mirror of https://github.com/linkerd/linkerd2.git
71 lines
1.6 KiB
YAML
71 lines
1.6 KiB
YAML
{{with .Values -}}
|
|
---
|
|
###
|
|
### Service Profile Validator RBAC
|
|
###
|
|
---
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: linkerd-{{.Namespace}}-sp-validator
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["list"]
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: linkerd-{{.Namespace}}-sp-validator
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: linkerd-sp-validator
|
|
namespace: {{.Namespace}}
|
|
apiGroup: ""
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: linkerd-{{.Namespace}}-sp-validator
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
kind: ServiceAccount
|
|
apiVersion: v1
|
|
metadata:
|
|
name: linkerd-sp-validator
|
|
namespace: {{.Namespace}}
|
|
---
|
|
kind: Secret
|
|
apiVersion: v1
|
|
metadata:
|
|
name: linkerd-sp-validator-tls
|
|
namespace: {{ .Namespace }}
|
|
labels:
|
|
{{ .ControllerComponentLabel }}: sp-validator
|
|
annotations:
|
|
{{ .CreatedByAnnotation }}: {{ .CliVersion }}
|
|
type: Opaque
|
|
data:
|
|
crt.pem: {{ b64enc .ProfileValidator.CrtPEM }}
|
|
key.pem: {{ b64enc .ProfileValidator.KeyPEM }}
|
|
---
|
|
apiVersion: admissionregistration.k8s.io/v1beta1
|
|
kind: ValidatingWebhookConfiguration
|
|
metadata:
|
|
name: linkerd-{{ .Namespace }}-sp-validator-webhook-config
|
|
labels:
|
|
{{ .ControllerComponentLabel }}: sp-validator
|
|
webhooks:
|
|
- name: linkerd-sp-validator.linkerd.io
|
|
clientConfig:
|
|
service:
|
|
name: linkerd-sp-validator
|
|
namespace: {{ .Namespace }}
|
|
path: "/"
|
|
caBundle: {{ b64enc .ProfileValidator.CrtPEM }}
|
|
failurePolicy: Fail
|
|
rules:
|
|
- operations: [ "CREATE" , "UPDATE" ]
|
|
apiGroups: ["linkerd.io"]
|
|
apiVersions: ["v1alpha1"]
|
|
resources: ["serviceprofiles"]
|
|
{{end -}}
|