Diffstat (limited to 'roles/openshift_service_catalog/files')
-rw-r--r-- | roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml | 217 | ||||
-rw-r--r-- | roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml | 40 |
2 files changed, 257 insertions, 0 deletions
diff --git a/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
new file mode 100644
index 000000000..f449fba2b
--- /dev/null
+++ b/roles/openshift_service_catalog/files/kubeservicecatalog_roles_bindings.yml
@@ -0,0 +1,217 @@
+apiVersion: v1
+kind: Template
+metadata:
+ name: service-catalog-role-bindings
+objects:
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: servicecatalog-serviceclass-viewer
+ rules:
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterserviceclasses
+ - clusterserviceplans
+ verbs:
+ - list
+ - watch
+ - get
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: servicecatalog-serviceclass-viewer-binding
+ roleRef:
+ name: servicecatalog-serviceclass-viewer
+ groupNames:
+ - system:authenticated
+
+- kind: ServiceAccount
+ apiVersion: v1
+ metadata:
+ name: service-catalog-controller
+
+- kind: ServiceAccount
+ apiVersion: v1
+ metadata:
+ name: service-catalog-apiserver
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: sar-creator
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - subjectaccessreviews.authorization.k8s.io
+ verbs:
+ - create
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-sar-creator-binding
+ roleRef:
+ name: sar-creator
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-apiserver
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: namespace-viewer
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - list
+ - watch
+ - get
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-namespace-viewer-binding
+ roleRef:
+ name: namespace-viewer
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-apiserver
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-controller-namespace-viewer-binding
+ roleRef:
+ name: namespace-viewer
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-controller
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRole
+ metadata:
+ name: service-catalog-controller
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - update
+ - patch
+ - delete
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterservicebrokers/status
+ - serviceinstances/status
+ - servicebindings/status
+ - servicebindings/finalizers
+ - serviceinstances/reference
+ verbs:
+ - update
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterservicebrokers
+ - serviceinstances
+ - servicebindings
+ verbs:
+ - list
+ - get
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - patch
+ - create
+ - apiGroups:
+ - servicecatalog.k8s.io
+ resources:
+ - clusterserviceclasses
+ - clusterserviceplans
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - settings.k8s.io
+ resources:
+ - podpresets
+ verbs:
+ - create
+ - update
+ - delete
+ - get
+ - list
+ - watch
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: service-catalog-controller-binding
+ roleRef:
+ name: service-catalog-controller
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-controller
+ namespace: kube-service-catalog
+
+- apiVersion: authorization.openshift.io/v1
+ kind: Role
+ metadata:
+ name: endpoint-accessor
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - list
+ - watch
+ - get
+ - create
+ - update
+
+- apiVersion: authorization.openshift.io/v1
+ kind: RoleBinding
+ metadata:
+ name: endpointer-accessor-binding
+ roleRef:
+ name: endpoint-accessor
+ namespace: kube-service-catalog
+ subjects:
+ - kind: ServiceAccount
+ namespace: kube-service-catalog
+ name: service-catalog-controller
+
+- apiVersion: authorization.openshift.io/v1
+ kind: ClusterRoleBinding
+ metadata:
+ name: system:auth-delegator-binding
+ roleRef:
+ name: system:auth-delegator
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-apiserver
+ namespace: kube-service-catalog
diff --git a/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml
new file mode 100644
index 000000000..f563ae42e
--- /dev/null
+++ b/roles/openshift_service_catalog/files/kubesystem_roles_bindings.yml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Template
+metadata:
+ name: kube-system-service-catalog-role-bindings
+objects:
+
+- apiVersion: authorization.openshift.io/v1
+ kind: Role
+ metadata:
+ name: extension-apiserver-authentication-reader
+ namespace: ${KUBE_SYSTEM_NAMESPACE}
+ rules:
+ - apiGroups:
+ - ""
+ resourceNames:
+ - extension-apiserver-authentication
+ resources:
+ - configmaps
+ verbs:
+ - get
+
+- apiVersion: authorization.openshift.io/v1
+ kind: RoleBinding
+ metadata:
+ name: extension-apiserver-authentication-reader-binding
+ namespace: ${KUBE_SYSTEM_NAMESPACE}
+ roleRef:
+ name: extension-apiserver-authentication-reader
+ namespace: ${KUBE_SYSTEM_NAMESPACE}
+ subjects:
+ - kind: ServiceAccount
+ name: service-catalog-apiserver
+ namespace: kube-service-catalog
+
+parameters:
+- description: Do not change this value.
+ displayName: Name of the kube-system namespace
+ name: KUBE_SYSTEM_NAMESPACE
+ required: true
+ value: kube-system |
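Review bot: The `service-catalog-controller` ClusterRole in kubeservicecatalog_roles_bindings.yml grants create/update/patch/delete/get/list/watch on core `secrets` cluster-wide with no `resourceNames` restriction, so the `service-catalog-controller` service account can read and rewrite every secret in the cluster, which on clusters that store service-account tokens as secrets makes its token roughly as sensitive as a cluster-admin credential. The controller presumably needs this to deliver binding credentials into arbitrary user namespaces, but the breadth deserves an explicit comment above that rule, e.g. `# Cluster-wide secret write is needed to place binding credentials in user namespaces; treat this SA's token as cluster-admin-equivalent.` Separately, the `endpoint-accessor` Role carries no `metadata.namespace` while its RoleBinding's roleRef hardcodes `namespace: kube-service-catalog`, so the binding only resolves if the template is processed into that namespace; stating the namespace on the Role, as kubesystem_roles_bindings.yml does with `${KUBE_SYSTEM_NAMESPACE}`, would make that dependency explicit. The binding name `endpointer-accessor-binding` also looks like a typo for `endpoint-accessor-binding`.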
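Review bot: The Role created in kubesystem_roles_bindings.yml is named `extension-apiserver-authentication-reader` in `${KUBE_SYSTEM_NAMESPACE}`, which is also the name upstream Kubernetes uses for the Role it bootstraps into kube-system for this same configmap; on a platform version that already ships that role, creating this object conflicts with it, and on one that does not, the template takes a name the platform may later claim. If the intent is to rely on the platform-provided role when present, bind to it and drop the Role object; otherwise give the template's Role a distinct name such as `service-catalog-extension-apiserver-authentication-reader` and record the reason in a comment. The `KUBE_SYSTEM_NAMESPACE` parameter is `required: true` yet described as `Do not change this value.`; a one-line comment explaining why it is a parameter rather than a literal would help the next maintainer.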