TrueChartsClone/charts/aws-event-sources/v0.1.0/templates/clusterroles.yaml

153 lines
3.1 KiB
YAML

# Copyright (c) 2020 TriggerMesh Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "aws-event-sources.fullname" . }}-controller
labels:
{{- include "aws-event-sources.labels" . | nindent 4 }}
rules:
# Record Kubernetes events
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- update
# Manage receive-adapters
- apiGroups:
- apps
resources:
- deployments
verbs: &all
- get
- list
- watch
- create
- update
- delete
- patch
- apiGroups:
- serving.knative.dev
resources:
- services
verbs: *all
# Read Source resources and update their statuses
- apiGroups:
- sources.triggermesh.io
resources:
- awscodecommitsources
- awscognitoidentitysources
- awscognitouserpoolsources
- awsdynamodbsources
- awsiotsources
- awskinesissources
- awssnssources
- awssqssources
verbs:
- list
- watch
- get
- patch
- apiGroups:
- sources.triggermesh.io
resources:
- awscodecommitsources/status
- awscognitoidentitysources/status
- awscognitouserpoolsources/status
- awsdynamodbsources/status
- awsiotsources/status
- awskinesissources/status
- awssnssources/status
- awssqssources/status
verbs:
- update
# Read controller configurations
- apiGroups:
- ''
resources:
- configmaps
verbs: &listwatch
- list
- watch
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- config-logging
- config-observability
- config-leader-election
verbs:
- get
# Resolve sink URIs
- apiGroups:
- ''
resources:
- services
verbs: *listwatch
- apiGroups:
- serving.knative.dev
resources:
- services
verbs: *listwatch
- apiGroups:
- eventing.knative.dev
resources:
- brokers
verbs: *listwatch
- apiGroups:
- messaging.knative.dev
resources:
- channels
verbs: *listwatch
---
# The role is needed for the aggregated role source-observer in knative-eventing to provide readonly access to "Sources".
# see https://github.com/knative/eventing/blob/release-0.14/docs/spec/sources.md#source-rbac
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "aws-event-sources.fullname" . }}-observer
labels:
duck.knative.dev/source: 'true'
{{- include "aws-event-sources.labels" . | nindent 4 }}
rules:
- apiGroups:
- sources.triggermesh.io
resources:
- awscodecommitsources
- awscognitoidentitysources
- awscognitouserpoolsources
- awsdynamodbsources
- awsiotsources
- awskinesissources
- awssnssources
- awssqssources
verbs:
- get
- list
- watch
{{- end }}