45 lines
1.7 KiB
YAML
45 lines
1.7 KiB
YAML
# Challenges controller role
|
||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||
kind: ClusterRole
|
||
metadata:
|
||
name: cert-manager-controller-challenges
|
||
labels:
|
||
app: cert-manager
|
||
app.kubernetes.io/name: cert-manager
|
||
app.kubernetes.io/instance: cert-manager
|
||
app.kubernetes.io/managed-by: Tiller
|
||
helm.sh/chart: cert-manager-v0.9.0
|
||
rules:
|
||
# Use to update challenge resource status
|
||
- apiGroups: ["certmanager.k8s.io"]
|
||
resources: ["challenges", "challenges/status"]
|
||
verbs: ["update"]
|
||
# Used to watch challenges, issuer and clusterissuer resources
|
||
- apiGroups: ["certmanager.k8s.io"]
|
||
resources: ["challenges", "issuers", "clusterissuers"]
|
||
verbs: ["get", "list", "watch"]
|
||
# Need to be able to retrieve ACME account private key to complete challenges
|
||
- apiGroups: [""]
|
||
resources: ["secrets"]
|
||
verbs: ["get", "list", "watch"]
|
||
# Used to create events
|
||
- apiGroups: [""]
|
||
resources: ["events"]
|
||
verbs: ["create", "patch"]
|
||
# HTTP01 rules
|
||
- apiGroups: [""]
|
||
resources: ["pods", "services"]
|
||
verbs: ["get", "list", "watch", "create", "delete"]
|
||
- apiGroups: ["extensions"]
|
||
resources: ["ingresses"]
|
||
verbs: ["get", "list", "watch", "create", "delete", "update"]
|
||
# We require these rules to support users with the OwnerReferencesPermissionEnforcement
|
||
# admission controller enabled:
|
||
# https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
|
||
- apiGroups: ["certmanager.k8s.io"]
|
||
resources: ["challenges/finalizers"]
|
||
verbs: ["update"]
|
||
# DNS01 rules (duplicated above)
|
||
- apiGroups: [""]
|
||
resources: ["secrets"]
|
||
verbs: ["get", "list", "watch"]
|