
Text file src/k8s.io/kubernetes/cluster/addons/calico-policy-controller/calico-clusterrole.yaml


     1kind: ClusterRole
     2apiVersion: rbac.authorization.k8s.io/v1
     3metadata:
     4  name: calico
     5  namespace: kube-system
     6  labels:
     7    addonmanager.kubernetes.io/mode: Reconcile
     8rules:
     9  # The CNI plugin needs to get pods, nodes, and namespaces.
    10  - apiGroups: [""]
    11    resources:
    12      - pods
    13      - nodes
    14      - namespaces
    15    verbs:
    16      - get
    17  # calico/node checks configmaps for cluster CIDR.
    18  - apiGroups: [""]
    19    resources:
    20      - configmaps
    21    verbs:
    22      - get
    23  - apiGroups: [""]
    24    resources:
    25      - endpoints
    26      - services
    27    verbs:
    28      # Used to discover service IPs for advertisement.
    29      - watch
    30      - list
    31      # Used to discover Typhas.
    32      - get
    33  - apiGroups: [""]
    34    resources:
    35      - nodes/status
    36    verbs:
    37      # Needed for clearing NodeNetworkUnavailable flag.
    38      - patch
    39      # Calico stores some configuration information in node annotations.
    40      - update
    41  # Watch for changes to Kubernetes NetworkPolicies.
    42  - apiGroups: ["networking.k8s.io"]
    43    resources:
    44      - networkpolicies
    45    verbs:
    46      - watch
    47      - list
    48  # Used by Calico for policy information.
    49  - apiGroups: [""]
    50    resources:
    51      - pods
    52      - namespaces
    53      - serviceaccounts
    54    verbs:
    55      - list
    56      - watch
    57  # The CNI plugin patches pods/status.
    58  - apiGroups: [""]
    59    resources:
    60      - pods/status
    61    verbs:
    62      - patch
    63  # Calico monitors various CRDs for config.
    64  # Note: Though we are not using ipam from calico, calico node still needs those permissions
    65  #       to boot.
    66  - apiGroups: ["crd.projectcalico.org"]
    67    resources:
    68      - globalfelixconfigs
    69      - felixconfigurations
    70      - bgppeers
    71      - globalbgpconfigs
    72      - bgpconfigurations
    73      - ippools
    74      - ipamblocks
    75      - globalnetworkpolicies
    76      - globalnetworksets
    77      - networkpolicies
    78      - networksets
    79      - clusterinformations
    80      - hostendpoints
    81    verbs:
    82      - get
    83      - list
    84      - watch
    85  # Calico must create and update some CRDs on startup.
    86  - apiGroups: ["crd.projectcalico.org"]
    87    resources:
    88      - ippools
    89      - felixconfigurations
    90      - clusterinformations
    91    verbs:
    92      - create
    93      - update
    94  # Calico stores some configuration information on the node.
    95  - apiGroups: [""]
    96    resources:
    97      - nodes
    98    verbs:
    99      - get
   100      - list
   101      - watch
   102  # These permissions are only required for upgrade from v2.6, and can
   103  # be removed after upgrade or on fresh installations.
   104  - apiGroups: ["crd.projectcalico.org"]
   105    resources:
   106      - bgpconfigurations
   107      - bgppeers
   108    verbs:
   109      - create
   110      - update
   111  # These permissions are required for Calico CNI to perform IPAM allocations.
   112  - apiGroups: ["crd.projectcalico.org"]
   113    resources:
   114      - blockaffinities
   115      - ipamblocks
   116      - ipamhandles
   117    verbs:
   118      - get
   119      - list
   120      - create
   121      - update
   122      - delete
   123  - apiGroups: ["crd.projectcalico.org"]
   124    resources:
   125      - ipamconfigs
   126    verbs:
   127      - get
   128  # Block affinities must also be watchable by confd for route aggregation.
   129  - apiGroups: ["crd.projectcalico.org"]
   130    resources:
   131      - blockaffinities
   132    verbs:
   133      - watch
   134  # The Calico IPAM migration needs to get daemonsets. These permissions can be
   135  # removed if not upgrading from an installation using host-local IPAM.
   136  - apiGroups: ["apps"]
   137    resources:
   138      - daemonsets
   139    verbs:
   140      - get
