| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: Role |
| metadata: |
| name: istiod{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }} |
| namespace: {{ .Values.global.istioNamespace }} |
| labels: |
| app: istiod |
| release: {{ .Release.Name }} |
| rules: |
| # permissions to verify the webhook is ready and rejecting |
| # invalid config. We use --server-dry-run so no config is persisted. |
| - apiGroups: ["networking.istio.io"] |
| verbs: ["create"] |
| resources: ["gateways"] |
| |
| # For storing CA secret |
| - apiGroups: [""] |
| resources: ["secrets"] |
| # TODO lock this down to istio-ca-cert if not using the DNS cert mesh config |
| verbs: ["create", "get", "watch", "list", "update", "delete"] |