
Text file src/k8s.io/kubernetes/cluster/addons/rbac/cluster-loadbalancing/glbc/roles.yaml

Documentation: k8s.io/kubernetes/cluster/addons/rbac/cluster-loadbalancing/glbc

     1apiVersion: rbac.authorization.k8s.io/v1
     2kind: Role
     3metadata:
     4  name: system:controller:glbc
     5  namespace: kube-system
     6  labels:
     7    addonmanager.kubernetes.io/mode: Reconcile
     8rules:
     9- apiGroups: [""]
    10  resources: ["configmaps"]
    11  verbs: ["get", "list", "watch", "update", "create", "patch"]
    12---
    13apiVersion: rbac.authorization.k8s.io/v1
    14kind: ClusterRole
    15metadata:
    16  name: system:controller:glbc
    17  labels:
    18    addonmanager.kubernetes.io/mode: Reconcile
    19rules:
    20- apiGroups: [""]
    21  resources: ["secrets"]
    22  verbs: ["get"]
    23- apiGroups: [""]
    24  resources: ["events"]
    25  verbs: ["get", "list", "watch", "update", "create", "patch"]
    26- apiGroups: [""]
    27  resources: ["endpoints", "services", "pods", "nodes", "namespaces"]
    28  verbs: ["get", "list", "watch"]
    29# TODO: switch to patch services/status
    30# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L339-L342
    31# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L359-L361
    32- apiGroups: [""]
    33  resources: ["services", "services/status"]
    34  verbs: ["update", "patch"]
    35- apiGroups: ["extensions", "networking.k8s.io"]
    36  resources: ["ingresses"]
    37  verbs: ["get", "list", "watch"]
    38# For now, GLBC annotates ingress resources with various state and statuses:
    39# https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
    40# TODO(rramkumar1): Remove unnecessary `update` permission once statuses are propagated through `ingresses/status`
    41- apiGroups: ["extensions", "networking.k8s.io"]
    42  resources: ["ingresses"]
    43  verbs: ["update"]
    44- apiGroups: ["extensions", "networking.k8s.io"]
    45  resources: ["ingresses/status"]
    46  verbs: ["update", "patch"]
    47# GLBC ensures that the `cloud.google.com/backendconfigs` and `networking.gke.io/servicenetworkendpointgroups` CRD exists in a desired state:
    48# https://github.com/kubernetes/ingress-gce/blob/5c3fcb5845e74b92ea8bd52929b15fc5c9fa7970/cmd/glbc/main.go#L108
    49# https://github.com/kubernetes/ingress-gce/blob/5c3fcb5845e74b92ea8bd52929b15fc5c9fa7970/cmd/glbc/main.go#L133
    50# GLBC creates and updates `networking.gke.io/GCPIngressParams`
    51# https://github.com/kubernetes/ingress-gce/blob/7f0928629c85e7a54c6af9e6e490ac89d057461a/cmd/glbc/main.go#L151-L162
    52# TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744
    53- apiGroups: ["apiextensions.k8s.io"]
    54  resources: ["customresourcedefinitions"]
    55  verbs: ["get", "list", "watch", "update", "create", "patch"]
    56- apiGroups: ["cloud.google.com"]
    57  resources: ["backendconfigs"]
    58  verbs: ["get", "list", "watch", "update", "create", "patch"]
    59- apiGroups: ["networking.gke.io"]
    60  resources: ["servicenetworkendpointgroups","gcpingressparams"]
    61  verbs: ["get", "list", "watch", "update", "create", "patch"]
    62# GLBC creates and updates `networking.k8s.io/IngressClass`
    63- apiGroups: ["networking.k8s.io"]
    64  resources: ["ingressclasses"]
    65  verbs: ["get", "list", "watch", "update", "create", "patch"]
    66# GLBC uses leases for leader election
    67- apiGroups: ["coordination.k8s.io"]
    68  resources: ["leases"]
    69  verbs: ["get","create","update"]
    70 # GLBC uses endpoint slices
    71- apiGroups: ["discovery.k8s.io"]
    72  resources: ["endpointslices"]
    73  verbs: ["get","list", "watch"]
