mirror of https://github.com/linkerd/linkerd2.git
Create proxy-injector RBAC resources before deployment (#2707)
Fixes #2694 Signed-off-by: Douglas Jordan <dwj300@gmail.com>
This commit is contained in:
Douglas Jordan
Ivan Sim
parent
e6a29728c8
commit
80634d6c8b
|
|
@ -5,6 +5,44 @@
|
||||||
### Proxy Injector
|
### Proxy Injector
|
||||||
###
|
###
|
||||||
---
|
---
|
||||||
|
kind: ServiceAccount
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-proxy-injector
|
||||||
|
namespace: {{.Namespace}}
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-{{.Namespace}}-proxy-injector
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
|
resources: ["mutatingwebhookconfigurations"]
|
||||||
|
verbs: ["create", "get", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["namespaces"]
|
||||||
|
verbs: ["list", "get", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods"]
|
||||||
|
verbs: ["list"]
|
||||||
|
- apiGroups: ["apps"]
|
||||||
|
resources: ["replicasets"]
|
||||||
|
verbs: ["list", "get", "watch"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-{{.Namespace}}-proxy-injector
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: linkerd-proxy-injector
|
||||||
|
namespace: {{.Namespace}}
|
||||||
|
apiGroup: ""
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: linkerd-{{.Namespace}}-proxy-injector
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
metadata:
|
metadata:
|
||||||
|
|
@ -61,44 +99,6 @@ spec:
|
||||||
configMap:
|
configMap:
|
||||||
name: linkerd-config
|
name: linkerd-config
|
||||||
---
|
---
|
||||||
kind: ServiceAccount
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-proxy-injector
|
|
||||||
namespace: {{.Namespace}}
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-{{.Namespace}}-proxy-injector
|
|
||||||
rules:
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
|
||||||
verbs: ["create", "get", "delete"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["namespaces"]
|
|
||||||
verbs: ["list", "get", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods"]
|
|
||||||
verbs: ["list"]
|
|
||||||
- apiGroups: ["apps"]
|
|
||||||
resources: ["replicasets"]
|
|
||||||
verbs: ["list", "get", "watch"]
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-{{.Namespace}}-proxy-injector
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: linkerd-proxy-injector
|
|
||||||
namespace: {{.Namespace}}
|
|
||||||
apiGroup: ""
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: linkerd-{{.Namespace}}-proxy-injector
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
kind: Service
|
kind: Service
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
||||||
|
|
@ -1333,6 +1333,44 @@ data:
|
||||||
### Proxy Injector
|
### Proxy Injector
|
||||||
###
|
###
|
||||||
---
|
---
|
||||||
|
kind: ServiceAccount
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-proxy-injector
|
||||||
|
namespace: linkerd
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-linkerd-proxy-injector
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
|
resources: ["mutatingwebhookconfigurations"]
|
||||||
|
verbs: ["create", "get", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["namespaces"]
|
||||||
|
verbs: ["list", "get", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods"]
|
||||||
|
verbs: ["list"]
|
||||||
|
- apiGroups: ["apps"]
|
||||||
|
resources: ["replicasets"]
|
||||||
|
verbs: ["list", "get", "watch"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-linkerd-proxy-injector
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: linkerd-proxy-injector
|
||||||
|
namespace: linkerd
|
||||||
|
apiGroup: ""
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: linkerd-linkerd-proxy-injector
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
|
|
@ -1480,44 +1518,6 @@ spec:
|
||||||
name: linkerd-identity-end-entity
|
name: linkerd-identity-end-entity
|
||||||
status: {}
|
status: {}
|
||||||
---
|
---
|
||||||
kind: ServiceAccount
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-proxy-injector
|
|
||||||
namespace: linkerd
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-linkerd-proxy-injector
|
|
||||||
rules:
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
|
||||||
verbs: ["create", "get", "delete"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["namespaces"]
|
|
||||||
verbs: ["list", "get", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods"]
|
|
||||||
verbs: ["list"]
|
|
||||||
- apiGroups: ["apps"]
|
|
||||||
resources: ["replicasets"]
|
|
||||||
verbs: ["list", "get", "watch"]
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-linkerd-proxy-injector
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: linkerd-proxy-injector
|
|
||||||
namespace: linkerd
|
|
||||||
apiGroup: ""
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: linkerd-linkerd-proxy-injector
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
kind: Service
|
kind: Service
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
||||||
|
|
@ -1278,6 +1278,44 @@ data:
|
||||||
### Proxy Injector
|
### Proxy Injector
|
||||||
###
|
###
|
||||||
---
|
---
|
||||||
|
kind: ServiceAccount
|
||||||
|
apiVersion: v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-proxy-injector
|
||||||
|
namespace: Namespace
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-Namespace-proxy-injector
|
||||||
|
rules:
|
||||||
|
- apiGroups: ["admissionregistration.k8s.io"]
|
||||||
|
resources: ["mutatingwebhookconfigurations"]
|
||||||
|
verbs: ["create", "get", "delete"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["namespaces"]
|
||||||
|
verbs: ["list", "get", "watch"]
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["pods"]
|
||||||
|
verbs: ["list"]
|
||||||
|
- apiGroups: ["apps"]
|
||||||
|
resources: ["replicasets"]
|
||||||
|
verbs: ["list", "get", "watch"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: linkerd-Namespace-proxy-injector
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: linkerd-proxy-injector
|
||||||
|
namespace: Namespace
|
||||||
|
apiGroup: ""
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: linkerd-Namespace-proxy-injector
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
|
|
@ -1414,44 +1452,6 @@ spec:
|
||||||
name: config
|
name: config
|
||||||
status: {}
|
status: {}
|
||||||
---
|
---
|
||||||
kind: ServiceAccount
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-proxy-injector
|
|
||||||
namespace: Namespace
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-Namespace-proxy-injector
|
|
||||||
rules:
|
|
||||||
- apiGroups: ["admissionregistration.k8s.io"]
|
|
||||||
resources: ["mutatingwebhookconfigurations"]
|
|
||||||
verbs: ["create", "get", "delete"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["namespaces"]
|
|
||||||
verbs: ["list", "get", "watch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods"]
|
|
||||||
verbs: ["list"]
|
|
||||||
- apiGroups: ["apps"]
|
|
||||||
resources: ["replicasets"]
|
|
||||||
verbs: ["list", "get", "watch"]
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: linkerd-Namespace-proxy-injector
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: linkerd-proxy-injector
|
|
||||||
namespace: Namespace
|
|
||||||
apiGroup: ""
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: linkerd-Namespace-proxy-injector
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
kind: Service
|
kind: Service
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
metadata:
|
metadata:
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue