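---
# RBAC for the GCE ingress controller (GLBC).
# Both objects are named system:controller:glbc: the Role is scoped to the
# kube-system namespace, the ClusterRole grants cluster-wide access.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: system:controller:glbc
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
# Namespaced grant: configmaps in kube-system only.
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:controller:glbc
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
# NOTE(review): read access to secrets in every namespace, with no
# resourceNames restriction; presumably needed for Ingress TLS material --
# confirm whether this can be narrowed.
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
# Read-only access to the core objects the controller reconciles against.
- apiGroups: [""]
  resources: ["endpoints", "services", "pods", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
# TODO: switch to patch services/status
# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L339-L342
# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L359-L361
- apiGroups: [""]
  resources: ["services", "services/status"]
  verbs: ["update", "patch"]
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
# For now, GLBC annotates ingress resources with various state and statuses:
# https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
# TODO(rramkumar1): Remove unnecessary `update` permission once statuses are
# propagated through `ingresses/status`
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["update"]
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses/status"]
  verbs: ["update", "patch"]
# GLBC ensures that the `cloud.google.com/backendconfigs` and
# `networking.gke.io/servicenetworkendpointgroups` CRDs exist in a desired state:
# https://github.com/kubernetes/ingress-gce/blob/5c3fcb5845e74b92ea8bd52929b15fc5c9fa7970/cmd/glbc/main.go#L108
# https://github.com/kubernetes/ingress-gce/blob/5c3fcb5845e74b92ea8bd52929b15fc5c9fa7970/cmd/glbc/main.go#L133
# GLBC creates and updates `networking.gke.io/GCPIngressParams`
# https://github.com/kubernetes/ingress-gce/blob/7f0928629c85e7a54c6af9e6e490ac89d057461a/cmd/glbc/main.go#L151-L162
# TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744
# NOTE(review): write access to customresourcedefinitions is cluster-wide
# and not limited by resourceNames to the CRDs named above -- confirm whether
# the controller needs to create/update arbitrary CRDs.
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: ["cloud.google.com"]
  resources: ["backendconfigs"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: ["networking.gke.io"]
  resources: ["servicenetworkendpointgroups", "gcpingressparams"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
# GLBC creates and updates `networking.k8s.io/IngressClass`
- apiGroups: ["networking.k8s.io"]
  resources: ["ingressclasses"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
# GLBC uses leases for leader election (get/create/update only; no list/watch).
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "create", "update"]
# GLBC uses endpoint slices (read-only).
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]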