| {{- if .Values.global.configCluster }} |
| {{ $mcsAPIGroup := or .Values.pilot.env.MCS_API_GROUP "multicluster.x-k8s.io" }} |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRole |
| metadata: |
| name: istiod-clusterrole{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} |
| labels: |
| app: istiod |
| release: {{ .Release.Name }} |
| rules: |
| # sidecar injection controller |
| - apiGroups: ["admissionregistration.k8s.io"] |
| resources: ["mutatingwebhookconfigurations"] |
| verbs: ["get", "list", "watch", "update", "patch"] |
| |
| # configuration validation webhook controller |
| - apiGroups: ["admissionregistration.k8s.io"] |
| resources: ["validatingwebhookconfigurations"] |
| verbs: ["get", "list", "watch", "update"] |
| |
| # istio configuration |
| # removing CRD permissions can break older versions of Istio running alongside this control plane (https://github.com/istio/istio/issues/29382) |
| # please proceed with caution |
| - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] |
| verbs: ["get", "watch", "list"] |
| resources: ["*"] |
| {{- if .Values.global.istiod.enableAnalysis }} |
| - apiGroups: ["config.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io", "rbac.istio.io", "telemetry.istio.io", "extensions.istio.io"] |
| verbs: ["update"] |
| # TODO: should be on just */status but wildcard is not supported |
| resources: ["*"] |
| {{- end }} |
| - apiGroups: ["networking.istio.io"] |
| verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] |
| resources: [ "workloadentries" ] |
| - apiGroups: ["networking.istio.io"] |
| verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] |
| resources: [ "workloadentries/status" ] |
| |
| # auto-detect installed CRD definitions |
| - apiGroups: ["apiextensions.k8s.io"] |
| resources: ["customresourcedefinitions"] |
| verbs: ["get", "list", "watch"] |
| |
| # discovery and routing |
| - apiGroups: [""] |
| resources: ["pods", "nodes", "services", "namespaces", "endpoints"] |
| verbs: ["get", "list", "watch"] |
| - apiGroups: ["discovery.k8s.io"] |
| resources: ["endpointslices"] |
| verbs: ["get", "list", "watch"] |
| |
| # ingress controller |
| {{- if .Values.global.istiod.enableAnalysis }} |
| - apiGroups: ["extensions", "networking.k8s.io"] |
| resources: ["ingresses"] |
| verbs: ["get", "list", "watch"] |
| - apiGroups: ["extensions", "networking.k8s.io"] |
| resources: ["ingresses/status"] |
| verbs: ["*"] |
| {{- end}} |
| - apiGroups: ["networking.k8s.io"] |
| resources: ["ingresses", "ingressclasses"] |
| verbs: ["get", "list", "watch"] |
| - apiGroups: ["networking.k8s.io"] |
| resources: ["ingresses/status"] |
| verbs: ["*"] |
| |
| # required for CA's namespace controller |
| - apiGroups: [""] |
| resources: ["configmaps"] |
| verbs: ["create", "get", "list", "watch", "update"] |
| |
| # Istiod and bootstrap. |
| - apiGroups: ["certificates.k8s.io"] |
| resources: |
| - "certificatesigningrequests" |
| - "certificatesigningrequests/approval" |
| - "certificatesigningrequests/status" |
| verbs: ["update", "create", "get", "delete", "watch"] |
| - apiGroups: ["certificates.k8s.io"] |
| resources: |
| - "signers" |
| resourceNames: |
| - "kubernetes.io/legacy-unknown" |
| verbs: ["approve"] |
| |
| # Used by Istiod to verify the JWT tokens |
| - apiGroups: ["authentication.k8s.io"] |
| resources: ["tokenreviews"] |
| verbs: ["create"] |
| |
| # Used by Istiod to verify gateway SDS |
| - apiGroups: ["authorization.k8s.io"] |
| resources: ["subjectaccessreviews"] |
| verbs: ["create"] |
| |
| # Use for Kubernetes Service APIs |
| - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] |
| resources: ["*"] |
| verbs: ["get", "watch", "list"] |
| - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"] |
| resources: ["*"] # TODO: should be on just */status but wildcard is not supported |
| verbs: ["update", "patch"] |
| - apiGroups: ["gateway.networking.k8s.io"] |
| resources: ["gatewayclasses"] |
| verbs: ["create", "update", "patch", "delete"] |
| |
| # Needed for multicluster secret reading, possibly ingress certs in the future |
| - apiGroups: [""] |
| resources: ["secrets"] |
| verbs: ["get", "watch", "list"] |
| |
| # Used for MCS serviceexport management |
| - apiGroups: ["{{ $mcsAPIGroup }}"] |
| resources: ["serviceexports"] |
| verbs: [ "get", "watch", "list", "create", "delete"] |
| |
| # Used for MCS serviceimport management |
| - apiGroups: ["{{ $mcsAPIGroup }}"] |
| resources: ["serviceimports"] |
| verbs: ["get", "watch", "list"] |
| |
| # Used for Service Name Mapping |
| - apiGroups: ["extensions.istio.io"] |
| resources: ["servicenamemappings"] |
| verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] |
| # Used for Service Metadata |
| - apiGroups: ["extensions.istio.io"] |
| resources: ["servicemetadatas"] |
| verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] |
| --- |
| {{- if not (eq (toString .Values.pilot.env.PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER) "false") }} |
| apiVersion: rbac.authorization.k8s.io/v1 |
| kind: ClusterRole |
| metadata: |
| name: istiod-gateway-controller{{- if not (eq .Values.revision "")}}-{{ .Values.revision }}{{- end }}-{{ .Release.Namespace }} |
| labels: |
| app: istiod |
| release: {{ .Release.Name }} |
| rules: |
| - apiGroups: ["apps"] |
| verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] |
| resources: [ "deployments" ] |
| - apiGroups: [""] |
| verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ] |
| resources: [ "services" ] |
| {{- end }} |
| {{- end }} |