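# AddonComponents istio-tracing component is disabled.

# Resources for Base component

# ClusterRole bound to the istiod control-plane identity. Every rule below
# applies cluster-wide (all namespaces); rules tagged NOTE(review) are the
# ones a reviewer should re-check before deploying this manifest as-is.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istiod-istio-system
  labels:
    app: istiod
    release: istio
rules:
  # sidecar injection controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "patch"]

  # configuration validation webhook controller
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch", "update"]

  # permissions to verify the webhook is ready and rejecting
  # invalid config. We use --server-dry-run so no config is persisted.
  - apiGroups: ["networking.istio.io"]
    resources: ["gateways"]
    verbs: ["create"]

  # istio configuration (read-only across all resources of these groups)
  - apiGroups:
      - "config.istio.io"
      - "rbac.istio.io"
      - "security.istio.io"
      - "networking.istio.io"
      - "authentication.istio.io"
    resources: ["*"]
    verbs: ["get", "watch", "list"]

  # auto-detect installed CRD definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # discovery and routing
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress controller
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  # NOTE(review): "*" grants every current and future verb on ingresses/status;
  # an explicit list (e.g. get/update/patch) keeps the grant from widening
  # silently — confirm which verbs the ingress controller actually issues.
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # required for CA's namespace controller
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "watch", "update"]

  # Istiod and bootstrap.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "certificatesigningrequests"
      - "certificatesigningrequests/approval"
      - "certificatesigningrequests/status"
    verbs: ["update", "create", "get", "delete", "watch"]
  # NOTE(review): "approve" on a signer lets this identity approve CSRs for
  # that signer cluster-wide; keep resourceNames pinned to the single signer
  # rather than widening it to all signers.
  - apiGroups: ["certificates.k8s.io"]
    resources:
      - "signers"
    resourceNames:
      - "kubernetes.io/legacy-unknown"
    verbs: ["approve"]

  # Used by Istiod to verify the JWT tokens
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]

  # TODO: remove, no longer needed at cluster
  # NOTE(review): this is create/update/delete on Secrets in every namespace,
  # the broadest grant in this role. The TODO above says it is no longer
  # needed at cluster scope — drop it, or move it to a namespaced Role that
  # covers only the namespaces istiod must read from.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create", "get", "watch", "list", "update", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "watch", "list"]

  # Use for Kubernetes Service APIs (read-only)
  - apiGroups: ["networking.x.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]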