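---
# Cluster-scoped prerequisites for a Linkerd control plane: the namespace,
# one ServiceAccount per component, the ClusterRole/ClusterRoleBinding pair
# each component runs under, and the ServiceProfile CRD.
#
# All RBAC objects use rbac.authorization.k8s.io/v1. The v1beta1 RBAC API was
# removed in Kubernetes 1.22, and v1 accepts the same fields used here.
###
### Linkerd Namespace
###
---
kind: Namespace
apiVersion: v1
metadata:
  name: linkerd
  annotations:
    # Opts the control-plane namespace out of automatic proxy injection.
    linkerd.io/inject: disabled
---
###
### Identity Controller Service RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
rules:
# The only permission granted is creating TokenReview objects, i.e. asking the
# API server whether a presented bearer token is valid and whose it is.
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-identity
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-identity
subjects:
- kind: ServiceAccount
  name: linkerd-identity
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-identity
  namespace: linkerd
---
###
### Controller RBAC
###
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-controller
rules:
# Read-only (list/get/watch) across every namespace. No rule covers secrets or
# configmaps, and no rule grants a write verb.
- apiGroups: ["extensions", "apps"]
  resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["extensions", "batch"]
  resources: ["jobs"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods", "endpoints", "services", "replicationcontrollers", "namespaces"]
  verbs: ["list", "get", "watch"]
- apiGroups: ["linkerd.io"]
  resources: ["serviceprofiles"]
  verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-controller
subjects:
- kind: ServiceAccount
  name: linkerd-controller
  namespace: linkerd
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-controller
  namespace: linkerd
---
###
### Service Profile CRD
###
---
# NOTE(review): apiextensions.k8s.io/v1beta1 was removed in Kubernetes 1.22.
# It is left unchanged because apiextensions.k8s.io/v1 requires a structural
# OpenAPI schema and a `versions` list, which this definition does not carry.
# No validation schema is declared here, so the API server does not check the
# shape of ServiceProfile objects itself.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: serviceprofiles.linkerd.io
  annotations:
    linkerd.io/created-by: linkerd/cli dev-undefined
spec:
  group: linkerd.io
  version: v1alpha1
  scope: Namespaced
  names:
    plural: serviceprofiles
    singular: serviceprofile
    kind: ServiceProfile
    shortNames:
    - sp
---
###
### Prometheus RBAC
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-prometheus
  namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-prometheus
rules:
# Read-only access to pods in every namespace; nothing else is granted.
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: linkerd-linkerd-prometheus
subjects:
- kind: ServiceAccount
  name: linkerd-prometheus
  namespace: linkerd
---
###
### Proxy Injector RBAC
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
rules:
# NOTE(review): this is the most sensitive grant in the file. A principal that
# can create a MutatingWebhookConfiguration can have the API server send
# objects to an endpoint of its choosing and apply the returned patches, for
# whatever resources the webhook's rules match. Treat this ServiceAccount's
# token as cluster-critical. `create` cannot be restricted by resourceNames,
# but `get` and `delete` could be narrowed to the one configuration this
# component manages. Audit-log alerts on create/delete of webhook
# configurations are a reasonable compensating control.
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list", "get", "watch"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["list", "get", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-proxy-injector
subjects:
- kind: ServiceAccount
  name: linkerd-proxy-injector
  namespace: linkerd
  # ServiceAccount subjects live in the core API group, hence the empty string.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
###
### Service Profile Validator RBAC
###
---
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-sp-validator
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["list"]
# NOTE(review): create/delete on ValidatingWebhookConfigurations is
# cluster-wide. A validating webhook cannot patch objects, but it can reject
# admission requests and it receives the objects it is registered for, so this
# token is also high-value. `get` and `delete` could be narrowed with
# resourceNames; `create` cannot.
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["validatingwebhookconfigurations"]
  verbs: ["create", "get", "delete"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-linkerd-sp-validator
subjects:
- kind: ServiceAccount
  name: linkerd-sp-validator
  namespace: linkerd
  # ServiceAccount subjects live in the core API group, hence the empty string.
  apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-linkerd-sp-validator
  apiGroup: rbac.authorization.k8s.io
---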