - '*'
2076 verbs:
2077 - get
2078 - list
2079 - watch
2080- apiGroups:
2081 - servicenetworking.cnrm.cloud.google.com
2082 resources:
2083 - '*'
2084 verbs:
2085 - get
2086 - list
2087 - watch
2088- apiGroups:
2089 - serviceusage.cnrm.cloud.google.com
2090 resources:
2091 - '*'
2092 verbs:
2093 - get
2094 - list
2095 - watch
2096- apiGroups:
2097 - sourcerepo.cnrm.cloud.google.com
2098 resources:
2099 - '*'
2100 verbs:
2101 - get
2102 - list
2103 - watch
2104- apiGroups:
2105 - spanner.cnrm.cloud.google.com
2106 resources:
2107 - '*'
2108 verbs:
2109 - get
2110 - list
2111 - watch
2112- apiGroups:
2113 - sql.cnrm.cloud.google.com
2114 resources:
2115 - '*'
2116 verbs:
2117 - get
2118 - list
2119 - watch
2120- apiGroups:
2121 - storage.cnrm.cloud.google.com
2122 resources:
2123 - '*'
2124 verbs:
2125 - get
2126 - list
2127 - watch
2128- apiGroups:
2129 - storagetransfer.cnrm.cloud.google.com
2130 resources:
2131 - '*'
2132 verbs:
2133 - get
2134 - list
2135 - watch
2136- apiGroups:
2137 - tags.cnrm.cloud.google.com
2138 resources:
2139 - '*'
2140 verbs:
2141 - get
2142 - list
2143 - watch
2144- apiGroups:
2145 - tpu.cnrm.cloud.google.com
2146 resources:
2147 - '*'
2148 verbs:
2149 - get
2150 - list
2151 - watch
2152- apiGroups:
2153 - vertexai.cnrm.cloud.google.com
2154 resources:
2155 - '*'
2156 verbs:
2157 - get
2158 - list
2159 - watch
2160- apiGroups:
2161 - vpcaccess.cnrm.cloud.google.com
2162 resources:
2163 - '*'
2164 verbs:
2165 - get
2166 - list
2167 - watch
2168- apiGroups:
2169 - workflows.cnrm.cloud.google.com
2170 resources:
2171 - '*'
2172 verbs:
2173 - get
2174 - list
2175 - watch
2176- apiGroups:
2177 - workstations.cnrm.cloud.google.com
2178 resources:
2179 - '*'
2180 verbs:
2181 - get
2182 - list
2183 - watch
2184---
2185apiVersion: rbac.authorization.k8s.io/v1
2186kind: ClusterRole
2187metadata:
2188 annotations:
2189 cnrm.cloud.google.com/version: 1.106.0
2190 labels:
2191 cnrm.cloud.google.com/system: "true"
2192 name: cnrm-webhook-role
2193rules:
2194- apiGroups:
2195 - admissionregistration.k8s.io
2196 resources:
2197 - validatingwebhookconfigurations
2198 - mutatingwebhookconfigurations
2199 verbs:
2200 - get
2201 - list
2202 - watch
2203 - create
2204 - update
2205 - patch
2206 - delete
2207- apiGroups:
2208 - core.cnrm.cloud.google.com
2209 resources:
2210 - servicemappings
2211 verbs:
2212 - get
2213 - list
2214 - watch
2215 - create
2216 - update
2217 - patch
2218 - delete
2219- apiGroups:
2220 - ""
2221 resources:
2222 - services
2223 verbs:
2224 - get
2225 - list
2226 - watch
2227 - create
2228 - update
2229 - patch
2230 - delete
2231- apiGroups:
2232 - apiextensions.k8s.io
2233 resources:
2234 - customresourcedefinitions
2235 verbs:
2236 - get
2237 - list
2238 - watch
2239- apiGroups:
2240 - ""
2241 resources:
2242 - namespaces
2243 verbs:
2244 - get
2245 - list
2246 - watch
2247---
2248apiVersion: rbac.authorization.k8s.io/v1
2249kind: RoleBinding
2250metadata:
2251 annotations:
2252 cnrm.cloud.google.com/version: 1.106.0
2253 labels:
2254 cnrm.cloud.google.com/system: "true"
2255 name: cnrm-deletiondefender-role-binding
2256 namespace: cnrm-system
2257roleRef:
2258 apiGroup: rbac.authorization.k8s.io
2259 kind: Role
2260 name: cnrm-deletiondefender-cnrm-system-role
2261subjects:
2262- kind: ServiceAccount
2263 name: cnrm-deletiondefender
2264 namespace: cnrm-system
2265---
2266apiVersion: rbac.authorization.k8s.io/v1
2267kind: RoleBinding
2268metadata:
2269 annotations:
2270 cnrm.cloud.google.com/version: 1.106.0
2271 labels:
2272 cnrm.cloud.google.com/system: "true"
2273 name: cnrm-webhook-role-binding
2274 namespace: cnrm-system
2275roleRef:
2276 apiGroup: rbac.authorization.k8s.io
2277 kind: Role
2278 name: cnrm-webhook-cnrm-system-role
2279subjects:
2280- kind: ServiceAccount
2281 name: cnrm-webhook-manager
2282 namespace: cnrm-system
2283---
2284apiVersion: rbac.authorization.k8s.io/v1
2285kind: ClusterRoleBinding
2286metadata:
2287 annotations:
2288 cnrm.cloud.google.com/version: 1.106.0
2289 labels:
2290 cnrm.cloud.google.com/system: "true"
2291 name: cnrm-admin-binding
2292roleRef:
2293 apiGroup: rbac.authorization.k8s.io
2294 kind: ClusterRole
2295 name: cnrm-admin
2296subjects:
2297- kind: ServiceAccount
2298 name: cnrm-unmanaged-detector
2299 namespace: cnrm-system
2300- kind: ServiceAccount
2301 name: cnrm-resource-stats-recorder
2302 namespace: cnrm-system
2303- kind: ServiceAccount
2304 name: cnrm-deletiondefender
2305 namespace: cnrm-system
2306---
2307apiVersion: rbac.authorization.k8s.io/v1
2308kind: ClusterRoleBinding
2309metadata:
2310 annotations:
2311 cnrm.cloud.google.com/version: 1.106.0
2312 labels:
2313 cnrm.cloud.google.com/system: "true"
2314 name: cnrm-deletiondefender-binding
2315roleRef:
2316 apiGroup: rbac.authorization.k8s.io
2317 kind: ClusterRole
2318 name: cnrm-deletiondefender-role
2319subjects:
2320- kind: ServiceAccount
2321 name: cnrm-deletiondefender
2322 namespace: cnrm-system
2323---
2324apiVersion: rbac.authorization.k8s.io/v1
2325kind: ClusterRoleBinding
2326metadata:
2327 annotations:
2328 cnrm.cloud.google.com/version: 1.106.0
2329 labels:
2330 cnrm.cloud.google.com/system: "true"
2331 name: cnrm-recorder-binding
2332roleRef:
2333 apiGroup: rbac.authorization.k8s.io
2334 kind: ClusterRole
2335 name: cnrm-recorder-role
2336subjects:
2337- kind: ServiceAccount
2338 name: cnrm-resource-stats-recorder
2339 namespace: cnrm-system
2340---
2341apiVersion: rbac.authorization.k8s.io/v1
2342kind: ClusterRoleBinding
2343metadata:
2344 annotations:
2345 cnrm.cloud.google.com/version: 1.106.0
2346 labels:
2347 cnrm.cloud.google.com/system: "true"
2348 name: cnrm-unmanaged-detector-binding
2349roleRef:
2350 apiGroup: rbac.authorization.k8s.io
2351 kind: ClusterRole
2352 name: cnrm-unmanaged-detector-cluster-role
2353subjects:
2354- kind: ServiceAccount
2355 name: cnrm-unmanaged-detector
2356 namespace: cnrm-system
2357---
2358apiVersion: rbac.authorization.k8s.io/v1
2359kind: ClusterRoleBinding
2360metadata:
2361 annotations:
2362 cnrm.cloud.google.com/version: 1.106.0
2363 labels:
2364 cnrm.cloud.google.com/system: "true"
2365 name: cnrm-webhook-binding
2366roleRef:
2367 apiGroup: rbac.authorization.k8s.io
2368 kind: ClusterRole
2369 name: cnrm-webhook-role
2370subjects:
2371- kind: ServiceAccount
2372 name: cnrm-webhook-manager
2373 namespace: cnrm-system
2374---
2375apiVersion: v1
2376kind: Service
2377metadata:
2378 annotations:
2379 cnrm.cloud.google.com/version: 1.106.0
2380 labels:
2381 cnrm.cloud.google.com/system: "true"
2382 name: cnrm-deletiondefender
2383 namespace: cnrm-system
2384spec:
2385 ports:
2386 - name: deletiondefender
2387 port: 443
2388 selector:
2389 cnrm.cloud.google.com/component: cnrm-deletiondefender
2390 cnrm.cloud.google.com/system: "true"
2391---
2392apiVersion: v1
2393kind: Service
2394metadata:
2395 annotations:
2396 cnrm.cloud.google.com/version: 1.106.0
2397 prometheus.io/port: "48797"
2398 prometheus.io/scrape: "true"
2399 labels:
2400 cnrm.cloud.google.com/monitored: "true"
2401 cnrm.cloud.google.com/system: "true"
2402 name: cnrm-resource-stats-recorder-service
2403 namespace: cnrm-system
2404spec:
2405 ports:
2406 - name: metrics
2407 port: 8888
2408 targetPort: 48797
2409 selector:
2410 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2411 cnrm.cloud.google.com/system: "true"
2412---
2413apiVersion: apps/v1
2414kind: Deployment
2415metadata:
2416 annotations:
2417 cnrm.cloud.google.com/version: 1.106.0
2418 labels:
2419 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2420 cnrm.cloud.google.com/system: "true"
2421 name: cnrm-resource-stats-recorder
2422 namespace: cnrm-system
2423spec:
2424 replicas: 1
2425 revisionHistoryLimit: 1
2426 selector:
2427 matchLabels:
2428 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2429 cnrm.cloud.google.com/system: "true"
2430 strategy:
2431 type: Recreate
2432 template:
2433 metadata:
2434 annotations:
2435 cnrm.cloud.google.com/version: 1.106.0
2436 labels:
2437 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2438 cnrm.cloud.google.com/system: "true"
2439 spec:
2440 containers:
2441 - args:
2442 - --prometheus-scrape-endpoint=:48797
2443 - --metric-interval=60
2444 command:
2445 - /configconnector/recorder
2446 env:
2447 - name: CONFIG_CONNECTOR_VERSION
2448 value: 1.106.0
2449 image: gcr.io/cnrm-eap/recorder:2b4f8d7
2450 imagePullPolicy: Always
2451 name: recorder
2452 ports:
2453 - containerPort: 48797
2454 hostPort: 48797
2455 protocol: TCP
2456 - containerPort: 23232
2457 readinessProbe:
2458 httpGet:
2459 path: /ready
2460 port: 23232
2461 initialDelaySeconds: 7
2462 periodSeconds: 3
2463 resources:
2464 limits:
2465 memory: 64Mi
2466 requests:
2467 cpu: 20m
2468 memory: 64Mi
2469 securityContext:
2470 allowPrivilegeEscalation: false
2471 privileged: false
2472 runAsNonRoot: true
2473 runAsUser: 1000
2474 enableServiceLinks: false
2475 hostNetwork: false
2476 serviceAccountName: cnrm-resource-stats-recorder
2477 terminationGracePeriodSeconds: 10
2478---
2479apiVersion: apps/v1
2480kind: Deployment
2481metadata:
2482 annotations:
2483 cnrm.cloud.google.com/version: 1.106.0
2484 labels:
2485 cnrm.cloud.google.com/component: cnrm-webhook-manager
2486 cnrm.cloud.google.com/system: "true"
2487 name: cnrm-webhook-manager
2488 namespace: cnrm-system
2489spec:
2490 revisionHistoryLimit: 1
2491 selector:
2492 matchLabels:
2493 cnrm.cloud.google.com/component: cnrm-webhook-manager
2494 cnrm.cloud.google.com/system: "true"
2495 template:
2496 metadata:
2497 annotations:
2498 cnrm.cloud.google.com/version: 1.106.0
2499 labels:
2500 cnrm.cloud.google.com/component: cnrm-webhook-manager
2501 cnrm.cloud.google.com/system: "true"
2502 spec:
2503 containers:
2504 - command:
2505 - /configconnector/webhook
2506 env:
2507 - name: NAMESPACE
2508 valueFrom:
2509 fieldRef:
2510 fieldPath: metadata.namespace
2511 image: gcr.io/cnrm-eap/webhook:2b4f8d7
2512 imagePullPolicy: Always
2513 name: webhook
2514 ports:
2515 - containerPort: 23232
2516 readinessProbe:
2517 httpGet:
2518 path: /ready
2519 port: 23232
2520 initialDelaySeconds: 7
2521 periodSeconds: 3
2522 resources:
2523 limits:
2524 memory: 128Mi
2525 requests:
2526 cpu: 250m
2527 memory: 128Mi
2528 securityContext:
2529 allowPrivilegeEscalation: false
2530 privileged: false
2531 runAsNonRoot: true
2532 runAsUser: 1000
2533 enableServiceLinks: false
2534 serviceAccountName: cnrm-webhook-manager
2535 terminationGracePeriodSeconds: 10
2536---
2537apiVersion: apps/v1
2538kind: StatefulSet
2539metadata:
2540 annotations:
2541 cnrm.cloud.google.com/version: 1.106.0
2542 labels:
2543 cnrm.cloud.google.com/component: cnrm-deletiondefender
2544 cnrm.cloud.google.com/system: "true"
2545 name: cnrm-deletiondefender
2546 namespace: cnrm-system
2547spec:
2548 selector:
2549 matchLabels:
2550 cnrm.cloud.google.com/component: cnrm-deletiondefender
2551 cnrm.cloud.google.com/system: "true"
2552 serviceName: cnrm-deletiondefender
2553 template:
2554 metadata:
2555 annotations:
2556 cnrm.cloud.google.com/version: 1.106.0
2557 labels:
2558 cnrm.cloud.google.com/component: cnrm-deletiondefender
2559 cnrm.cloud.google.com/system: "true"
2560 spec:
2561 containers:
2562 - command:
2563 - /configconnector/deletiondefender
2564 image: gcr.io/cnrm-eap/deletiondefender:2b4f8d7
2565 imagePullPolicy: Always
2566 name: deletiondefender
2567 ports:
2568 - containerPort: 23232
2569 readinessProbe:
2570 httpGet:
2571 path: /ready
2572 port: 23232
2573 initialDelaySeconds: 7
2574 periodSeconds: 3
2575 resources:
2576 limits:
2577 memory: 1Gi
2578 requests:
2579 cpu: 250m
2580 memory: 1Gi
2581 securityContext:
2582 allowPrivilegeEscalation: false
2583 privileged: false
2584 runAsNonRoot: true
2585 runAsUser: 1000
2586 enableServiceLinks: false
2587 serviceAccountName: cnrm-deletiondefender
2588 terminationGracePeriodSeconds: 10
2589---
2590apiVersion: apps/v1
2591kind: StatefulSet
2592metadata:
2593 annotations:
2594 cnrm.cloud.google.com/version: 1.106.0
2595 labels:
2596 cnrm.cloud.google.com/component: cnrm-unmanaged-detector
2597 cnrm.cloud.google.com/system: "true"
2598 name: cnrm-unmanaged-detector
2599 namespace: cnrm-system
2600spec:
2601 selector:
2602 matchLabels:
2603 cnrm.cloud.google.com/component: cnrm-unmanaged-detector
2604 cnrm.cloud.google.com/system: "true"
2605 serviceName: unmanaged-detector
2606 template:
2607 metadata:
2608 annotations:
2609 cnrm.cloud.google.com/version: 1.106.0
2610 labels:
2611 cnrm.cloud.google.com/component: cnrm-unmanaged-detector
2612 cnrm.cloud.google.com/system: "true"
2613 spec:
2614 containers:
2615 - command:
2616 - /configconnector/unmanageddetector
2617 image: gcr.io/cnrm-eap/unmanageddetector:2b4f8d7
2618 imagePullPolicy: Always
2619 name: unmanageddetector
2620 ports:
2621 - containerPort: 23232
2622 readinessProbe:
2623 httpGet:
2624 path: /ready
2625 port: 23232
2626 initialDelaySeconds: 7
2627 periodSeconds: 3
2628 resources:
2629 limits:
2630 memory: 1Gi
2631 requests:
2632 cpu: 250m
2633 memory: 512Mi
2634 securityContext:
2635 allowPrivilegeEscalation: false
2636 privileged: false
2637 runAsNonRoot: true
2638 runAsUser: 1000
2639 enableServiceLinks: false
2640 serviceAccountName: cnrm-unmanaged-detector
2641 terminationGracePeriodSeconds: 10
2642---
2643apiVersion: autoscaling/v1
2644kind: HorizontalPodAutoscaler
2645metadata:
2646 annotations:
2647 autoscaling.alpha.kubernetes.io/metrics: '[{"type":"Resource","resource":{"name":"memory","targetAverageUtilization":70}}]'
2648 cnrm.cloud.google.com/version: 1.106.0
2649 labels:
2650 cnrm.cloud.google.com/system: "true"
2651 name: cnrm-webhook
2652 namespace: cnrm-system
2653spec:
2654 maxReplicas: 20
2655 minReplicas: 2
2656 scaleTargetRef:
2657 apiVersion: apps/v1
2658 kind: Deployment
2659 name: cnrm-webhook-manager
2660 targetCPUUtilizationPercentage: 90
View as plain text