diff --git a/config/200-addressable-resolvers-clusterrole.yaml b/config/200-addressable-resolvers-clusterrole.yaml
new file mode 100644
index 00000000000..275ee263b38
--- /dev/null
+++ b/config/200-addressable-resolvers-clusterrole.yaml
@@ -0,0 +1,86 @@
+# Copyright 2019 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Use this aggregated ClusterRole when you need readonly access to "Addressables"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: addressable-resolver
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ duck.knative.dev/addressable: "true"
+rules: [] # Rules are automatically filled in by the controller manager.
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: serving-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - serving.knative.dev
+ resources:
+ - routes
+ - routes/status
+ - services
+ - services/status
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: channel-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - channels
+ - channels/status
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: broker-addressable-resolver
+ labels:
+ duck.knative.dev/addressable: "true"
+# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
+rules:
+- apiGroups:
+ - eventing.knative.dev
+ resources:
+ - brokers
+ - brokers/status
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/config/200-controller-clusterrole.yaml b/config/200-controller-clusterrole.yaml
index 673507abafe..7b0d29bca4c 100644
--- a/config/200-controller-clusterrole.yaml
+++ b/config/200-controller-clusterrole.yaml
@@ -35,19 +35,6 @@ rules:
 - "patch"
 - "watch"
- # Knative Services are Addressables that Subscriptions and Triggers often point towards.
- - apiGroups:
- - "serving.knative.dev"
- resources:
- - "routes"
- - "routes/status"
- - "services"
- - "services/status"
- verbs:
- - "get"
- - "list"
- - "watch"
-
 # Channels and Triggers both manipulate VirtualServices.
 - apiGroups:
 - "networking.istio.io"
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index f3f174906da..9dd86d2780b 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
@@ -27,6 +27,21 @@ roleRef:
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eventing-controller-resolver
+subjects:
+ - kind: ServiceAccount
+ name: eventing-controller
+ namespace: knative-eventing
+roleRef:
+ kind: ClusterRole
+ name: addressable-resolver
+ apiGroup: rbac.authorization.k8s.io
+
+---
+ apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
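Review bot: The selector `duck.knative.dev/addressable: "true"` under `aggregationRule` matches every ClusterRole in the cluster carrying that label, not only the three defined in this file, so any ClusterRole labelled this way later is merged into `addressable-resolver` and flows to whichever subject is bound to it; the header comment should say so. Suggest `# Use this aggregated ClusterRole when you need read-only access to "Addressables". Any ClusterRole labelled duck.knative.dev/addressable: "true" is merged into it by the controller manager, so applying that label is itself a grant.` The three per-resource roles also write the API groups and `get`/`list`/`watch` as plain scalars while 200-controller-clusterrole.yaml quotes them (`- "get"`); both parse identically, but matching the sibling file keeps the config directory uniform.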
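Review bot: The new `eventing-controller-resolver` binding carries no comment explaining why the controller needs `addressable-resolver`, whereas the rule it replaces in 200-controller-clusterrole.yaml was documented (`# Knative Services are Addressables that Subscriptions and Triggers often point towards.`). Because `addressable-resolver` is aggregated, this binding also hands the eventing-controller ServiceAccount whatever a later labelled ClusterRole contributes, which is worth stating next to the binding rather than only in the role file. Suggest `# Read access to every Addressable, aggregated from ClusterRoles labelled duck.knative.dev/addressable, so Subscriptions and Triggers can resolve their targets.` above the new `apiVersion` line.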