# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Install manifest for the cnrm-system namespace: service accounts, RBAC,
# services and workloads for the recorder, webhook, deletiondefender and
# unmanaged-detector components (all stamped version 1.106.0).
#
# Review notes that apply to the whole file:
#   * Every workload image is referenced by tag (":2b4f8d7") with
#     imagePullPolicy: Always, so the content that runs is whatever the
#     registry serves for that tag at pull time. Pinning by digest
#     (image@sha256:<digest>) makes the deployed bytes verifiable.
#   * Every container sets allowPrivilegeEscalation: false, privileged: false,
#     runAsNonRoot: true and runAsUser: 1000. None sets
#     readOnlyRootFilesystem, capabilities.drop or seccompProfile.
#     NOTE(review): confirm whether the binaries tolerate those settings
#     before adding them.
#   * cnrm-manager-cluster-role, cnrm-manager-ns-role and cnrm-viewer have no
#     binding in this file; their effective scope depends on bindings created
#     elsewhere.
---
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-system
---
# One service account per component, so RBAC can be scoped per workload.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender
  namespace: cnrm-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-resource-stats-recorder
  namespace: cnrm-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-unmanaged-detector
  namespace: cnrm-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-manager
  namespace: cnrm-system
---
# Namespaced Secret access for deletiondefender, limited to cnrm-system.
# list and watch are not granted, so secrets cannot be enumerated with this
# role; a secret has to be addressed by name.
# NOTE(review): presumably for webhook serving certificates; confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-cnrm-system-role
  namespace: cnrm-system
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, create, update, patch, delete]
---
# Same Secret permissions as above, for the webhook manager.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-cnrm-system-role
  namespace: cnrm-system
rules:
  - apiGroups: [""]
    resources: [secrets]
    verbs: [get, create, update, patch, delete]
---
# Full read/write on every resource in each listed cnrm API group.
# The aggregate-to-admin and aggregate-to-edit labels fold these rules into
# the built-in admin and edit ClusterRoles, so any subject bound to admin or
# edit in a namespace can also create and change these resources there. That
# includes security-sensitive groups such as iam, kms, orgpolicy,
# resourcemanager and secretmanager.
# NOTE(review): the cloud-side identity that acts on these objects is not
# visible in this file; confirm that namespace editors are meant to have
# that reach.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/system: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: cnrm-admin
rules:
  - apiGroups: [accesscontextmanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [alloydb.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [apigateway.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [apigee.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [appengine.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [artifactregistry.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [beyondcorp.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [bigquery.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [bigqueryanalyticshub.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [bigqueryconnection.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [bigquerydatapolicy.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [bigquerydatatransfer.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [bigqueryreservation.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [bigtable.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [billingbudgets.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [binaryauthorization.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [certificatemanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudasset.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudbuild.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudfunctions.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudfunctions2.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudidentity.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudids.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudiot.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudscheduler.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [cloudtasks.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [compute.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [configcontroller.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [container.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [containeranalysis.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [datacatalog.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [dataflow.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [dataform.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [datafusion.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [dataproc.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [datastore.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [datastream.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [deploymentmanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [dialogflow.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [dialogflowcx.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [dlp.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [dns.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [documentai.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [essentialcontacts.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [eventarc.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [filestore.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [firebase.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [firebasedatabase.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [firebasehosting.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [firebasestorage.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [firestore.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [gkebackup.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [gkehub.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [healthcare.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [iam.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [iap.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [identityplatform.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [kms.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [logging.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [memcache.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [mlengine.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [monitoring.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [networkconnectivity.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [networkmanagement.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [networksecurity.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [networkservices.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [notebooks.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [orgpolicy.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [osconfig.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [oslogin.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [privateca.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [pubsub.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [pubsublite.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [recaptchaenterprise.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [redis.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [resourcemanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [run.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [secretmanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [securitycenter.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [servicedirectory.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [servicenetworking.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [serviceusage.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [sourcerepo.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [spanner.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [sql.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [storage.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [storagetransfer.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [tags.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [tpu.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [vertexai.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [vpcaccess.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [workflows.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [workstations.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
---
# Cluster-wide permissions for deletiondefender: read CRDs and namespaces,
# manage validating webhook configurations and core Services.
# Write access to validatingwebhookconfigurations is security-sensitive (it
# decides which admission checks run); worth covering in audit-log alerting.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-role
rules:
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list, watch, create, update, patch, delete]
---
# Cluster-scoped permissions for the manager. No binding for this role
# appears in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-cluster-role
rules:
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
  - apiGroups: [admissionregistration.k8s.io]
    resources: [validatingwebhookconfigurations]
    verbs: [get, list, watch, create, update, patch, delete]
  # Already covered by the '*' rule on the same API group below; kept as in
  # the source manifest.
  - apiGroups: [core.cnrm.cloud.google.com]
    resources: [servicemappings]
    verbs: [get, list, watch]
  - apiGroups: [core.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch, create, update, patch, delete]
---
# Read/write on events, configmaps, secrets and services, including list and
# watch on secrets. This is a ClusterRole, so its reach is set by the
# binding: a RoleBinding confines it to one namespace, a ClusterRoleBinding
# would expose every Secret in the cluster. No binding appears in this file.
# NOTE(review): confirm it is only ever bound per namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-manager-ns-role
rules:
  - apiGroups: [""]
    resources: [events, configmaps, secrets, services]
    verbs: [get, list, watch, create, update, patch, delete]
---
# Recorder permissions: read namespaces, full write on CRDs cluster-wide.
# NOTE(review): create/update/patch/delete on customresourcedefinitions is
# broad for a component named as a stats recorder; confirm it needs more
# than get/list/watch.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-recorder-role
rules:
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [get, list, watch, create, update, patch, delete]
---
# Unmanaged-detector permissions: read CRDs, list StatefulSets, emit events.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-unmanaged-detector-cluster-role
rules:
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [get, list, watch]
  - apiGroups: [apps]
    resources: [statefulsets]
    verbs: [list]
  - apiGroups: [""]
    resources: [events]
    verbs: [create, patch]
---
# Read-only counterpart of cnrm-admin over the same API groups. The
# aggregate-to-view label folds it into the built-in view ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/system: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: cnrm-viewer
rules:
  - apiGroups: [accesscontextmanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [alloydb.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [apigateway.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [apigee.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [appengine.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [artifactregistry.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [beyondcorp.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [bigquery.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [bigqueryanalyticshub.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [bigqueryconnection.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [bigquerydatapolicy.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [bigquerydatatransfer.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [bigqueryreservation.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [bigtable.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [billingbudgets.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [binaryauthorization.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [certificatemanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudasset.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudbuild.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudfunctions.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudfunctions2.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudidentity.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudids.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudiot.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudscheduler.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [cloudtasks.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [compute.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [configcontroller.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [container.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [containeranalysis.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [datacatalog.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [dataflow.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [dataform.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [datafusion.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [dataproc.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [datastore.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [datastream.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [deploymentmanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [dialogflow.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [dialogflowcx.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [dlp.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [dns.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [documentai.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [essentialcontacts.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [eventarc.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [filestore.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [firebase.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [firebasedatabase.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [firebasehosting.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [firebasestorage.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [firestore.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [gkebackup.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [gkehub.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [healthcare.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [iam.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [iap.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [identityplatform.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [kms.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [logging.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [memcache.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [mlengine.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [monitoring.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [networkconnectivity.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [networkmanagement.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [networksecurity.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [networkservices.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [notebooks.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [orgpolicy.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [osconfig.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [oslogin.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [privateca.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [pubsub.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [pubsublite.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [recaptchaenterprise.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [redis.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [resourcemanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [run.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [secretmanager.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [securitycenter.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [servicedirectory.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [servicenetworking.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [serviceusage.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [sourcerepo.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [spanner.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [sql.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [storage.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [storagetransfer.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [tags.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [tpu.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [vertexai.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [vpcaccess.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [workflows.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
  - apiGroups: [workstations.cnrm.cloud.google.com]
    resources: ['*']
    verbs: [get, list, watch]
---
# Webhook manager permissions. It can create, change and delete both
# validating and mutating webhook configurations cluster-wide, which is a
# high-impact grant: the holder of this service account's token controls
# which admission webhooks the API server calls. Changes to these objects
# are worth alerting on in audit logs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-role
rules:
  - apiGroups: [admissionregistration.k8s.io]
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [core.cnrm.cloud.google.com]
    resources: [servicemappings]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [""]
    resources: [services]
    verbs: [get, list, watch, create, update, patch, delete]
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: [get, list, watch]
  - apiGroups: [""]
    resources: [namespaces]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-role-binding
  namespace: cnrm-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnrm-deletiondefender-cnrm-system-role
subjects:
  - kind: ServiceAccount
    name: cnrm-deletiondefender
    namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-role-binding
  namespace: cnrm-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cnrm-webhook-cnrm-system-role
subjects:
  - kind: ServiceAccount
    name: cnrm-webhook-manager
    namespace: cnrm-system
---
# Grants cnrm-admin (all verbs on every cnrm API group) cluster-wide to the
# unmanaged-detector, recorder and deletiondefender service accounts.
# NOTE(review): if the recorder and unmanaged-detector only read these
# resources, cnrm-viewer would be the narrower grant; confirm against what
# the components actually do before tightening.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-admin-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-admin
subjects:
  - kind: ServiceAccount
    name: cnrm-unmanaged-detector
    namespace: cnrm-system
  - kind: ServiceAccount
    name: cnrm-resource-stats-recorder
    namespace: cnrm-system
  - kind: ServiceAccount
    name: cnrm-deletiondefender
    namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-deletiondefender-role
subjects:
  - kind: ServiceAccount
    name: cnrm-deletiondefender
    namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-recorder-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-recorder-role
subjects:
  - kind: ServiceAccount
    name: cnrm-resource-stats-recorder
    namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-unmanaged-detector-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-unmanaged-detector-cluster-role
subjects:
  - kind: ServiceAccount
    name: cnrm-unmanaged-detector
    namespace: cnrm-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-webhook-role
subjects:
  - kind: ServiceAccount
    name: cnrm-webhook-manager
    namespace: cnrm-system
---
# Governing Service for the cnrm-deletiondefender StatefulSet. No targetPort
# is set, so it defaults to the service port (443).
apiVersion: v1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender
  namespace: cnrm-system
spec:
  ports:
    - name: deletiondefender
      port: 443
  selector:
    cnrm.cloud.google.com/component: cnrm-deletiondefender
    cnrm.cloud.google.com/system: "true"
---
# Metrics Service for the recorder: port 8888 forwards to 48797 on the pod,
# and the prometheus.io annotations advertise that port for scraping.
apiVersion: v1
kind: Service
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
    prometheus.io/port: "48797"
    prometheus.io/scrape: "true"
  labels:
    cnrm.cloud.google.com/monitored: "true"
    cnrm.cloud.google.com/system: "true"
  name: cnrm-resource-stats-recorder-service
  namespace: cnrm-system
spec:
  ports:
    - name: metrics
      port: 8888
      targetPort: 48797
  selector:
    cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
    cnrm.cloud.google.com/system: "true"
---
# Recorder Deployment (single replica, Recreate strategy).
# hostNetwork: true puts the pod in the node's network namespace, so the
# metrics listener on 48797 is bound on the node itself rather than on a pod
# IP, and the pod shares the node's view of the network.
# NOTE(review): confirm node-level firewalling limits who can reach 48797;
# pod NetworkPolicy often does not cover host-network pods (CNI-dependent).
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
    cnrm.cloud.google.com/system: "true"
  name: cnrm-resource-stats-recorder
  namespace: cnrm-system
spec:
  replicas: 1
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
      cnrm.cloud.google.com/system: "true"
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: "1.106.0"
      labels:
        cnrm.cloud.google.com/component: cnrm-resource-stats-recorder
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
        - args:
            - "--prometheus-scrape-endpoint=:48797"
            - "--metric-interval=60"
          command:
            - /configconnector/recorder
          env:
            - name: CONFIG_CONNECTOR_VERSION
              value: "1.106.0"
          # Tag reference; see the file-level note on digest pinning.
          image: gcr.io/cnrm-eap/recorder:2b4f8d7
          imagePullPolicy: Always
          name: recorder
          ports:
            - containerPort: 48797
              hostPort: 48797
              protocol: TCP
            - containerPort: 23232
          readinessProbe:
            httpGet:
              path: /ready
              port: 23232
            initialDelaySeconds: 7
            periodSeconds: 3
          resources:
            limits:
              memory: 64Mi
            requests:
              cpu: 20m
              memory: 64Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
      enableServiceLinks: false
      hostNetwork: true
      serviceAccountName: cnrm-resource-stats-recorder
      terminationGracePeriodSeconds: 10
---
# Webhook manager Deployment. No replicas field is set; the cnrm-webhook
# HorizontalPodAutoscaler at the end of this file targets it.
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/component: cnrm-webhook-manager
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook-manager
  namespace: cnrm-system
spec:
  revisionHistoryLimit: 1
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-webhook-manager
      cnrm.cloud.google.com/system: "true"
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: "1.106.0"
      labels:
        cnrm.cloud.google.com/component: cnrm-webhook-manager
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
        - command:
            - /configconnector/webhook
          env:
            # Downward API: the pod's own namespace.
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Tag reference; see the file-level note on digest pinning.
          image: gcr.io/cnrm-eap/webhook:2b4f8d7
          imagePullPolicy: Always
          name: webhook
          ports:
            - containerPort: 23232
          readinessProbe:
            httpGet:
              path: /ready
              port: 23232
            initialDelaySeconds: 7
            periodSeconds: 3
          resources:
            limits:
              memory: 128Mi
            requests:
              cpu: 250m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
      enableServiceLinks: false
      serviceAccountName: cnrm-webhook-manager
      terminationGracePeriodSeconds: 10
---
# Deletiondefender StatefulSet, governed by the cnrm-deletiondefender Service.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/component: cnrm-deletiondefender
    cnrm.cloud.google.com/system: "true"
  name: cnrm-deletiondefender
  namespace: cnrm-system
spec:
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-deletiondefender
      cnrm.cloud.google.com/system: "true"
  serviceName: cnrm-deletiondefender
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: "1.106.0"
      labels:
        cnrm.cloud.google.com/component: cnrm-deletiondefender
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
        - command:
            - /configconnector/deletiondefender
          # Tag reference; see the file-level note on digest pinning.
          image: gcr.io/cnrm-eap/deletiondefender:2b4f8d7
          imagePullPolicy: Always
          name: deletiondefender
          ports:
            - containerPort: 23232
          readinessProbe:
            httpGet:
              path: /ready
              port: 23232
            initialDelaySeconds: 7
            periodSeconds: 3
          resources:
            limits:
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 1Gi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
      enableServiceLinks: false
      serviceAccountName: cnrm-deletiondefender
      terminationGracePeriodSeconds: 10
---
# Unmanaged-detector StatefulSet.
# NOTE(review): serviceName is "unmanaged-detector", but no Service with that
# name is defined in this file; confirm it is created elsewhere or that the
# name is intended.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  annotations:
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/component: cnrm-unmanaged-detector
    cnrm.cloud.google.com/system: "true"
  name: cnrm-unmanaged-detector
  namespace: cnrm-system
spec:
  selector:
    matchLabels:
      cnrm.cloud.google.com/component: cnrm-unmanaged-detector
      cnrm.cloud.google.com/system: "true"
  serviceName: unmanaged-detector
  template:
    metadata:
      annotations:
        cnrm.cloud.google.com/version: "1.106.0"
      labels:
        cnrm.cloud.google.com/component: cnrm-unmanaged-detector
        cnrm.cloud.google.com/system: "true"
    spec:
      containers:
        - command:
            - /configconnector/unmanageddetector
          # Tag reference; see the file-level note on digest pinning.
          image: gcr.io/cnrm-eap/unmanageddetector:2b4f8d7
          imagePullPolicy: Always
          name: unmanageddetector
          ports:
            - containerPort: 23232
          readinessProbe:
            httpGet:
              path: /ready
              port: 23232
            initialDelaySeconds: 7
            periodSeconds: 3
          resources:
            limits:
              memory: 1Gi
            requests:
              cpu: 250m
              memory: 512Mi
          securityContext:
            allowPrivilegeEscalation: false
            privileged: false
            runAsNonRoot: true
            runAsUser: 1000
      enableServiceLinks: false
      serviceAccountName: cnrm-unmanaged-detector
      terminationGracePeriodSeconds: 10
---
# Scales the cnrm-webhook-manager Deployment between 2 and 20 replicas on a
# 90% CPU utilization target. The alpha annotation additionally carries a
# memory metric with a 70% target.
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  annotations:
    autoscaling.alpha.kubernetes.io/metrics: '[{"type":"Resource","resource":{"name":"memory","targetAverageUtilization":70}}]'
    cnrm.cloud.google.com/version: "1.106.0"
  labels:
    cnrm.cloud.google.com/system: "true"
  name: cnrm-webhook
  namespace: cnrm-system
spec:
  maxReplicas: 20
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: cnrm-webhook-manager
  targetCPUUtilizationPercentage: 90