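---
# RBAC for the identity named "cluster-autoscaler": a ClusterRole and the
# ClusterRoleBinding that grants it. Both objects are cluster-scoped, so every
# rule below applies in all namespaces, including the rules that are narrowed
# with resourceNames.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-autoscaler
  labels:
    # Label read by the addon manager. NOTE(review): in Reconcile mode,
    # in-cluster edits to this object are expected to be reverted to the
    # manifest; confirm for your deployment before tightening rules by hand.
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  # leader election
  # "create" is a separate rule without resourceNames because RBAC cannot
  # restrict create requests by object name. The grant therefore covers
  # creating Endpoints objects of any name.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create"]
  # Read/write on the existing lock object is limited to this one name.
  - apiGroups: [""]
    resources: ["endpoints"]
    resourceNames: ["cluster-autoscaler"]
    verbs: ["get", "update", "patch", "delete"]
  # accessing & modifying cluster state (nodes & pods)
  # update/patch on nodes is not name-restricted: it covers every Node object.
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # create on pods/eviction allows requesting eviction of any pod in any
  # namespace; this is the most disruptive permission in the role.
  - apiGroups: [""]
    resources: ["pods/eviction"]
    verbs: ["create"]
  # read-only access to cluster state
  - apiGroups: [""]
    resources:
      - "services"
      - "replicationcontrollers"
      - "persistentvolumes"
      - "persistentvolumeclaims"
    verbs: ["get", "list", "watch"]
  # "extensions" is the legacy API group that served these resources before
  # "apps"; listing both keeps the rule valid on older API servers.
  - apiGroups: ["apps", "extensions"]
    resources: ["daemonsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["statefulsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # misc access
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "update", "patch"]
  # Same create/resourceNames split as for endpoints above: configmaps of any
  # name can be created, while get/update/patch/delete is limited to the one
  # named configmap.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["cluster-autoscaler-status"]
    verbs: ["get", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-autoscaler
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  # The subject is a User: whatever username the API server's authenticators
  # assign to a request. Any credential that authenticates as
  # "cluster-autoscaler" receives the ClusterRole above, so issuance of that
  # username should be controlled and audited.
  # No namespace field is set: it is only meaningful for ServiceAccount
  # subjects, and a User is matched by name alone. Keeping a
  # "namespace: kube-system" entry here would wrongly suggest the grant is
  # scoped to that namespace.
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: cluster-autoscaler
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-autoscaler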