
Text file src/github.com/linkerd/linkerd2/charts/linkerd-control-plane/templates/proxy-injector-rbac.yaml

Documentation: github.com/linkerd/linkerd2/charts/linkerd-control-plane/templates

     1---
     2###
     3### Proxy Injector RBAC
     4###
     5kind: ClusterRole
     6apiVersion: rbac.authorization.k8s.io/v1
     7metadata:
     8  name: linkerd-{{.Release.Namespace}}-proxy-injector
     9  labels:
    10    linkerd.io/control-plane-component: proxy-injector
    11    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    12    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    13rules:
    14- apiGroups: [""]
    15  resources: ["events"]
    16  verbs: ["create", "patch"]
    17- apiGroups: [""]
    18  resources: ["namespaces", "replicationcontrollers"]
    19  verbs: ["list", "get", "watch"]
    20- apiGroups: [""]
    21  resources: ["pods"]
    22  verbs: ["list", "watch"]
    23- apiGroups: ["extensions", "apps"]
    24  resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
    25  verbs: ["list", "get", "watch"]
    26- apiGroups: ["extensions", "batch"]
    27  resources: ["cronjobs", "jobs"]
    28  verbs: ["list", "get", "watch"]
    29---
    30kind: ClusterRoleBinding
    31apiVersion: rbac.authorization.k8s.io/v1
    32metadata:
    33  name: linkerd-{{.Release.Namespace}}-proxy-injector
    34  labels:
    35    linkerd.io/control-plane-component: proxy-injector
    36    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    37    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    38subjects:
    39- kind: ServiceAccount
    40  name: linkerd-proxy-injector
    41  namespace: {{.Release.Namespace}}
    42  apiGroup: ""
    43roleRef:
    44  kind: ClusterRole
    45  name: linkerd-{{.Release.Namespace}}-proxy-injector
    46  apiGroup: rbac.authorization.k8s.io
    47---
    48kind: ServiceAccount
    49apiVersion: v1
    50metadata:
    51  name: linkerd-proxy-injector
    52  namespace: {{ .Release.Namespace }}
    53  labels:
    54    linkerd.io/control-plane-component: proxy-injector
    55    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    56    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    57{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }}
    58---
    59{{- $host := printf "linkerd-proxy-injector.%s.svc" .Release.Namespace }}
    60{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }}
    61{{- if (not .Values.proxyInjector.externalSecret) }}
    62kind: Secret
    63apiVersion: v1
    64metadata:
    65  name: linkerd-proxy-injector-k8s-tls
    66  namespace: {{ .Release.Namespace }}
    67  labels:
    68    linkerd.io/control-plane-component: proxy-injector
    69    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    70    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    71  annotations:
    72    {{ include "partials.annotations.created-by" . }}
    73type: kubernetes.io/tls
    74data:
    75  tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }}
    76  tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }}
    77---
    78{{- end }}
    79{{- include "linkerd.webhook.validation" .Values.proxyInjector }}
    80apiVersion: admissionregistration.k8s.io/v1
    81kind: MutatingWebhookConfiguration
    82metadata:
    83  name: linkerd-proxy-injector-webhook-config
    84  {{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }}
    85  annotations:
    86  {{- if .Values.proxyInjector.injectCaFrom }}
    87    cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }}
    88  {{- end }}
    89  {{- if .Values.proxyInjector.injectCaFromSecret }}
    90    cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }}
    91  {{- end }}
    92  {{- end }}
    93  labels:
    94    linkerd.io/control-plane-component: proxy-injector
    95    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    96    {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }}
    97webhooks:
    98- name: linkerd-proxy-injector.linkerd.io
    99  namespaceSelector:
   100    {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }}
   101  objectSelector:
   102    {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }}
   103  clientConfig:
   104    service:
   105      name: linkerd-proxy-injector
   106      namespace: {{ .Release.Namespace }}
   107      path: "/"
   108    {{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }}
   109    caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }}
   110    {{- end }}
   111  failurePolicy: {{.Values.webhookFailurePolicy}}
   112  admissionReviewVersions: ["v1", "v1beta1"]
   113  rules:
   114  - operations: [ "CREATE" ]
   115    apiGroups: [""]
   116    apiVersions: ["v1"]
   117    resources: ["pods", "services"]
   118    scope: "Namespaced"
   119  sideEffects: None
   120  timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }}
