linkerd2/chart/templates/proxy_injector-rbac.yaml


{{with .Values -}}
---
###
### Proxy Injector RBAC
###
---
# Cluster-wide permissions for the proxy injector's ServiceAccount.
# Every rule is read-only (list/get/watch); none grants create, update,
# patch or delete, and no rule covers secrets. As a ClusterRole, these reads
# apply across all namespaces, so keep additions to this list minimal.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{ .Namespace }}-proxy-injector
rules:
  # Core API group: namespace objects.
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list", "get", "watch"]
  # Core API group: pods, list only (no get/watch).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
  # apps group: ReplicaSets.
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["list", "get", "watch"]
---
# Grants the proxy-injector ClusterRole to exactly one subject: the
# linkerd-proxy-injector ServiceAccount in the install namespace.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: linkerd-{{ .Namespace }}-proxy-injector
subjects:
  - kind: ServiceAccount
    name: linkerd-proxy-injector
    namespace: {{ .Namespace }}
    # ServiceAccount subjects live in the core API group, hence "".
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: linkerd-{{ .Namespace }}-proxy-injector
  apiGroup: rbac.authorization.k8s.io
---
# Identity that the ClusterRoleBinding in this file names as its subject.
# NOTE(review): presumably the proxy-injector workload runs as this account;
# the Deployment is not part of this template, so confirm there.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: linkerd-proxy-injector
  namespace: {{ .Namespace }}
---
# Certificate and private key for the proxy injector, rendered from chart
# values (.ProxyInjector.CrtPEM / .ProxyInjector.KeyPEM).
#
# Handling notes:
#   - b64enc is only the encoding that the Secret `data` field requires; it
#     is not encryption. The rendered manifest and the values that feed it
#     contain the private key, so keep both out of version control and CI
#     logs.
#   - Any principal with get/list on secrets in this namespace can read
#     key.pem. Scope such RBAC tightly, and consider encryption at rest for
#     Secrets on the cluster.
#   - crt.pem is the same certificate that the webhook configuration in this
#     file publishes as caBundle, so the two must be rotated together.
kind: Secret
apiVersion: v1
metadata:
  name: linkerd-proxy-injector-tls
  namespace: {{ .Namespace }}
  labels:
    {{ .ControllerComponentLabel }}: proxy-injector
  annotations:
    {{ .CreatedByAnnotation }}: {{ .CliVersion }}
type: Opaque
data:
  crt.pem: {{ b64enc .ProxyInjector.CrtPEM }}
  key.pem: {{ b64enc .ProxyInjector.KeyPEM }}
---
# Registers the proxy injector as a mutating admission webhook for pod
# CREATE and UPDATE requests.
#
# NOTE(review): admissionregistration.k8s.io/v1beta1 was removed in
# Kubernetes 1.22. Moving to v1 also requires setting `sideEffects` and
# `admissionReviewVersions`, and the injector must accept the review version
# listed there. Confirm the supported cluster range before changing this.
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: linkerd-{{ .Namespace }}-proxy-injector-webhook-config
  labels:
    {{ .ControllerComponentLabel }}: proxy-injector
webhooks:
  - name: linkerd-proxy-injector.linkerd.io
    # Only namespaces that do NOT carry this label are sent to the webhook;
    # any namespace that has the label is exempt from injection. Permission
    # to label namespaces is therefore permission to opt a namespace out.
    namespaceSelector:
      matchExpressions:
        - key: {{ .LinkerdNamespaceLabel }}
          operator: DoesNotExist
    clientConfig:
      service:
        name: linkerd-proxy-injector
        namespace: {{ .Namespace }}
        path: "/"
      # Same certificate as crt.pem in the linkerd-proxy-injector-tls
      # Secret: the API server trusts the serving certificate directly
      # rather than a separate CA. Rotation must update both places.
      caBundle: {{ b64enc .ProxyInjector.CrtPEM }}
    # Fail closed: if the webhook cannot be reached or returns an error,
    # matching pod CREATE/UPDATE requests are rejected, not admitted
    # uninjected. That makes the injector an availability dependency for
    # pod admission in every namespace the selector above matches.
    failurePolicy: Fail
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
{{end -}}