| # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- |
| # DO NOT EDIT! |
| # THIS IS A LEGACY CHART HERE FOR BACKCOMPAT |
| # UPDATED CHART AT manifests/charts/istio-control/istio-discovery |
| # -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: Role |
| metadata: |
| name: istiod-{{ .Values.global.istioNamespace }} |
| namespace: {{ .Values.global.istioNamespace }} |
| labels: |
| app: istiod |
| release: {{ .Release.Name }} |
| rules: |
| # permissions to verify the webhook is ready and rejecting |
| # invalid config. We use --server-dry-run so no config is persisted. |
| - apiGroups: ["networking.istio.io"] |
| verbs: ["create"] |
| resources: ["gateways"] |
| |
| # For storing CA secret |
| - apiGroups: [""] |
| resources: ["secrets"] |
| # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config |
| verbs: ["create", "get", "watch", "list", "update", "delete"] |