1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: v1
16kind: Namespace
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 labels:
21 cnrm.cloud.google.com/system: "true"
22 name: cnrm-system
23---
24apiVersion: v1
25kind: ServiceAccount
26metadata:
27 annotations:
28 cnrm.cloud.google.com/version: 1.106.0
29 labels:
30 cnrm.cloud.google.com/system: "true"
31 name: cnrm-controller-manager
32 namespace: cnrm-system
33---
34apiVersion: v1
35kind: ServiceAccount
36metadata:
37 annotations:
38 cnrm.cloud.google.com/version: 1.106.0
39 labels:
40 cnrm.cloud.google.com/system: "true"
41 name: cnrm-deletiondefender
42 namespace: cnrm-system
43---
44apiVersion: v1
45kind: ServiceAccount
46metadata:
47 annotations:
48 cnrm.cloud.google.com/version: 1.106.0
49 labels:
50 cnrm.cloud.google.com/system: "true"
51 name: cnrm-resource-stats-recorder
52 namespace: cnrm-system
53---
54apiVersion: v1
55kind: ServiceAccount
56metadata:
57 annotations:
58 cnrm.cloud.google.com/version: 1.106.0
59 labels:
60 cnrm.cloud.google.com/system: "true"
61 name: cnrm-webhook-manager
62 namespace: cnrm-system
63---
64apiVersion: rbac.authorization.k8s.io/v1
65kind: Role
66metadata:
67 annotations:
68 cnrm.cloud.google.com/version: 1.106.0
69 labels:
70 cnrm.cloud.google.com/system: "true"
71 name: cnrm-deletiondefender-cnrm-system-role
72 namespace: cnrm-system
73rules:
74- apiGroups:
75 - ""
76 resources:
77 - secrets
78 verbs:
79 - get
80 - create
81 - update
82 - patch
83 - delete
84---
85apiVersion: rbac.authorization.k8s.io/v1
86kind: Role
87metadata:
88 annotations:
89 cnrm.cloud.google.com/version: 1.106.0
90 labels:
91 cnrm.cloud.google.com/system: "true"
92 name: cnrm-webhook-cnrm-system-role
93 namespace: cnrm-system
94rules:
95- apiGroups:
96 - ""
97 resources:
98 - secrets
99 verbs:
100 - get
101 - create
102 - update
103 - patch
104 - delete
105---
106apiVersion: rbac.authorization.k8s.io/v1
107kind: ClusterRole
108metadata:
109 annotations:
110 cnrm.cloud.google.com/version: 1.106.0
111 creationTimestamp: null
112 labels:
113 cnrm.cloud.google.com/system: "true"
114 rbac.authorization.k8s.io/aggregate-to-admin: "true"
115 rbac.authorization.k8s.io/aggregate-to-edit: "true"
116 name: cnrm-admin
117rules:
118- apiGroups:
119 - accesscontextmanager.cnrm.cloud.google.com
120 resources:
121 - '*'
122 verbs:
123 - get
124 - list
125 - watch
126 - create
127 - update
128 - patch
129 - delete
130- apiGroups:
131 - alloydb.cnrm.cloud.google.com
132 resources:
133 - '*'
134 verbs:
135 - get
136 - list
137 - watch
138 - create
139 - update
140 - patch
141 - delete
142- apiGroups:
143 - apigateway.cnrm.cloud.google.com
144 resources:
145 - '*'
146 verbs:
147 - get
148 - list
149 - watch
150 - create
151 - update
152 - patch
153 - delete
154- apiGroups:
155 - apigee.cnrm.cloud.google.com
156 resources:
157 - '*'
158 verbs:
159 - get
160 - list
161 - watch
162 - create
163 - update
164 - patch
165 - delete
166- apiGroups:
167 - appengine.cnrm.cloud.google.com
168 resources:
169 - '*'
170 verbs:
171 - get
172 - list
173 - watch
174 - create
175 - update
176 - patch
177 - delete
178- apiGroups:
179 - artifactregistry.cnrm.cloud.google.com
180 resources:
181 - '*'
182 verbs:
183 - get
184 - list
185 - watch
186 - create
187 - update
188 - patch
189 - delete
190- apiGroups:
191 - beyondcorp.cnrm.cloud.google.com
192 resources:
193 - '*'
194 verbs:
195 - get
196 - list
197 - watch
198 - create
199 - update
200 - patch
201 - delete
202- apiGroups:
203 - bigquery.cnrm.cloud.google.com
204 resources:
205 - '*'
206 verbs:
207 - get
208 - list
209 - watch
210 - create
211 - update
212 - patch
213 - delete
214- apiGroups:
215 - bigqueryanalyticshub.cnrm.cloud.google.com
216 resources:
217 - '*'
218 verbs:
219 - get
220 - list
221 - watch
222 - create
223 - update
224 - patch
225 - delete
226- apiGroups:
227 - bigqueryconnection.cnrm.cloud.google.com
228 resources:
229 - '*'
230 verbs:
231 - get
232 - list
233 - watch
234 - create
235 - update
236 - patch
237 - delete
238- apiGroups:
239 - bigquerydatapolicy.cnrm.cloud.google.com
240 resources:
241 - '*'
242 verbs:
243 - get
244 - list
245 - watch
246 - create
247 - update
248 - patch
249 - delete
250- apiGroups:
251 - bigquerydatatransfer.cnrm.cloud.google.com
252 resources:
253 - '*'
254 verbs:
255 - get
256 - list
257 - watch
258 - create
259 - update
260 - patch
261 - delete
262- apiGroups:
263 - bigqueryreservation.cnrm.cloud.google.com
264 resources:
265 - '*'
266 verbs:
267 - get
268 - list
269 - watch
270 - create
271 - update
272 - patch
273 - delete
274- apiGroups:
275 - bigtable.cnrm.cloud.google.com
276 resources:
277 - '*'
278 verbs:
279 - get
280 - list
281 - watch
282 - create
283 - update
284 - patch
285 - delete
286- apiGroups:
287 - billingbudgets.cnrm.cloud.google.com
288 resources:
289 - '*'
290 verbs:
291 - get
292 - list
293 - watch
294 - create
295 - update
296 - patch
297 - delete
298- apiGroups:
299 - binaryauthorization.cnrm.cloud.google.com
300 resources:
301 - '*'
302 verbs:
303 - get
304 - list
305 - watch
306 - create
307 - update
308 - patch
309 - delete
310- apiGroups:
311 - certificatemanager.cnrm.cloud.google.com
312 resources:
313 - '*'
314 verbs:
315 - get
316 - list
317 - watch
318 - create
319 - update
320 - patch
321 - delete
322- apiGroups:
323 - cloudasset.cnrm.cloud.google.com
324 resources:
325 - '*'
326 verbs:
327 - get
328 - list
329 - watch
330 - create
331 - update
332 - patch
333 - delete
334- apiGroups:
335 - cloudbuild.cnrm.cloud.google.com
336 resources:
337 - '*'
338 verbs:
339 - get
340 - list
341 - watch
342 - create
343 - update
344 - patch
345 - delete
346- apiGroups:
347 - cloudfunctions.cnrm.cloud.google.com
348 resources:
349 - '*'
350 verbs:
351 - get
352 - list
353 - watch
354 - create
355 - update
356 - patch
357 - delete
358- apiGroups:
359 - cloudfunctions2.cnrm.cloud.google.com
360 resources:
361 - '*'
362 verbs:
363 - get
364 - list
365 - watch
366 - create
367 - update
368 - patch
369 - delete
370- apiGroups:
371 - cloudidentity.cnrm.cloud.google.com
372 resources:
373 - '*'
374 verbs:
375 - get
376 - list
377 - watch
378 - create
379 - update
380 - patch
381 - delete
382- apiGroups:
383 - cloudids.cnrm.cloud.google.com
384 resources:
385 - '*'
386 verbs:
387 - get
388 - list
389 - watch
390 - create
391 - update
392 - patch
393 - delete
394- apiGroups:
395 - cloudiot.cnrm.cloud.google.com
396 resources:
397 - '*'
398 verbs:
399 - get
400 - list
401 - watch
402 - create
403 - update
404 - patch
405 - delete
406- apiGroups:
407 - cloudscheduler.cnrm.cloud.google.com
408 resources:
409 - '*'
410 verbs:
411 - get
412 - list
413 - watch
414 - create
415 - update
416 - patch
417 - delete
418- apiGroups:
419 - cloudtasks.cnrm.cloud.google.com
420 resources:
421 - '*'
422 verbs:
423 - get
424 - list
425 - watch
426 - create
427 - update
428 - patch
429 - delete
430- apiGroups:
431 - compute.cnrm.cloud.google.com
432 resources:
433 - '*'
434 verbs:
435 - get
436 - list
437 - watch
438 - create
439 - update
440 - patch
441 - delete
442- apiGroups:
443 - configcontroller.cnrm.cloud.google.com
444 resources:
445 - '*'
446 verbs:
447 - get
448 - list
449 - watch
450 - create
451 - update
452 - patch
453 - delete
454- apiGroups:
455 - container.cnrm.cloud.google.com
456 resources:
457 - '*'
458 verbs:
459 - get
460 - list
461 - watch
462 - create
463 - update
464 - patch
465 - delete
466- apiGroups:
467 - containeranalysis.cnrm.cloud.google.com
468 resources:
469 - '*'
470 verbs:
471 - get
472 - list
473 - watch
474 - create
475 - update
476 - patch
477 - delete
478- apiGroups:
479 - datacatalog.cnrm.cloud.google.com
480 resources:
481 - '*'
482 verbs:
483 - get
484 - list
485 - watch
486 - create
487 - update
488 - patch
489 - delete
490- apiGroups:
491 - dataflow.cnrm.cloud.google.com
492 resources:
493 - '*'
494 verbs:
495 - get
496 - list
497 - watch
498 - create
499 - update
500 - patch
501 - delete
502- apiGroups:
503 - dataform.cnrm.cloud.google.com
504 resources:
505 - '*'
506 verbs:
507 - get
508 - list
509 - watch
510 - create
511 - update
512 - patch
513 - delete
514- apiGroups:
515 - datafusion.cnrm.cloud.google.com
516 resources:
517 - '*'
518 verbs:
519 - get
520 - list
521 - watch
522 - create
523 - update
524 - patch
525 - delete
526- apiGroups:
527 - dataproc.cnrm.cloud.google.com
528 resources:
529 - '*'
530 verbs:
531 - get
532 - list
533 - watch
534 - create
535 - update
536 - patch
537 - delete
538- apiGroups:
539 - datastore.cnrm.cloud.google.com
540 resources:
541 - '*'
542 verbs:
543 - get
544 - list
545 - watch
546 - create
547 - update
548 - patch
549 - delete
550- apiGroups:
551 - datastream.cnrm.cloud.google.com
552 resources:
553 - '*'
554 verbs:
555 - get
556 - list
557 - watch
558 - create
559 - update
560 - patch
561 - delete
562- apiGroups:
563 - deploymentmanager.cnrm.cloud.google.com
564 resources:
565 - '*'
566 verbs:
567 - get
568 - list
569 - watch
570 - create
571 - update
572 - patch
573 - delete
574- apiGroups:
575 - dialogflow.cnrm.cloud.google.com
576 resources:
577 - '*'
578 verbs:
579 - get
580 - list
581 - watch
582 - create
583 - update
584 - patch
585 - delete
586- apiGroups:
587 - dialogflowcx.cnrm.cloud.google.com
588 resources:
589 - '*'
590 verbs:
591 - get
592 - list
593 - watch
594 - create
595 - update
596 - patch
597 - delete
598- apiGroups:
599 - dlp.cnrm.cloud.google.com
600 resources:
601 - '*'
602 verbs:
603 - get
604 - list
605 - watch
606 - create
607 - update
608 - patch
609 - delete
610- apiGroups:
611 - dns.cnrm.cloud.google.com
612 resources:
613 - '*'
614 verbs:
615 - get
616 - list
617 - watch
618 - create
619 - update
620 - patch
621 - delete
622- apiGroups:
623 - documentai.cnrm.cloud.google.com
624 resources:
625 - '*'
626 verbs:
627 - get
628 - list
629 - watch
630 - create
631 - update
632 - patch
633 - delete
634- apiGroups:
635 - essentialcontacts.cnrm.cloud.google.com
636 resources:
637 - '*'
638 verbs:
639 - get
640 - list
641 - watch
642 - create
643 - update
644 - patch
645 - delete
646- apiGroups:
647 - eventarc.cnrm.cloud.google.com
648 resources:
649 - '*'
650 verbs:
651 - get
652 - list
653 - watch
654 - create
655 - update
656 - patch
657 - delete
658- apiGroups:
659 - filestore.cnrm.cloud.google.com
660 resources:
661 - '*'
662 verbs:
663 - get
664 - list
665 - watch
666 - create
667 - update
668 - patch
669 - delete
670- apiGroups:
671 - firebase.cnrm.cloud.google.com
672 resources:
673 - '*'
674 verbs:
675 - get
676 - list
677 - watch
678 - create
679 - update
680 - patch
681 - delete
682- apiGroups:
683 - firebasedatabase.cnrm.cloud.google.com
684 resources:
685 - '*'
686 verbs:
687 - get
688 - list
689 - watch
690 - create
691 - update
692 - patch
693 - delete
694- apiGroups:
695 - firebasehosting.cnrm.cloud.google.com
696 resources:
697 - '*'
698 verbs:
699 - get
700 - list
701 - watch
702 - create
703 - update
704 - patch
705 - delete
706- apiGroups:
707 - firebasestorage.cnrm.cloud.google.com
708 resources:
709 - '*'
710 verbs:
711 - get
712 - list
713 - watch
714 - create
715 - update
716 - patch
717 - delete
718- apiGroups:
719 - firestore.cnrm.cloud.google.com
720 resources:
721 - '*'
722 verbs:
723 - get
724 - list
725 - watch
726 - create
727 - update
728 - patch
729 - delete
730- apiGroups:
731 - gkebackup.cnrm.cloud.google.com
732 resources:
733 - '*'
734 verbs:
735 - get
736 - list
737 - watch
738 - create
739 - update
740 - patch
741 - delete
742- apiGroups:
743 - gkehub.cnrm.cloud.google.com
744 resources:
745 - '*'
746 verbs:
747 - get
748 - list
749 - watch
750 - create
751 - update
752 - patch
753 - delete
754- apiGroups:
755 - healthcare.cnrm.cloud.google.com
756 resources:
757 - '*'
758 verbs:
759 - get
760 - list
761 - watch
762 - create
763 - update
764 - patch
765 - delete
766- apiGroups:
767 - iam.cnrm.cloud.google.com
768 resources:
769 - '*'
770 verbs:
771 - get
772 - list
773 - watch
774 - create
775 - update
776 - patch
777 - delete
778- apiGroups:
779 - iap.cnrm.cloud.google.com
780 resources:
781 - '*'
782 verbs:
783 - get
784 - list
785 - watch
786 - create
787 - update
788 - patch
789 - delete
790- apiGroups:
791 - identityplatform.cnrm.cloud.google.com
792 resources:
793 - '*'
794 verbs:
795 - get
796 - list
797 - watch
798 - create
799 - update
800 - patch
801 - delete
802- apiGroups:
803 - kms.cnrm.cloud.google.com
804 resources:
805 - '*'
806 verbs:
807 - get
808 - list
809 - watch
810 - create
811 - update
812 - patch
813 - delete
814- apiGroups:
815 - logging.cnrm.cloud.google.com
816 resources:
817 - '*'
818 verbs:
819 - get
820 - list
821 - watch
822 - create
823 - update
824 - patch
825 - delete
826- apiGroups:
827 - memcache.cnrm.cloud.google.com
828 resources:
829 - '*'
830 verbs:
831 - get
832 - list
833 - watch
834 - create
835 - update
836 - patch
837 - delete
838- apiGroups:
839 - mlengine.cnrm.cloud.google.com
840 resources:
841 - '*'
842 verbs:
843 - get
844 - list
845 - watch
846 - create
847 - update
848 - patch
849 - delete
850- apiGroups:
851 - monitoring.cnrm.cloud.google.com
852 resources:
853 - '*'
854 verbs:
855 - get
856 - list
857 - watch
858 - create
859 - update
860 - patch
861 - delete
862- apiGroups:
863 - networkconnectivity.cnrm.cloud.google.com
864 resources:
865 - '*'
866 verbs:
867 - get
868 - list
869 - watch
870 - create
871 - update
872 - patch
873 - delete
874- apiGroups:
875 - networkmanagement.cnrm.cloud.google.com
876 resources:
877 - '*'
878 verbs:
879 - get
880 - list
881 - watch
882 - create
883 - update
884 - patch
885 - delete
886- apiGroups:
887 - networksecurity.cnrm.cloud.google.com
888 resources:
889 - '*'
890 verbs:
891 - get
892 - list
893 - watch
894 - create
895 - update
896 - patch
897 - delete
898- apiGroups:
899 - networkservices.cnrm.cloud.google.com
900 resources:
901 - '*'
902 verbs:
903 - get
904 - list
905 - watch
906 - create
907 - update
908 - patch
909 - delete
910- apiGroups:
911 - notebooks.cnrm.cloud.google.com
912 resources:
913 - '*'
914 verbs:
915 - get
916 - list
917 - watch
918 - create
919 - update
920 - patch
921 - delete
922- apiGroups:
923 - orgpolicy.cnrm.cloud.google.com
924 resources:
925 - '*'
926 verbs:
927 - get
928 - list
929 - watch
930 - create
931 - update
932 - patch
933 - delete
934- apiGroups:
935 - osconfig.cnrm.cloud.google.com
936 resources:
937 - '*'
938 verbs:
939 - get
940 - list
941 - watch
942 - create
943 - update
944 - patch
945 - delete
946- apiGroups:
947 - oslogin.cnrm.cloud.google.com
948 resources:
949 - '*'
950 verbs:
951 - get
952 - list
953 - watch
954 - create
955 - update
956 - patch
957 - delete
958- apiGroups:
959 - privateca.cnrm.cloud.google.com
960 resources:
961 - '*'
962 verbs:
963 - get
964 - list
965 - watch
966 - create
967 - update
968 - patch
969 - delete
970- apiGroups:
971 - pubsub.cnrm.cloud.google.com
972 resources:
973 - '*'
974 verbs:
975 - get
976 - list
977 - watch
978 - create
979 - update
980 - patch
981 - delete
982- apiGroups:
983 - pubsublite.cnrm.cloud.google.com
984 resources:
985 - '*'
986 verbs:
987 - get
988 - list
989 - watch
990 - create
991 - update
992 - patch
993 - delete
994- apiGroups:
995 - recaptchaenterprise.cnrm.cloud.google.com
996 resources:
997 - '*'
998 verbs:
999 - get
1000 - list
1001 - watch
1002 - create
1003 - update
1004 - patch
1005 - delete
1006- apiGroups:
1007 - redis.cnrm.cloud.google.com
1008 resources:
1009 - '*'
1010 verbs:
1011 - get
1012 - list
1013 - watch
1014 - create
1015 - update
1016 - patch
1017 - delete
1018- apiGroups:
1019 - resourcemanager.cnrm.cloud.google.com
1020 resources:
1021 - '*'
1022 verbs:
1023 - get
1024 - list
1025 - watch
1026 - create
1027 - update
1028 - patch
1029 - delete
1030- apiGroups:
1031 - run.cnrm.cloud.google.com
1032 resources:
1033 - '*'
1034 verbs:
1035 - get
1036 - list
1037 - watch
1038 - create
1039 - update
1040 - patch
1041 - delete
1042- apiGroups:
1043 - secretmanager.cnrm.cloud.google.com
1044 resources:
1045 - '*'
1046 verbs:
1047 - get
1048 - list
1049 - watch
1050 - create
1051 - update
1052 - patch
1053 - delete
1054- apiGroups:
1055 - securitycenter.cnrm.cloud.google.com
1056 resources:
1057 - '*'
1058 verbs:
1059 - get
1060 - list
1061 - watch
1062 - create
1063 - update
1064 - patch
1065 - delete
1066- apiGroups:
1067 - servicedirectory.cnrm.cloud.google.com
1068 resources:
1069 - '*'
1070 verbs:
1071 - get
1072 - list
1073 - watch
1074 - create
1075 - update
1076 - patch
1077 - delete
1078- apiGroups:
1079 - servicenetworking.cnrm.cloud.google.com
1080 resources:
1081 - '*'
1082 verbs:
1083 - get
1084 - list
1085 - watch
1086 - create
1087 - update
1088 - patch
1089 - delete
1090- apiGroups:
1091 - serviceusage.cnrm.cloud.google.com
1092 resources:
1093 - '*'
1094 verbs:
1095 - get
1096 - list
1097 - watch
1098 - create
1099 - update
1100 - patch
1101 - delete
1102- apiGroups:
1103 - sourcerepo.cnrm.cloud.google.com
1104 resources:
1105 - '*'
1106 verbs:
1107 - get
1108 - list
1109 - watch
1110 - create
1111 - update
1112 - patch
1113 - delete
1114- apiGroups:
1115 - spanner.cnrm.cloud.google.com
1116 resources:
1117 - '*'
1118 verbs:
1119 - get
1120 - list
1121 - watch
1122 - create
1123 - update
1124 - patch
1125 - delete
1126- apiGroups:
1127 - sql.cnrm.cloud.google.com
1128 resources:
1129 - '*'
1130 verbs:
1131 - get
1132 - list
1133 - watch
1134 - create
1135 - update
1136 - patch
1137 - delete
1138- apiGroups:
1139 - storage.cnrm.cloud.google.com
1140 resources:
1141 - '*'
1142 verbs:
1143 - get
1144 - list
1145 - watch
1146 - create
1147 - update
1148 - patch
1149 - delete
1150- apiGroups:
1151 - storagetransfer.cnrm.cloud.google.com
1152 resources:
1153 - '*'
1154 verbs:
1155 - get
1156 - list
1157 - watch
1158 - create
1159 - update
1160 - patch
1161 - delete
1162- apiGroups:
1163 - tags.cnrm.cloud.google.com
1164 resources:
1165 - '*'
1166 verbs:
1167 - get
1168 - list
1169 - watch
1170 - create
1171 - update
1172 - patch
1173 - delete
1174- apiGroups:
1175 - tpu.cnrm.cloud.google.com
1176 resources:
1177 - '*'
1178 verbs:
1179 - get
1180 - list
1181 - watch
1182 - create
1183 - update
1184 - patch
1185 - delete
1186- apiGroups:
1187 - vertexai.cnrm.cloud.google.com
1188 resources:
1189 - '*'
1190 verbs:
1191 - get
1192 - list
1193 - watch
1194 - create
1195 - update
1196 - patch
1197 - delete
1198- apiGroups:
1199 - vpcaccess.cnrm.cloud.google.com
1200 resources:
1201 - '*'
1202 verbs:
1203 - get
1204 - list
1205 - watch
1206 - create
1207 - update
1208 - patch
1209 - delete
1210- apiGroups:
1211 - workflows.cnrm.cloud.google.com
1212 resources:
1213 - '*'
1214 verbs:
1215 - get
1216 - list
1217 - watch
1218 - create
1219 - update
1220 - patch
1221 - delete
1222- apiGroups:
1223 - workstations.cnrm.cloud.google.com
1224 resources:
1225 - '*'
1226 verbs:
1227 - get
1228 - list
1229 - watch
1230 - create
1231 - update
1232 - patch
1233 - delete
1234---
1235apiVersion: rbac.authorization.k8s.io/v1
1236kind: ClusterRole
1237metadata:
1238 annotations:
1239 cnrm.cloud.google.com/version: 1.106.0
1240 labels:
1241 cnrm.cloud.google.com/system: "true"
1242 name: cnrm-deletiondefender-role
1243rules:
1244- apiGroups:
1245 - apiextensions.k8s.io
1246 resources:
1247 - customresourcedefinitions
1248 verbs:
1249 - get
1250 - list
1251 - watch
1252- apiGroups:
1253 - ""
1254 resources:
1255 - namespaces
1256 verbs:
1257 - get
1258 - list
1259 - watch
1260- apiGroups:
1261 - admissionregistration.k8s.io
1262 resources:
1263 - validatingwebhookconfigurations
1264 verbs:
1265 - get
1266 - list
1267 - watch
1268 - create
1269 - update
1270 - patch
1271 - delete
1272- apiGroups:
1273 - ""
1274 resources:
1275 - services
1276 verbs:
1277 - get
1278 - list
1279 - watch
1280 - create
1281 - update
1282 - patch
1283 - delete
1284---
1285apiVersion: rbac.authorization.k8s.io/v1
1286kind: ClusterRole
1287metadata:
1288 annotations:
1289 cnrm.cloud.google.com/version: 1.106.0
1290 labels:
1291 cnrm.cloud.google.com/system: "true"
1292 name: cnrm-manager-cluster-role
1293rules:
1294- apiGroups:
1295 - apiextensions.k8s.io
1296 resources:
1297 - customresourcedefinitions
1298 verbs:
1299 - get
1300 - list
1301 - watch
1302- apiGroups:
1303 - ""
1304 resources:
1305 - namespaces
1306 verbs:
1307 - get
1308 - list
1309 - watch
1310- apiGroups:
1311 - admissionregistration.k8s.io
1312 resources:
1313 - validatingwebhookconfigurations
1314 verbs:
1315 - get
1316 - list
1317 - watch
1318 - create
1319 - update
1320 - patch
1321 - delete
1322- apiGroups:
1323 - core.cnrm.cloud.google.com
1324 resources:
1325 - servicemappings
1326 verbs:
1327 - get
1328 - list
1329 - watch
1330- apiGroups:
1331 - core.cnrm.cloud.google.com
1332 resources:
1333 - '*'
1334 verbs:
1335 - get
1336 - list
1337 - watch
1338 - create
1339 - update
1340 - patch
1341 - delete
1342---
1343apiVersion: rbac.authorization.k8s.io/v1
1344kind: ClusterRole
1345metadata:
1346 annotations:
1347 cnrm.cloud.google.com/version: 1.106.0
1348 labels:
1349 cnrm.cloud.google.com/system: "true"
1350 name: cnrm-manager-ns-role
1351rules:
1352- apiGroups:
1353 - ""
1354 resources:
1355 - events
1356 - configmaps
1357 - secrets
1358 - services
1359 verbs:
1360 - get
1361 - list
1362 - watch
1363 - create
1364 - update
1365 - patch
1366 - delete
1367---
1368apiVersion: rbac.authorization.k8s.io/v1
1369kind: ClusterRole
1370metadata:
1371 annotations:
1372 cnrm.cloud.google.com/version: 1.106.0
1373 labels:
1374 cnrm.cloud.google.com/system: "true"
1375 name: cnrm-recorder-role
1376rules:
1377- apiGroups:
1378 - ""
1379 resources:
1380 - namespaces
1381 verbs:
1382 - get
1383 - list
1384 - watch
1385- apiGroups:
1386 - apiextensions.k8s.io
1387 resources:
1388 - customresourcedefinitions
1389 verbs:
1390 - get
1391 - list
1392 - watch
1393 - create
1394 - update
1395 - patch
1396 - delete
1397---
1398apiVersion: rbac.authorization.k8s.io/v1
1399kind: ClusterRole
1400metadata:
1401 annotations:
1402 cnrm.cloud.google.com/version: 1.106.0
1403 creationTimestamp: null
1404 labels:
1405 cnrm.cloud.google.com/system: "true"
1406 rbac.authorization.k8s.io/aggregate-to-view: "true"
1407 name: cnrm-viewer
1408rules:
1409- apiGroups:
1410 - accesscontextmanager.cnrm.cloud.google.com
1411 resources:
1412 - '*'
1413 verbs:
1414 - get
1415 - list
1416 - watch
1417- apiGroups:
1418 - alloydb.cnrm.cloud.google.com
1419 resources:
1420 - '*'
1421 verbs:
1422 - get
1423 - list
1424 - watch
1425- apiGroups:
1426 - apigateway.cnrm.cloud.google.com
1427 resources:
1428 - '*'
1429 verbs:
1430 - get
1431 - list
1432 - watch
1433- apiGroups:
1434 - apigee.cnrm.cloud.google.com
1435 resources:
1436 - '*'
1437 verbs:
1438 - get
1439 - list
1440 - watch
1441- apiGroups:
1442 - appengine.cnrm.cloud.google.com
1443 resources:
1444 - '*'
1445 verbs:
1446 - get
1447 - list
1448 - watch
1449- apiGroups:
1450 - artifactregistry.cnrm.cloud.google.com
1451 resources:
1452 - '*'
1453 verbs:
1454 - get
1455 - list
1456 - watch
1457- apiGroups:
1458 - beyondcorp.cnrm.cloud.google.com
1459 resources:
1460 - '*'
1461 verbs:
1462 - get
1463 - list
1464 - watch
1465- apiGroups:
1466 - bigquery.cnrm.cloud.google.com
1467 resources:
1468 - '*'
1469 verbs:
1470 - get
1471 - list
1472 - watch
1473- apiGroups:
1474 - bigqueryanalyticshub.cnrm.cloud.google.com
1475 resources:
1476 - '*'
1477 verbs:
1478 - get
1479 - list
1480 - watch
1481- apiGroups:
1482 - bigqueryconnection.cnrm.cloud.google.com
1483 resources:
1484 - '*'
1485 verbs:
1486 - get
1487 - list
1488 - watch
1489- apiGroups:
1490 - bigquerydatapolicy.cnrm.cloud.google.com
1491 resources:
1492 - '*'
1493 verbs:
1494 - get
1495 - list
1496 - watch
1497- apiGroups:
1498 - bigquerydatatransfer.cnrm.cloud.google.com
1499 resources:
1500 - '*'
1501 verbs:
1502 - get
1503 - list
1504 - watch
1505- apiGroups:
1506 - bigqueryreservation.cnrm.cloud.google.com
1507 resources:
1508 - '*'
1509 verbs:
1510 - get
1511 - list
1512 - watch
1513- apiGroups:
1514 - bigtable.cnrm.cloud.google.com
1515 resources:
1516 - '*'
1517 verbs:
1518 - get
1519 - list
1520 - watch
1521- apiGroups:
1522 - billingbudgets.cnrm.cloud.google.com
1523 resources:
1524 - '*'
1525 verbs:
1526 - get
1527 - list
1528 - watch
1529- apiGroups:
1530 - binaryauthorization.cnrm.cloud.google.com
1531 resources:
1532 - '*'
1533 verbs:
1534 - get
1535 - list
1536 - watch
1537- apiGroups:
1538 - certificatemanager.cnrm.cloud.google.com
1539 resources:
1540 - '*'
1541 verbs:
1542 - get
1543 - list
1544 - watch
1545- apiGroups:
1546 - cloudasset.cnrm.cloud.google.com
1547 resources:
1548 - '*'
1549 verbs:
1550 - get
1551 - list
1552 - watch
1553- apiGroups:
1554 - cloudbuild.cnrm.cloud.google.com
1555 resources:
1556 - '*'
1557 verbs:
1558 - get
1559 - list
1560 - watch
1561- apiGroups:
1562 - cloudfunctions.cnrm.cloud.google.com
1563 resources:
1564 - '*'
1565 verbs:
1566 - get
1567 - list
1568 - watch
1569- apiGroups:
1570 - cloudfunctions2.cnrm.cloud.google.com
1571 resources:
1572 - '*'
1573 verbs:
1574 - get
1575 - list
1576 - watch
1577- apiGroups:
1578 - cloudidentity.cnrm.cloud.google.com
1579 resources:
1580 - '*'
1581 verbs:
1582 - get
1583 - list
1584 - watch
1585- apiGroups:
1586 - cloudids.cnrm.cloud.google.com
1587 resources:
1588 - '*'
1589 verbs:
1590 - get
1591 - list
1592 - watch
1593- apiGroups:
1594 - cloudiot.cnrm.cloud.google.com
1595 resources:
1596 - '*'
1597 verbs:
1598 - get
1599 - list
1600 - watch
1601- apiGroups:
1602 - cloudscheduler.cnrm.cloud.google.com
1603 resources:
1604 - '*'
1605 verbs:
1606 - get
1607 - list
1608 - watch
1609- apiGroups:
1610 - cloudtasks.cnrm.cloud.google.com
1611 resources:
1612 - '*'
1613 verbs:
1614 - get
1615 - list
1616 - watch
1617- apiGroups:
1618 - compute.cnrm.cloud.google.com
1619 resources:
1620 - '*'
1621 verbs:
1622 - get
1623 - list
1624 - watch
1625- apiGroups:
1626 - configcontroller.cnrm.cloud.google.com
1627 resources:
1628 - '*'
1629 verbs:
1630 - get
1631 - list
1632 - watch
1633- apiGroups:
1634 - container.cnrm.cloud.google.com
1635 resources:
1636 - '*'
1637 verbs:
1638 - get
1639 - list
1640 - watch
1641- apiGroups:
1642 - containeranalysis.cnrm.cloud.google.com
1643 resources:
1644 - '*'
1645 verbs:
1646 - get
1647 - list
1648 - watch
1649- apiGroups:
1650 - datacatalog.cnrm.cloud.google.com
1651 resources:
1652 - '*'
1653 verbs:
1654 - get
1655 - list
1656 - watch
1657- apiGroups:
1658 - dataflow.cnrm.cloud.google.com
1659 resources:
1660 - '*'
1661 verbs:
1662 - get
1663 - list
1664 - watch
1665- apiGroups:
1666 - dataform.cnrm.cloud.google.com
1667 resources:
1668 - '*'
1669 verbs:
1670 - get
1671 - list
1672 - watch
1673- apiGroups:
1674 - datafusion.cnrm.cloud.google.com
1675 resources:
1676 - '*'
1677 verbs:
1678 - get
1679 - list
1680 - watch
1681- apiGroups:
1682 - dataproc.cnrm.cloud.google.com
1683 resources:
1684 - '*'
1685 verbs:
1686 - get
1687 - list
1688 - watch
1689- apiGroups:
1690 - datastore.cnrm.cloud.google.com
1691 resources:
1692 - '*'
1693 verbs:
1694 - get
1695 - list
1696 - watch
1697- apiGroups:
1698 - datastream.cnrm.cloud.google.com
1699 resources:
1700 - '*'
1701 verbs:
1702 - get
1703 - list
1704 - watch
1705- apiGroups:
1706 - deploymentmanager.cnrm.cloud.google.com
1707 resources:
1708 - '*'
1709 verbs:
1710 - get
1711 - list
1712 - watch
1713- apiGroups:
1714 - dialogflow.cnrm.cloud.google.com
1715 resources:
1716 - '*'
1717 verbs:
1718 - get
1719 - list
1720 - watch
1721- apiGroups:
1722 - dialogflowcx.cnrm.cloud.google.com
1723 resources:
1724 - '*'
1725 verbs:
1726 - get
1727 - list
1728 - watch
1729- apiGroups:
1730 - dlp.cnrm.cloud.google.com
1731 resources:
1732 - '*'
1733 verbs:
1734 - get
1735 - list
1736 - watch
1737- apiGroups:
1738 - dns.cnrm.cloud.google.com
1739 resources:
1740 - '*'
1741 verbs:
1742 - get
1743 - list
1744 - watch
1745- apiGroups:
1746 - documentai.cnrm.cloud.google.com
1747 resources:
1748 - '*'
1749 verbs:
1750 - get
1751 - list
1752 - watch
1753- apiGroups:
1754 - essentialcontacts.cnrm.cloud.google.com
1755 resources:
1756 - '*'
1757 verbs:
1758 - get
1759 - list
1760 - watch
1761- apiGroups:
1762 - eventarc.cnrm.cloud.google.com
1763 resources:
1764 - '*'
1765 verbs:
1766 - get
1767 - list
1768 - watch
1769- apiGroups:
1770 - filestore.cnrm.cloud.google.com
1771 resources:
1772 - '*'
1773 verbs:
1774 - get
1775 - list
1776 - watch
1777- apiGroups:
1778 - firebase.cnrm.cloud.google.com
1779 resources:
1780 - '*'
1781 verbs:
1782 - get
1783 - list
1784 - watch
1785- apiGroups:
1786 - firebasedatabase.cnrm.cloud.google.com
1787 resources:
1788 - '*'
1789 verbs:
1790 - get
1791 - list
1792 - watch
1793- apiGroups:
1794 - firebasehosting.cnrm.cloud.google.com
1795 resources:
1796 - '*'
1797 verbs:
1798 - get
1799 - list
1800 - watch
1801- apiGroups:
1802 - firebasestorage.cnrm.cloud.google.com
1803 resources:
1804 - '*'
1805 verbs:
1806 - get
1807 - list
1808 - watch
1809- apiGroups:
1810 - firestore.cnrm.cloud.google.com
1811 resources:
1812 - '*'
1813 verbs:
1814 - get
1815 - list
1816 - watch
1817- apiGroups:
1818 - gkebackup.cnrm.cloud.google.com
1819 resources:
1820 - '*'
1821 verbs:
1822 - get
1823 - list
1824 - watch
1825- apiGroups:
1826 - gkehub.cnrm.cloud.google.com
1827 resources:
1828 - '*'
1829 verbs:
1830 - get
1831 - list
1832 - watch
1833- apiGroups:
1834 - healthcare.cnrm.cloud.google.com
1835 resources:
1836 - '*'
1837 verbs:
1838 - get
1839 - list
1840 - watch
1841- apiGroups:
1842 - iam.cnrm.cloud.google.com
1843 resources:
1844 - '*'
1845 verbs:
1846 - get
1847 - list
1848 - watch
1849- apiGroups:
1850 - iap.cnrm.cloud.google.com
1851 resources:
1852 - '*'
1853 verbs:
1854 - get
1855 - list
1856 - watch
1857- apiGroups:
1858 - identityplatform.cnrm.cloud.google.com
1859 resources:
1860 - '*'
1861 verbs:
1862 - get
1863 - list
1864 - watch
1865- apiGroups:
1866 - kms.cnrm.cloud.google.com
1867 resources:
1868 - '*'
1869 verbs:
1870 - get
1871 - list
1872 - watch
1873- apiGroups:
1874 - logging.cnrm.cloud.google.com
1875 resources:
1876 - '*'
1877 verbs:
1878 - get
1879 - list
1880 - watch
1881- apiGroups:
1882 - memcache.cnrm.cloud.google.com
1883 resources:
1884 - '*'
1885 verbs:
1886 - get
1887 - list
1888 - watch
1889- apiGroups:
1890 - mlengine.cnrm.cloud.google.com
1891 resources:
1892 - '*'
1893 verbs:
1894 - get
1895 - list
1896 - watch
1897- apiGroups:
1898 - monitoring.cnrm.cloud.google.com
1899 resources:
1900 - '*'
1901 verbs:
1902 - get
1903 - list
1904 - watch
1905- apiGroups:
1906 - networkconnectivity.cnrm.cloud.google.com
1907 resources:
1908 - '*'
1909 verbs:
1910 - get
1911 - list
1912 - watch
1913- apiGroups:
1914 - networkmanagement.cnrm.cloud.google.com
1915 resources:
1916 - '*'
1917 verbs:
1918 - get
1919 - list
1920 - watch
1921- apiGroups:
1922 - networksecurity.cnrm.cloud.google.com
1923 resources:
1924 - '*'
1925 verbs:
1926 - get
1927 - list
1928 - watch
1929- apiGroups:
1930 - networkservices.cnrm.cloud.google.com
1931 resources:
1932 - '*'
1933 verbs:
1934 - get
1935 - list
1936 - watch
1937- apiGroups:
1938 - notebooks.cnrm.cloud.google.com
1939 resources:
1940 - '*'
1941 verbs:
1942 - get
1943 - list
1944 - watch
1945- apiGroups:
1946 - orgpolicy.cnrm.cloud.google.com
1947 resources:
1948 - '*'
1949 verbs:
1950 - get
1951 - list
1952 - watch
1953- apiGroups:
1954 - osconfig.cnrm.cloud.google.com
1955 resources:
1956 - '*'
1957 verbs:
1958 - get
1959 - list
1960 - watch
1961- apiGroups:
1962 - oslogin.cnrm.cloud.google.com
1963 resources:
1964 - '*'
1965 verbs:
1966 - get
1967 - list
1968 - watch
1969- apiGroups:
1970 - privateca.cnrm.cloud.google.com
1971 resources:
1972 - '*'
1973 verbs:
1974 - get
1975 - list
1976 - watch
1977- apiGroups:
1978 - pubsub.cnrm.cloud.google.com
1979 resources:
1980 - '*'
1981 verbs:
1982 - get
1983 - list
1984 - watch
1985- apiGroups:
1986 - pubsublite.cnrm.cloud.google.com
1987 resources:
1988 - '*'
1989 verbs:
1990 - get
1991 - list
1992 - watch
1993- apiGroups:
1994 - recaptchaenterprise.cnrm.cloud.google.com
1995 resources:
1996 - '*'
1997 verbs:
1998 - get
1999 - list
2000 - watch
2001- apiGroups:
2002 - redis.cnrm.cloud.google.com
2003 resources:
2004 - '*'
2005 verbs:
2006 - get
2007 - list
2008 - watch
2009- apiGroups:
2010 - resourcemanager.cnrm.cloud.google.com
2011 resources:
2012 - '*'
2013 verbs:
2014 - get
2015 - list
2016 - watch
2017- apiGroups:
2018 - run.cnrm.cloud.google.com
2019 resources:
2020 - '*'
2021 verbs:
2022 - get
2023 - list
2024 - watch
2025- apiGroups:
2026 - secretmanager.cnrm.cloud.google.com
2027 resources:
2028 - '*'
2029 verbs:
2030 - get
2031 - list
2032 - watch
2033- apiGroups:
2034 - securitycenter.cnrm.cloud.google.com
2035 resources:
2036 - '*'
2037 verbs:
2038 - get
2039 - list
2040 - watch
2041- apiGroups:
2042 - servicedirectory.cnrm.cloud.google.com
2043 resources:
2044 - '*'
2045 verbs:
2046 - get
2047 - list
2048 - watch
2049- apiGroups:
2050 - servicenetworking.cnrm.cloud.google.com
2051 resources:
2052 - '*'
2053 verbs:
2054 - get
2055 - list
2056 - watch
2057- apiGroups:
2058 - serviceusage.cnrm.cloud.google.com
2059 resources:
2060 - '*'
2061 verbs:
2062 - get
2063 - list
2064 - watch
2065- apiGroups:
2066 - sourcerepo.cnrm.cloud.google.com
2067 resources:
2068 - '*'
2069 verbs:
2070 - get
2071 - list
2072 - watch
2073- apiGroups:
2074 - spanner.cnrm.cloud.google.com
2075 resources:
2076 - '*'
2077 verbs:
2078 - get
2079 - list
2080 - watch
2081- apiGroups:
2082 - sql.cnrm.cloud.google.com
2083 resources:
2084 - '*'
2085 verbs:
2086 - get
2087 - list
2088 - watch
2089- apiGroups:
2090 - storage.cnrm.cloud.google.com
2091 resources:
2092 - '*'
2093 verbs:
2094 - get
2095 - list
2096 - watch
2097- apiGroups:
2098 - storagetransfer.cnrm.cloud.google.com
2099 resources:
2100 - '*'
2101 verbs:
2102 - get
2103 - list
2104 - watch
2105- apiGroups:
2106 - tags.cnrm.cloud.google.com
2107 resources:
2108 - '*'
2109 verbs:
2110 - get
2111 - list
2112 - watch
2113- apiGroups:
2114 - tpu.cnrm.cloud.google.com
2115 resources:
2116 - '*'
2117 verbs:
2118 - get
2119 - list
2120 - watch
2121- apiGroups:
2122 - vertexai.cnrm.cloud.google.com
2123 resources:
2124 - '*'
2125 verbs:
2126 - get
2127 - list
2128 - watch
2129- apiGroups:
2130 - vpcaccess.cnrm.cloud.google.com
2131 resources:
2132 - '*'
2133 verbs:
2134 - get
2135 - list
2136 - watch
2137- apiGroups:
2138 - workflows.cnrm.cloud.google.com
2139 resources:
2140 - '*'
2141 verbs:
2142 - get
2143 - list
2144 - watch
2145- apiGroups:
2146 - workstations.cnrm.cloud.google.com
2147 resources:
2148 - '*'
2149 verbs:
2150 - get
2151 - list
2152 - watch
2153---
2154apiVersion: rbac.authorization.k8s.io/v1
2155kind: ClusterRole
2156metadata:
2157 annotations:
2158 cnrm.cloud.google.com/version: 1.106.0
2159 labels:
2160 cnrm.cloud.google.com/system: "true"
2161 name: cnrm-webhook-role
2162rules:
2163- apiGroups:
2164 - admissionregistration.k8s.io
2165 resources:
2166 - validatingwebhookconfigurations
2167 - mutatingwebhookconfigurations
2168 verbs:
2169 - get
2170 - list
2171 - watch
2172 - create
2173 - update
2174 - patch
2175 - delete
2176- apiGroups:
2177 - core.cnrm.cloud.google.com
2178 resources:
2179 - servicemappings
2180 verbs:
2181 - get
2182 - list
2183 - watch
2184 - create
2185 - update
2186 - patch
2187 - delete
2188- apiGroups:
2189 - ""
2190 resources:
2191 - services
2192 verbs:
2193 - get
2194 - list
2195 - watch
2196 - create
2197 - update
2198 - patch
2199 - delete
2200- apiGroups:
2201 - apiextensions.k8s.io
2202 resources:
2203 - customresourcedefinitions
2204 verbs:
2205 - get
2206 - list
2207 - watch
2208- apiGroups:
2209 - ""
2210 resources:
2211 - namespaces
2212 verbs:
2213 - get
2214 - list
2215 - watch
2216---
2217apiVersion: rbac.authorization.k8s.io/v1
2218kind: RoleBinding
2219metadata:
2220 annotations:
2221 cnrm.cloud.google.com/version: 1.106.0
2222 labels:
2223 cnrm.cloud.google.com/system: "true"
2224 name: cnrm-deletiondefender-role-binding
2225 namespace: cnrm-system
2226roleRef:
2227 apiGroup: rbac.authorization.k8s.io
2228 kind: Role
2229 name: cnrm-deletiondefender-cnrm-system-role
2230subjects:
2231- kind: ServiceAccount
2232 name: cnrm-deletiondefender
2233 namespace: cnrm-system
2234---
2235apiVersion: rbac.authorization.k8s.io/v1
2236kind: RoleBinding
2237metadata:
2238 annotations:
2239 cnrm.cloud.google.com/version: 1.106.0
2240 labels:
2241 cnrm.cloud.google.com/system: "true"
2242 name: cnrm-webhook-role-binding
2243 namespace: cnrm-system
2244roleRef:
2245 apiGroup: rbac.authorization.k8s.io
2246 kind: Role
2247 name: cnrm-webhook-cnrm-system-role
2248subjects:
2249- kind: ServiceAccount
2250 name: cnrm-webhook-manager
2251 namespace: cnrm-system
2252---
2253apiVersion: rbac.authorization.k8s.io/v1
2254kind: ClusterRoleBinding
2255metadata:
2256 annotations:
2257 cnrm.cloud.google.com/version: 1.106.0
2258 labels:
2259 cnrm.cloud.google.com/system: "true"
2260 name: cnrm-admin-binding
2261roleRef:
2262 apiGroup: rbac.authorization.k8s.io
2263 kind: ClusterRole
2264 name: cnrm-admin
2265subjects:
2266- kind: ServiceAccount
2267 name: cnrm-controller-manager
2268 namespace: cnrm-system
2269- kind: ServiceAccount
2270 name: cnrm-resource-stats-recorder
2271 namespace: cnrm-system
2272- kind: ServiceAccount
2273 name: cnrm-deletiondefender
2274 namespace: cnrm-system
2275---
2276apiVersion: rbac.authorization.k8s.io/v1
2277kind: ClusterRoleBinding
2278metadata:
2279 annotations:
2280 cnrm.cloud.google.com/version: 1.106.0
2281 labels:
2282 cnrm.cloud.google.com/system: "true"
2283 name: cnrm-deletiondefender-binding
2284roleRef:
2285 apiGroup: rbac.authorization.k8s.io
2286 kind: ClusterRole
2287 name: cnrm-deletiondefender-role
2288subjects:
2289- kind: ServiceAccount
2290 name: cnrm-deletiondefender
2291 namespace: cnrm-system
2292---
2293apiVersion: rbac.authorization.k8s.io/v1
2294kind: ClusterRoleBinding
2295metadata:
2296 annotations:
2297 cnrm.cloud.google.com/version: 1.106.0
2298 labels:
2299 cnrm.cloud.google.com/system: "true"
2300 name: cnrm-manager-binding
2301roleRef:
2302 apiGroup: rbac.authorization.k8s.io
2303 kind: ClusterRole
2304 name: cnrm-manager-cluster-role
2305subjects:
2306- kind: ServiceAccount
2307 name: cnrm-controller-manager
2308 namespace: cnrm-system
2309---
2310apiVersion: rbac.authorization.k8s.io/v1
2311kind: ClusterRoleBinding
2312metadata:
2313 annotations:
2314 cnrm.cloud.google.com/version: 1.106.0
2315 labels:
2316 cnrm.cloud.google.com/system: "true"
2317 name: cnrm-manager-watcher-binding
2318roleRef:
2319 apiGroup: rbac.authorization.k8s.io
2320 kind: ClusterRole
2321 name: cnrm-manager-ns-role
2322subjects:
2323- kind: ServiceAccount
2324 name: cnrm-controller-manager
2325 namespace: cnrm-system
2326---
2327apiVersion: rbac.authorization.k8s.io/v1
2328kind: ClusterRoleBinding
2329metadata:
2330 annotations:
2331 cnrm.cloud.google.com/version: 1.106.0
2332 labels:
2333 cnrm.cloud.google.com/system: "true"
2334 name: cnrm-recorder-binding
2335roleRef:
2336 apiGroup: rbac.authorization.k8s.io
2337 kind: ClusterRole
2338 name: cnrm-recorder-role
2339subjects:
2340- kind: ServiceAccount
2341 name: cnrm-resource-stats-recorder
2342 namespace: cnrm-system
2343---
2344apiVersion: rbac.authorization.k8s.io/v1
2345kind: ClusterRoleBinding
2346metadata:
2347 annotations:
2348 cnrm.cloud.google.com/version: 1.106.0
2349 labels:
2350 cnrm.cloud.google.com/system: "true"
2351 name: cnrm-webhook-binding
2352roleRef:
2353 apiGroup: rbac.authorization.k8s.io
2354 kind: ClusterRole
2355 name: cnrm-webhook-role
2356subjects:
2357- kind: ServiceAccount
2358 name: cnrm-webhook-manager
2359 namespace: cnrm-system
2360---
2361apiVersion: v1
2362kind: Service
2363metadata:
2364 annotations:
2365 cnrm.cloud.google.com/version: 1.106.0
2366 labels:
2367 cnrm.cloud.google.com/system: "true"
2368 name: cnrm-deletiondefender
2369 namespace: cnrm-system
2370spec:
2371 ports:
2372 - name: deletiondefender
2373 port: 443
2374 selector:
2375 cnrm.cloud.google.com/component: cnrm-deletiondefender
2376 cnrm.cloud.google.com/system: "true"
2377---
2378apiVersion: v1
2379kind: Service
2380metadata:
2381 annotations:
2382 cnrm.cloud.google.com/version: 1.106.0
2383 prometheus.io/port: "8888"
2384 prometheus.io/scrape: "true"
2385 labels:
2386 cnrm.cloud.google.com/monitored: "true"
2387 cnrm.cloud.google.com/system: "true"
2388 name: cnrm-manager
2389 namespace: cnrm-system
2390spec:
2391 ports:
2392 - name: controller-manager
2393 port: 443
2394 - name: metrics
2395 port: 8888
2396 selector:
2397 cnrm.cloud.google.com/component: cnrm-controller-manager
2398 cnrm.cloud.google.com/system: "true"
2399---
2400apiVersion: v1
2401kind: Service
2402metadata:
2403 annotations:
2404 cnrm.cloud.google.com/version: 1.106.0
2405 prometheus.io/port: "48797"
2406 prometheus.io/scrape: "true"
2407 labels:
2408 cnrm.cloud.google.com/monitored: "true"
2409 cnrm.cloud.google.com/system: "true"
2410 name: cnrm-resource-stats-recorder-service
2411 namespace: cnrm-system
2412spec:
2413 ports:
2414 - name: metrics
2415 port: 8888
2416 targetPort: 48797
2417 selector:
2418 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2419 cnrm.cloud.google.com/system: "true"
2420---
2421apiVersion: apps/v1
2422kind: Deployment
2423metadata:
2424 annotations:
2425 cnrm.cloud.google.com/version: 1.106.0
2426 labels:
2427 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2428 cnrm.cloud.google.com/system: "true"
2429 name: cnrm-resource-stats-recorder
2430 namespace: cnrm-system
2431spec:
2432 replicas: 1
2433 revisionHistoryLimit: 1
2434 selector:
2435 matchLabels:
2436 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2437 cnrm.cloud.google.com/system: "true"
2438 strategy:
2439 type: Recreate
2440 template:
2441 metadata:
2442 annotations:
2443 cnrm.cloud.google.com/version: 1.106.0
2444 labels:
2445 cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
2446 cnrm.cloud.google.com/system: "true"
2447 spec:
2448 containers:
2449 - args:
2450 - --prometheus-scrape-endpoint=:48797
2451 - --metric-interval=60
2452 command:
2453 - /configconnector/recorder
2454 env:
2455 - name: CONFIG_CONNECTOR_VERSION
2456 value: 1.106.0
2457 image: gcr.io/cnrm-eap/recorder:2b4f8d7
2458 imagePullPolicy: Always
2459 name: recorder
2460 ports:
2461 - containerPort: 48797
2462 hostPort: 48797
2463 protocol: TCP
2464 - containerPort: 23232
2465 readinessProbe:
2466 httpGet:
2467 path: /ready
2468 port: 23232
2469 initialDelaySeconds: 7
2470 periodSeconds: 3
2471 resources:
2472 limits:
2473 memory: 64Mi
2474 requests:
2475 cpu: 20m
2476 memory: 64Mi
2477 securityContext:
2478 allowPrivilegeEscalation: false
2479 privileged: false
2480 runAsNonRoot: true
2481 runAsUser: 1000
2482 enableServiceLinks: false
2483 hostNetwork: true
2484 serviceAccountName: cnrm-resource-stats-recorder
2485 terminationGracePeriodSeconds: 10
2486---
2487apiVersion: apps/v1
2488kind: Deployment
2489metadata:
2490 annotations:
2491 cnrm.cloud.google.com/version: 1.106.0
2492 labels:
2493 cnrm.cloud.google.com/component: cnrm-webhook-manager
2494 cnrm.cloud.google.com/system: "true"
2495 name: cnrm-webhook-manager
2496 namespace: cnrm-system
2497spec:
2498 revisionHistoryLimit: 1
2499 selector:
2500 matchLabels:
2501 cnrm.cloud.google.com/component: cnrm-webhook-manager
2502 cnrm.cloud.google.com/system: "true"
2503 template:
2504 metadata:
2505 annotations:
2506 cnrm.cloud.google.com/version: 1.106.0
2507 labels:
2508 cnrm.cloud.google.com/component: cnrm-webhook-manager
2509 cnrm.cloud.google.com/system: "true"
2510 spec:
2511 containers:
2512 - command:
2513 - /configconnector/webhook
2514 env:
2515 - name: NAMESPACE
2516 valueFrom:
2517 fieldRef:
2518 fieldPath: metadata.namespace
2519 image: gcr.io/cnrm-eap/webhook:2b4f8d7
2520 imagePullPolicy: Always
2521 name: webhook
2522 ports:
2523 - containerPort: 23232
2524 readinessProbe:
2525 httpGet:
2526 path: /ready
2527 port: 23232
2528 initialDelaySeconds: 7
2529 periodSeconds: 3
2530 resources:
2531 limits:
2532 memory: 128Mi
2533 requests:
2534 cpu: 250m
2535 memory: 128Mi
2536 securityContext:
2537 allowPrivilegeEscalation: false
2538 privileged: false
2539 runAsNonRoot: true
2540 runAsUser: 1000
2541 enableServiceLinks: false
2542 serviceAccountName: cnrm-webhook-manager
2543 terminationGracePeriodSeconds: 10
2544---
2545apiVersion: apps/v1
2546kind: StatefulSet
2547metadata:
2548 annotations:
2549 cnrm.cloud.google.com/version: 1.106.0
2550 labels:
2551 cnrm.cloud.google.com/component: cnrm-controller-manager
2552 cnrm.cloud.google.com/system: "true"
2553 name: cnrm-controller-manager
2554 namespace: cnrm-system
2555spec:
2556 selector:
2557 matchLabels:
2558 cnrm.cloud.google.com/component: cnrm-controller-manager
2559 cnrm.cloud.google.com/system: "true"
2560 serviceName: cnrm-manager
2561 template:
2562 metadata:
2563 annotations:
2564 cnrm.cloud.google.com/version: 1.106.0
2565 labels:
2566 cnrm.cloud.google.com/component: cnrm-controller-manager
2567 cnrm.cloud.google.com/system: "true"
2568 spec:
2569 containers:
2570 - args:
2571 - --prometheus-scrape-endpoint=:8888
2572 command:
2573 - /configconnector/manager
2574 env:
2575 - name: GOOGLE_APPLICATION_CREDENTIALS
2576 value: /var/secrets/google/key.json
2577 image: gcr.io/cnrm-eap/controller:2b4f8d7
2578 imagePullPolicy: Always
2579 name: manager
2580 ports:
2581 - containerPort: 23232
2582 readinessProbe:
2583 httpGet:
2584 path: /ready
2585 port: 23232
2586 initialDelaySeconds: 7
2587 periodSeconds: 3
2588 resources:
2589 limits:
2590 memory: 512Mi
2591 requests:
2592 cpu: 100m
2593 memory: 512Mi
2594 securityContext:
2595 allowPrivilegeEscalation: false
2596 privileged: false
2597 runAsNonRoot: true
2598 runAsUser: 1000
2599 volumeMounts:
2600 - mountPath: /var/secrets/google
2601 name: gcp-service-account
2602 enableServiceLinks: false
2603 serviceAccountName: cnrm-controller-manager
2604 terminationGracePeriodSeconds: 10
2605 volumes:
2606 - name: gcp-service-account
2607 secret:
2608 secretName: gcp-key
2609---
2610apiVersion: apps/v1
2611kind: StatefulSet
2612metadata:
2613 annotations:
2614 cnrm.cloud.google.com/version: 1.106.0
2615 labels:
2616 cnrm.cloud.google.com/component: cnrm-deletiondefender
2617 cnrm.cloud.google.com/system: "true"
2618 name: cnrm-deletiondefender
2619 namespace: cnrm-system
2620spec:
2621 selector:
2622 matchLabels:
2623 cnrm.cloud.google.com/component: cnrm-deletiondefender
2624 cnrm.cloud.google.com/system: "true"
2625 serviceName: cnrm-deletiondefender
2626 template:
2627 metadata:
2628 annotations:
2629 cnrm.cloud.google.com/version: 1.106.0
2630 labels:
2631 cnrm.cloud.google.com/component: cnrm-deletiondefender
2632 cnrm.cloud.google.com/system: "true"
2633 spec:
2634 containers:
2635 - command:
2636 - /configconnector/deletiondefender
2637 image: gcr.io/cnrm-eap/deletiondefender:2b4f8d7
2638 imagePullPolicy: Always
2639 name: deletiondefender
2640 ports:
2641 - containerPort: 23232
2642 readinessProbe:
2643 httpGet:
2644 path: /ready
2645 port: 23232
2646 initialDelaySeconds: 7
2647 periodSeconds: 3
2648 resources:
2649 limits:
2650 memory: 1Gi
2651 requests:
2652 cpu: 250m
2653 memory: 1Gi
2654 securityContext:
2655 allowPrivilegeEscalation: false
2656 privileged: false
2657 runAsNonRoot: true
2658 runAsUser: 1000
2659 enableServiceLinks: false
2660 serviceAccountName: cnrm-deletiondefender
2661 terminationGracePeriodSeconds: 10
2662---
2663apiVersion: autoscaling/v1
2664kind: HorizontalPodAutoscaler
2665metadata:
2666 annotations:
2667 autoscaling.alpha.kubernetes.io/metrics: '[{"type":"Resource","resource":{"name":"memory","targetAverageUtilization":70}}]'
2668 cnrm.cloud.google.com/version: 1.106.0
2669 labels:
2670 cnrm.cloud.google.com/system: "true"
2671 name: cnrm-webhook
2672 namespace: cnrm-system
2673spec:
2674 maxReplicas: 20
2675 minReplicas: 2
2676 scaleTargetRef:
2677 apiVersion: apps/v1
2678 kind: Deployment
2679 name: cnrm-webhook-manager
2680 targetCPUUtilizationPercentage: 90
View as plain text