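# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# DO NOT EDIT!
# THIS IS A LEGACY CHART HERE FOR BACKCOMPAT
# UPDATED CHART AT manifests/charts/istio-control/istio-discovery
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#
# ClusterRole for istiod. Every rule is cluster-scoped. The rules that grant
# write verbs or use wildcard resources/verbs carry a short note so the
# blast radius of each grant is visible when the file is reviewed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-{{ .Values.global.istioNamespace }}
  labels:
    app: istiod
    release: {{ .Release.Name }}
rules:
  # sidecar injection controller
  # update/patch on mutatingwebhookconfigurations is write access to
  # cluster-wide admission control. If the controller only touches the
  # istio-owned webhook objects, a resourceNames restriction would shrink
  # this grant — confirm against the controller before narrowing.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]

  # configuration validation webhook controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]

  # istio configuration
  # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382)
  # please proceed with caution
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
    verbs: ["get", "watch", "list"]
    resources: ["*"]
{{- if .Values.global.istiod.enableAnalysis }}
  # With analysis enabled this grants update on every resource kind in the
  # groups above, not only their status subresources (see the TODO).
  - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io"]
    verbs: ["update"]
    # TODO: should be on just */status but wildcard is not supported
    resources: ["*"]
{{- end }}
  - apiGroups: ["networking.istio.io"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
    resources: ["workloadentries"]
  - apiGroups: ["networking.istio.io"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
    resources: ["workloadentries/status"]

  # auto-detect installed CRD definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # discovery and routing
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress controller
{{- if .Values.global.istiod.enableAnalysis }}
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions", "networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]
{{- end }}
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  # verbs: ["*"] on ingresses/status (here and in the analysis branch above)
  # is wider than a status writer normally needs; update/patch would likely
  # suffice — confirm with the ingress status controller before tightening.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # required for CA's namespace controller
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]

  # Istiod and bootstrap.
  # update on certificatesigningrequests/approval combined with "approve" on
  # the kubernetes.io/legacy-unknown signer lets istiod approve CSRs for that
  # signer cluster-wide. Treat changes to these two rules as security-sensitive.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
      - "kubernetes.io/legacy-unknown"
    verbs: ["approve"]

  # Used by Istiod to verify the JWT tokens
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

  # Used by Istiod to verify gateway SDS
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"] # TODO: should be on just */status but wildcard is not supported
    verbs: ["update"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gatewayclasses"]
    verbs: ["create", "update", "patch", "delete"]

  # Needed for multicluster secret reading, possibly ingress certs in the future
  # This is read access to every Secret in the cluster. If the remote-cluster
  # secrets live in a known namespace, a namespaced Role there would be a
  # tighter fit — verify against the multicluster secret controller first.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

  # Used for MCS serviceexport management
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["serviceexports"]
    verbs: ["get", "watch", "list", "create", "delete"]

  # Used for MCS serviceimport management
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["serviceimports"]
    verbs: ["get", "watch", "list"]
---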
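# ClusterRole for the istio-reader identity. The rules are read-only except
# for the tokenreviews/subjectaccessreviews "create" checks and the block
# guarded by .Values.global.externalIstiod at the bottom, which adds the
# configmap and admission-webhook write verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-reader-{{ .Values.global.istioNamespace }}
  labels:
    app: istio-reader
    release: {{ .Release.Name }}
rules:
  - apiGroups:
      - "config.istio.io"
      - "security.istio.io"
      - "networking.istio.io"
      - "authentication.istio.io"
      - "rbac.istio.io"
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  # "secrets" here is cluster-wide read of every Secret; keep that in mind
  # when binding istio-reader to remote-cluster service accounts.
  - apiGroups: [""]
    resources: ["endpoints", "pods", "services", "nodes", "replicationcontrollers", "namespaces", "secrets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.istio.io"]
    verbs: ["get", "watch", "list"]
    resources: ["workloadentries"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["serviceexports"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["multicluster.x-k8s.io"]
    resources: ["serviceimports"]
    verbs: ["get", "watch", "list"]
{{- if .Values.global.externalIstiod }}
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]
  # Same admission-webhook write access as the istiod ClusterRole; only
  # granted when .Values.global.externalIstiod is set.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update", "patch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]
{{- end }}
---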