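# ClusterRole for the Calico node agent / CNI plugin (addon-manager managed).
# The ServiceAccount it is bound to is defined in a separate ClusterRoleBinding,
# which is not part of this document.
#
# RBAC rules are purely additive: the effective grant is the union of every
# (apiGroup, resource, verb) triple below. No rule uses resourceNames, so every
# verb applies to every object of that resource in every namespace, and RBAC
# cannot express "only the node this pod runs on" — anything that can read the
# agent's ServiceAccount token can exercise the full set cluster-wide.
#
# ClusterRole is cluster-scoped. The API server clears metadata.namespace on
# cluster-scoped objects, so a "namespace:" field here has no effect; do not add
# one, it only suggests a scoping that does not exist.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  # The CNI plugin needs to get pods and namespaces. (get on nodes is granted by
  # the dedicated "nodes" rule further down, so it is not repeated here; the
  # effective permission set is unchanged.)
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
    verbs:
      - get
  # calico/node checks configmaps for cluster CIDR.
  # NOTE(review): this is get on any ConfigMap in any namespace. If the agent
  # only ever reads a fixed, well-known ConfigMap, consider restricting with
  # resourceNames — confirm against the calico/node version in use first.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
  # Cluster-wide read of every Service and Endpoints object (Endpoints carry
  # pod IPs and ports).
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
      # Used to discover Typhas.
      - get
  # Write access to the status subresource of EVERY node, not only the local
  # one. A compromised calico-node pod can therefore alter conditions/status of
  # any node; NodeRestriction admission does not apply to this ServiceAccount.
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
      # Calico stores some configuration information in node annotations.
      - update
  # Watch for changes to Kubernetes NetworkPolicies (read-only).
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  # Used by Calico for policy information (read-only, cluster-wide).
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
      - serviceaccounts
    verbs:
      - list
      - watch
  # The CNI plugin patches pods/status (any pod, any namespace).
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - patch
  # Calico monitors various CRDs for config (read-only).
  # Note: Though we are not using ipam from calico, calico node still needs those
  # permissions to boot.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - felixconfigurations
      - bgppeers
      - globalbgpconfigs
      - bgpconfigurations
      - ippools
      - ipamblocks
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - networksets
      - clusterinformations
      - hostendpoints
    verbs:
      - get
      - list
      - watch
  # Calico must create and update some CRDs on startup.
  # NOTE(review): these are cluster-level Calico configuration objects; write
  # access means a single compromised node pod can change them for every node.
  # Keep this list to the minimum the deployed Calico version actually writes.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ippools
      - felixconfigurations
      - clusterinformations
    verbs:
      - create
      - update
  # Calico stores some configuration information on the node.
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # UPGRADE-ONLY: these permissions are only required for upgrade from v2.6.
  # Remove this rule after the upgrade completes, and do not ship it on fresh
  # installations — it leaves the node agent with cluster-wide write access to
  # BGP peering configuration that it otherwise never needs.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - bgpconfigurations
      - bgppeers
    verbs:
      - create
      - update
  # These permissions are required for Calico CNI to perform IPAM allocations.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
      - ipamblocks
      - ipamhandles
    verbs:
      - get
      - list
      - create
      - update
      - delete
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - ipamconfigs
    verbs:
      - get
  # Block affinities must also be watchable by confd for route aggregation.
  # Kept as its own rule on purpose: folding "watch" into the IPAM rule above
  # would also grant watch on ipamblocks and ipamhandles.
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - blockaffinities
    verbs:
      - watch
  # UPGRADE-ONLY: the Calico IPAM migration needs to get daemonsets. Remove this
  # rule if not upgrading from an installation using host-local IPAM.
  - apiGroups: ["apps"]
    resources:
      - daemonsets
    verbs:
      - get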