apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: kruise-leader-election-role namespace: {{ .Values.installation.namespace }} rules: - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - configmaps/status verbs: - get - update - patch - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - events verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: kruise-daemon-role rules: - apiGroups: - apps.kruise.io resources: - nodeimages verbs: - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - nodeimages/status verbs: - get - patch - update - apiGroups: - "" resources: - events verbs: - create - update - patch - apiGroups: - apps.kruise.io resources: - containerrecreaterequests verbs: - get - list - watch - apiGroups: - apps.kruise.io resources: - containerrecreaterequests/status verbs: - get - patch - update - apiGroups: - "" resources: - pods verbs: - get - list - patch - update - watch - apiGroups: - "" resources: - pods/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - nodepodprobes verbs: - get - list - watch - apiGroups: - apps.kruise.io resources: - nodepodprobes/status verbs: - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: kruise-manager-role rules: - apiGroups: - "" resources: - secrets verbs: - create - delete - get - list - update - watch - apiGroups: {{ toYaml .Values.installation.roleListGroups | nindent 2}} resources: - '*' verbs: - list - apiGroups: - '*' resources: - '*/scale' verbs: - get - list - watch - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations verbs: - get - list - patch - update - watch - apiGroups: - admissionregistration.k8s.io resources: - validatingwebhookconfigurations verbs: - get - list - patch - update - watch - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - patch - update - watch - apiGroups: - apps resources: - controllerrevisions verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps resources: - deployments verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps resources: - deployments/status verbs: - get - patch - update - apiGroups: - apps resources: - replicasets verbs: - get - list - watch - apiGroups: - apps resources: - replicasets/status verbs: - get - apiGroups: - apps resources: - statefulsets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps resources: - statefulsets/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - advancedcronjobs verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - advancedcronjobs/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - advancedcronjobs/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - broadcastjobs verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - broadcastjobs/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - broadcastjobs/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - clonesets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - clonesets/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - clonesets/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - containerrecreaterequests verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - containerrecreaterequests/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - containerrecreaterequests/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - daemonsets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - daemonsets/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - daemonsets/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - ephemeraljobs verbs: - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - ephemeraljobs/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - imagelistpulljobs verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - imagelistpulljobs/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - imagelistpulljobs/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - imagepulljobs verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - imagepulljobs/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - imagepulljobs/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - nodeimages verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - nodeimages/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - nodeimages/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - nodepodprobes verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - nodepodprobes/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - nodepodprobes/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - persistentpodstates verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - persistentpodstates/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - persistentpodstates/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - podprobemarkers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - podprobemarkers/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - podprobemarkers/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - resourcedistributions verbs: - get - list - watch - apiGroups: - apps.kruise.io resources: - resourcedistributions/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - resourcedistributions/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - sidecarsets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - sidecarsets/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - sidecarsets/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - statefulsets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - statefulsets/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - statefulsets/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - uniteddeployments verbs: - create - delete - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - uniteddeployments/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - uniteddeployments/status verbs: - get - patch - update - apiGroups: - apps.kruise.io resources: - workloadspreads verbs: - get - list - patch - update - watch - apiGroups: - apps.kruise.io resources: - workloadspreads/finalizers verbs: - update - apiGroups: - apps.kruise.io resources: - workloadspreads/status verbs: - get - patch - update - apiGroups: - batch resources: - jobs verbs: - create - delete - get - list - patch - update - watch - apiGroups: - batch resources: - jobs/status verbs: - get - patch - update - apiGroups: - "" resources: - configmaps verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "" resources: - events verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "" resources: - namespaces verbs: - get - list - watch - apiGroups: - "" resources: - nodes verbs: - get - list - watch - apiGroups: - "" resources: - persistentvolumeclaims verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "" resources: - pods verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "" resources: - pods/ephemeralcontainers verbs: - get - patch - update - apiGroups: - "" resources: - pods/status verbs: - get - patch - update - apiGroups: - policy.kruise.io resources: - podunavailablebudgets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - policy.kruise.io resources: - podunavailablebudgets/finalizers verbs: - update - apiGroups: - policy.kruise.io resources: - podunavailablebudgets/status verbs: - get - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kruise-leader-election-rolebinding namespace: {{ .Values.installation.namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kruise-leader-election-role subjects: - kind: ServiceAccount name: kruise-manager namespace: {{ .Values.installation.namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kruise-manager-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kruise-manager-role subjects: - kind: ServiceAccount name: kruise-manager namespace: {{ .Values.installation.namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: kruise-daemon-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: kruise-daemon-role subjects: - kind: ServiceAccount name: kruise-daemon namespace: {{ .Values.installation.namespace }} --- --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: kruise-webhook-role namespace: {{ .Values.installation.namespace }} rules: - apiGroups: - "" resources: - secrets verbs: - create - delete - get - list - patch - update - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kruise-webhook-rolebinding namespace: {{ .Values.installation.namespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kruise-webhook-role subjects: - kind: ServiceAccount name: kruise-manager namespace: {{ .Values.installation.namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: creationTimestamp: null name: kruise-daemon-secret-role namespace: kruise-daemon-config rules: - apiGroups: - "" resources: - secrets verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: kruise-daemon-secret-rolebinding namespace: kruise-daemon-config roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: kruise-daemon-secret-role subjects: - kind: ServiceAccount name: kruise-daemon namespace: {{ .Values.installation.namespace }}