{{- with .Values }} {{- if and .managerRbac.create (not (include "traffic-manager.namespaced" $)) }} {{- /* This file contains all cluster-scoped permissions that the traffic manager needs. This will be larger if namespaced: false, or smaller if it is true This will also likely expand over time as we move more things from the clients domain into the traffic-manager. But the good news there is that it will require less permissions in clientRbac.yaml */}} {{- $roleName := (printf "traffic-manager-%s" (include "traffic-manager.namespace" $)) }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ $roleName }} labels: {{- include "telepresence.labels" $ | nindent 4 }} rules: - apiGroups: - "" resources: - services verbs: - update {{/* Only needed for upgrade of older versions */}} - apiGroups: - "" resources: - nodes - services - namespaces - pods verbs: - list - get - watch {{- if .agentInjector.enabled }} - apiGroups: - "" resources: - pods/eviction verbs: - create {{- end }} - apiGroups: - "" resources: - pods/log verbs: - get - apiGroups: - "apps" resources: - deployments - replicasets - statefulsets verbs: - get - list - watch {{- if .agentInjector.enabled }} - patch {{- end }} {{- if .workloads.argoRollouts.enabled }} - apiGroups: - "argoproj.io" resources: - rollouts verbs: - get - list - watch {{- if .agentInjector.enabled }} - patch {{- end }} {{- end }} - apiGroups: - "events.k8s.io" resources: - events verbs: - get - watch - apiGroups: - "networking.k8s.io" resources: - servicecidrs verbs: - list --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ $roleName }} labels: {{- include "telepresence.labels" $ | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: {{ $roleName }} subjects: - kind: ServiceAccount name: traffic-manager namespace: {{ include "traffic-manager.namespace" $ }} {{- end }} {{- end }}