istio/src/istiod-istio-system-cr.yaml - k8s-gerrit - Git at Google

 # AddonComponents istio-tracing component is disabled.

 # Resources for Base component

 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: istiod-istio-system
   labels:
     app: istiod
     release: istio
 rules:
   # sidecar injection controller
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["mutatingwebhookconfigurations"]
     verbs: ["get", "list", "watch", "patch"]

   # configuration validation webhook controller
   - apiGroups: ["admissionregistration.k8s.io"]
     resources: ["validatingwebhookconfigurations"]
     verbs: ["get", "list", "watch", "update"]

   # permissions to verify the webhook is ready and rejecting
   # invalid config. We use --server-dry-run so no config is persisted.
   - apiGroups: ["networking.istio.io"]
     verbs: ["create"]
     resources: ["gateways"]

   # istio configuration
   - apiGroups: ["config.istio.io", "rbac.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
     verbs: ["get", "watch", "list"]
     resources: ["*"]

   # auto-detect installed CRD definitions
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]
     verbs: ["get", "list", "watch"]

   # discovery and routing
   - apiGroups: ["extensions","apps"]
     resources: ["deployments"]
     verbs: ["get", "list", "watch"]
   - apiGroups: [""]
     resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
     verbs: ["get", "list", "watch"]
   - apiGroups: ["discovery.k8s.io"]
     resources: ["endpointslices"]
     verbs: ["get", "list", "watch"]

   # ingress controller
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses", "ingressclasses"]
     verbs: ["get", "list", "watch"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses/status"]
     verbs: ["*"]

   # required for CA's namespace controller
   - apiGroups: [""]
     resources: ["configmaps"]
     verbs: ["create", "get", "list", "watch", "update"]

   # Istiod and bootstrap.
   - apiGroups: ["certificates.k8s.io"]
     resources:
       - "certificatesigningrequests"
       - "certificatesigningrequests/approval"
       - "certificatesigningrequests/status"
     verbs: ["update", "create", "get", "delete", "watch"]
   - apiGroups: ["certificates.k8s.io"]
     resources:
       - "signers"
     resourceNames:
     - "kubernetes.io/legacy-unknown"
     verbs: ["approve"]

   # Used by Istiod to verify the JWT tokens
   - apiGroups: ["authentication.k8s.io"]
     resources: ["tokenreviews"]
     verbs: ["create"]

   # TODO: remove, no longer needed at cluster
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["create", "get", "watch", "list", "update", "delete"]
   - apiGroups: [""]
     resources: ["serviceaccounts"]
     verbs: ["get", "watch", "list"]

   # Use for Kubernetes Service APIs
   - apiGroups: ["networking.x.k8s.io"]
     resources: ["*"]
     verbs: ["get", "watch", "list"]
	# AddonComponents istio-tracing component is disabled.

	# Resources for Base component

	apiVersion: rbac.authorization.k8s.io/v1
	kind: ClusterRole
	metadata:
	name: istiod-istio-system
	labels:
	app: istiod
	release: istio
	rules:
	# sidecar injection controller
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["mutatingwebhookconfigurations"]
	verbs: ["get", "list", "watch", "patch"]

	# configuration validation webhook controller
	- apiGroups: ["admissionregistration.k8s.io"]
	resources: ["validatingwebhookconfigurations"]
	verbs: ["get", "list", "watch", "update"]

	# permissions to verify the webhook is ready and rejecting
	# invalid config. We use --server-dry-run so no config is persisted.
	- apiGroups: ["networking.istio.io"]
	verbs: ["create"]
	resources: ["gateways"]

	# istio configuration
	- apiGroups: ["config.istio.io", "rbac.istio.io", "security.istio.io", "networking.istio.io", "authentication.istio.io"]
	verbs: ["get", "watch", "list"]
	resources: ["*"]

	# auto-detect installed CRD definitions
	- apiGroups: ["apiextensions.k8s.io"]
	resources: ["customresourcedefinitions"]
	verbs: ["get", "list", "watch"]

	# discovery and routing
	- apiGroups: ["extensions","apps"]
	resources: ["deployments"]
	verbs: ["get", "list", "watch"]
	- apiGroups: [""]
	resources: ["pods", "nodes", "services", "namespaces", "endpoints"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["discovery.k8s.io"]
	resources: ["endpointslices"]
	verbs: ["get", "list", "watch"]

	# ingress controller
	- apiGroups: ["networking.k8s.io"]
	resources: ["ingresses", "ingressclasses"]
	verbs: ["get", "list", "watch"]
	- apiGroups: ["networking.k8s.io"]
	resources: ["ingresses/status"]
	verbs: ["*"]

	# required for CA's namespace controller
	- apiGroups: [""]
	resources: ["configmaps"]
	verbs: ["create", "get", "list", "watch", "update"]

	# Istiod and bootstrap.
	- apiGroups: ["certificates.k8s.io"]
	resources:
	- "certificatesigningrequests"
	- "certificatesigningrequests/approval"
	- "certificatesigningrequests/status"
	verbs: ["update", "create", "get", "delete", "watch"]
	- apiGroups: ["certificates.k8s.io"]
	resources:
	- "signers"
	resourceNames:
	- "kubernetes.io/legacy-unknown"
	verbs: ["approve"]

	# Used by Istiod to verify the JWT tokens
	- apiGroups: ["authentication.k8s.io"]
	resources: ["tokenreviews"]
	verbs: ["create"]

	# TODO: remove, no longer needed at cluster
	- apiGroups: [""]
	resources: ["secrets"]
	verbs: ["create", "get", "watch", "list", "update", "delete"]
	- apiGroups: [""]
	resources: ["serviceaccounts"]
	verbs: ["get", "watch", "list"]

	# Use for Kubernetes Service APIs
	- apiGroups: ["networking.x.k8s.io"]
	resources: ["*"]
	verbs: ["get", "watch", "list"]