Created
March 15, 2022 17:00
-
-
Save JasonMorgan/e2ef5cbbc8679d39be66bb40f1407810 to your computer and use it in GitHub Desktop.
linkerd permission objects
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| ### | |
| ### Linkerd Namespace | |
| ### | |
| kind: Namespace | |
| apiVersion: v1 | |
| metadata: | |
| name: linkerd | |
| annotations: | |
| linkerd.io/inject: disabled | |
| labels: | |
| linkerd.io/is-control-plane: "true" | |
| config.linkerd.io/admission-webhooks: disabled | |
| linkerd.io/control-plane-ns: linkerd | |
| --- | |
| ### | |
| ### Identity Controller Service RBAC | |
| ### | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: linkerd-linkerd-identity | |
| labels: | |
| linkerd.io/control-plane-component: identity | |
| linkerd.io/control-plane-ns: linkerd | |
| rules: | |
| - apiGroups: ["authentication.k8s.io"] | |
| resources: ["tokenreviews"] | |
| verbs: ["create"] | |
| - apiGroups: ["apps"] | |
| resources: ["deployments"] | |
| verbs: ["get"] | |
| - apiGroups: [""] | |
| resources: ["events"] | |
| verbs: ["create", "patch"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: linkerd-linkerd-identity | |
| labels: | |
| linkerd.io/control-plane-component: identity | |
| linkerd.io/control-plane-ns: linkerd | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: linkerd-linkerd-identity | |
| subjects: | |
| - kind: ServiceAccount | |
| name: linkerd-identity | |
| namespace: linkerd | |
| --- | |
| kind: ServiceAccount | |
| apiVersion: v1 | |
| metadata: | |
| name: linkerd-identity | |
| namespace: linkerd | |
| labels: | |
| linkerd.io/control-plane-component: identity | |
| linkerd.io/control-plane-ns: linkerd | |
| --- | |
| ### | |
| ### Destination Controller Service | |
| ### | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: linkerd-linkerd-destination | |
| labels: | |
| linkerd.io/control-plane-component: destination | |
| linkerd.io/control-plane-ns: linkerd | |
| rules: | |
| - apiGroups: ["apps"] | |
| resources: ["replicasets"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: ["batch"] | |
| resources: ["jobs"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: [""] | |
| resources: ["pods", "endpoints", "services", "nodes", "namespaces"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: ["linkerd.io"] | |
| resources: ["serviceprofiles"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: ["split.smi-spec.io"] | |
| resources: ["trafficsplits"] | |
| verbs: ["list", "get", "watch"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: linkerd-linkerd-destination | |
| labels: | |
| linkerd.io/control-plane-component: destination | |
| linkerd.io/control-plane-ns: linkerd | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: linkerd-linkerd-destination | |
| subjects: | |
| - kind: ServiceAccount | |
| name: linkerd-destination | |
| namespace: linkerd | |
| --- | |
| kind: ServiceAccount | |
| apiVersion: v1 | |
| metadata: | |
| name: linkerd-destination | |
| namespace: linkerd | |
| labels: | |
| linkerd.io/control-plane-component: destination | |
| linkerd.io/control-plane-ns: linkerd | |
| --- | |
| apiVersion: admissionregistration.k8s.io/v1 | |
| kind: ValidatingWebhookConfiguration | |
| metadata: | |
| name: linkerd-sp-validator-webhook-config | |
| labels: | |
| linkerd.io/control-plane-component: destination | |
| linkerd.io/control-plane-ns: linkerd | |
| webhooks: | |
| - name: linkerd-sp-validator.linkerd.io | |
| namespaceSelector: | |
| matchExpressions: | |
| - key: config.linkerd.io/admission-webhooks | |
| operator: NotIn | |
| values: | |
| - disabled | |
| clientConfig: | |
| service: | |
| name: linkerd-sp-validator | |
| namespace: linkerd | |
| path: "/" | |
| caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURUVENDQWpXZ0F3SUJBZ0lSQUxEVjBvL3dWaDhHcExTQ2NVSUs4TFl3RFFZSktvWklodmNOQVFFTEJRQXcKS3pFcE1DY0dBMVVFQXhNZ2JHbHVhMlZ5WkMxemNDMTJZV3hwWkdGMGIzSXViR2x1YTJWeVpDNXpkbU13SGhjTgpNakl3TXpFMU1UWTFOakF3V2hjTk1qTXdNekUxTVRZMU5qQXdXakFyTVNrd0p3WURWUVFERXlCc2FXNXJaWEprCkxYTndMWFpoYkdsa1lYUnZjaTVzYVc1clpYSmtMbk4yWXpDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVAKQURDQ0FRb0NnZ0VCQUwwZnlmWFl2RUhsSE4vT3BRV244WW5ySUhHVUd0ZDZmN3JORVhsbXNNMklab0lIRTRjTApqb2VpY2dkek9QSHhBbHF1MVVCdXF6MXY3a0N3NzdTZzJsTSs0THNNbGZrZEZMUVdQM3liK1ljK2lUekpBTVlVClUwV3R6cnpyVXFxb2RoaEFCeUQ4Zk5RWGJJYldlUENZaTJ0ZkdMQ0dWMmhHOCtrUThTSlNxajZTQXJDeXQxSEIKanJtVTFyQUhGM3FibjlUendiZ3BMYjFMOEM0OGtMR2NZc0NpRkQrWlhndmwvaHFTMnQ2WEEwZEJlYUNwOTRWaApMNUNpbmw2a284V2tMMjlGKzQzUUR4dmEzd1dabkVud1B0QjhPY2hHTzRoaXpRQ21oV0o0UGorTTlueGh1ZERWClFCM2lDdnJablZBbXc4bW1WQzg0akRxQWw4RGRuaGJnVVJzQ0F3RUFBYU5zTUdvd0RnWURWUjBQQVFIL0JBUUQKQWdXZ01CMEdBMVVkSlFRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRkJRY0RBakFNQmdOVkhSTUJBZjhFQWpBQQpNQ3NHQTFVZEVRUWtNQ0tDSUd4cGJtdGxjbVF0YzNBdGRtRnNhV1JoZEc5eUxteHBibXRsY21RdWMzWmpNQTBHCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFCb0JORk5kMk10dkZWQ1MzUFVCckNic2NsczM5dnlPVW13aGdROWRqYUcKNTJtTXhMeTlwZ0p6bnFjUmxqa1ZaYzJWekhaY3JkaGZCUXlDSjRsaTJjTmFLYmFRWlVDNjVqNksraEZZMXNZZgpTazFrNGRZN204RUFKT1RQYTlaNDJmd3A1cWpCeVMrSlk5dDVtNVovU2loNi96ZEpiQThtc1Q1TWpyNVFrQmRkCkJFU1A3VEpuZ2RRQ2h1TlhWSWg5OVIrMG5HUkpFZEtNbDlQc1k4ai95bXVsYlQrMmFLeFk2bzVsNjdVc0JYVEIKa0dNbWt4ZWlVTEY4NU5aZXlXaitiMGJuSE9LUXkrejlmK2NCNmlMVnRFeGw1ZWJyb3RKVkkyak92ZzUrUW4waQpZeFUvdjVqSkxYZnJXYkZzTC93aGZmTTlBZTM5ZmYxcitQZlRKdkJkRFMwawotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t | |
| failurePolicy: Ignore | |
| admissionReviewVersions: ["v1", "v1beta1"] | |
| rules: | |
| - operations: ["CREATE", "UPDATE"] | |
| apiGroups: ["linkerd.io"] | |
| apiVersions: ["v1alpha1", "v1alpha2"] | |
| resources: ["serviceprofiles"] | |
| sideEffects: None | |
| --- | |
| apiVersion: admissionregistration.k8s.io/v1 | |
| kind: ValidatingWebhookConfiguration | |
| metadata: | |
| name: linkerd-policy-validator-webhook-config | |
| labels: | |
| linkerd.io/control-plane-component: destination | |
| linkerd.io/control-plane-ns: linkerd | |
| webhooks: | |
| - name: linkerd-policy-validator.linkerd.io | |
| namespaceSelector: | |
| matchExpressions: | |
| - key: config.linkerd.io/admission-webhooks | |
| operator: NotIn | |
| values: | |
| - disabled | |
| clientConfig: | |
| service: | |
| name: linkerd-policy-validator | |
| namespace: linkerd | |
| path: "/" | |
| caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURXRENDQWtDZ0F3SUJBZ0lRVVEyT21VOEpRM0FackJGTWE1OHM5akFOQmdrcWhraUc5dzBCQVFzRkFEQXYKTVMwd0t3WURWUVFERXlSc2FXNXJaWEprTFhCdmJHbGplUzEyWVd4cFpHRjBiM0l1YkdsdWEyVnlaQzV6ZG1NdwpIaGNOTWpJd016RTFNVFkxTmpBd1doY05Nak13TXpFMU1UWTFOakF3V2pBdk1TMHdLd1lEVlFRREV5UnNhVzVyClpYSmtMWEJ2YkdsamVTMTJZV3hwWkdGMGIzSXViR2x1YTJWeVpDNXpkbU13Z2dFaU1BMEdDU3FHU0liM0RRRUIKQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUN3UFpWdzNTVy8rZ3VQOHJRRHd3djhwSWpCNFlkY1c1TGtzVjRVbVpHNApFKzZvVStWUVVxdkxWa1c4cnVWSTJzQWJIeHV5UEc3MTdUeEU0SnV0aFh5dXhINURXWlVBMnFiYmg4YTVBMVl5Clh5ZHlqRjhTVytFOHNWMkQvVVR2aW5heGtHQjk3L2pkWEwyMjhhMjM2VlNzZ3R1QWtCSHh6NGUxeks4ZmJFbXMKVGVqTWo0TEY1ak5PZFRLa0J2dEx5eGtTbFFMeG1UNXhZVUhWYWN1cWVjQzU0M0ZLM1J1dzV1cWxPVjRGa1NLZgpweXlmNExIVUQrVFo5cUUyc2RxVWUzbDZ0emVqM1d4ZmF1SWtkaUJtWDhxQVEzcEtieGlHUTJHQjFkMW0wSzZjCjRsQW9RZjFyYThyMlBGeWZqNEtKU3hmVlhlcTJTaUY4VG1TWkU1SUI2K3lKQWdNQkFBR2pjREJ1TUE0R0ExVWQKRHdFQi93UUVBd0lGb0RBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSEF3SXdEQVlEVlIwVApBUUgvQkFJd0FEQXZCZ05WSFJFRUtEQW1naVJzYVc1clpYSmtMWEJ2YkdsamVTMTJZV3hwWkdGMGIzSXViR2x1CmEyVnlaQzV6ZG1Nd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFGVzZSYlhhSTV4UElhbGwvaUptdXZVSHNKWmEKU1JKNGtuVWRvM09vVG4rZ2NXL0FqUnVJS3YzcE0vQzgrMEV0OEdyWlZaQVo1ZEg2cmQ1T3FRMXlqSk9PeEFKMAo3SHJiYUxYYnJYMUJ4WmN3czhZc0V0WXVPWVZ6TlF0cEFCRTBMaitYd0MxUlE4NWswZjZDclFCblZVaG5ER2dtCmNnSTZrbGdFSHBzTDIvTzdkTHFoQU9OdDJoU3dibVBZNnZXSUhSREhmd0Z6RjIvNDFzc0FzS2VVMTdCWGZzREwKTDU2UzlzZUErRTBvM2F3SUhEdmhVUTUvZUwydHl5a3pNT2h0dVc4bHFseHpzYkxnKzBNQW5QQll3WnBMZVZNZwoza1FiOWliVnF5ckZzV010MzJyWm9rWHJtNmVJSkoxS3FxdnhPQ0NFVjE1Unk4aXl3dkhUcjcrdTVtVT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ== | |
| failurePolicy: Ignore | |
| admissionReviewVersions: ["v1", "v1beta1"] | |
| rules: | |
| - operations: ["CREATE", "UPDATE"] | |
| apiGroups: ["policy.linkerd.io"] | |
| apiVersions: ["v1alpha1", "v1beta1"] | |
| resources: ["servers"] | |
| sideEffects: None | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: linkerd-policy | |
| labels: | |
| app.kubernetes.io/part-of: Linkerd | |
| linkerd.io/control-plane-component: destination | |
| linkerd.io/control-plane-ns: linkerd | |
| rules: | |
| - apiGroups: | |
| - "" | |
| resources: | |
| - pods | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| - apiGroups: | |
| - policy.linkerd.io | |
| resources: | |
| - servers | |
| - serverauthorizations | |
| verbs: | |
| - get | |
| - list | |
| - watch | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: linkerd-destination-policy | |
| labels: | |
| app.kubernetes.io/part-of: Linkerd | |
| linkerd.io/control-plane-component: destination | |
| linkerd.io/control-plane-ns: linkerd | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: ClusterRole | |
| name: linkerd-policy | |
| subjects: | |
| - kind: ServiceAccount | |
| name: linkerd-destination | |
| namespace: linkerd | |
| --- | |
| ### | |
| ### Heartbeat RBAC | |
| ### | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: linkerd-heartbeat | |
| namespace: linkerd | |
| labels: | |
| linkerd.io/control-plane-ns: linkerd | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["configmaps"] | |
| verbs: ["get"] | |
| resourceNames: ["linkerd-config"] | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: linkerd-heartbeat | |
| namespace: linkerd | |
| labels: | |
| linkerd.io/control-plane-ns: linkerd | |
| roleRef: | |
| kind: Role | |
| name: linkerd-heartbeat | |
| apiGroup: rbac.authorization.k8s.io | |
| subjects: | |
| - kind: ServiceAccount | |
| name: linkerd-heartbeat | |
| namespace: linkerd | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRole | |
| metadata: | |
| name: linkerd-heartbeat | |
| labels: | |
| linkerd.io/control-plane-ns: linkerd | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["namespaces"] | |
| verbs: ["list"] | |
| - apiGroups: ["linkerd.io"] | |
| resources: ["serviceprofiles"] | |
| verbs: ["list"] | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: ClusterRoleBinding | |
| metadata: | |
| name: linkerd-heartbeat | |
| labels: | |
| linkerd.io/control-plane-ns: linkerd | |
| roleRef: | |
| kind: ClusterRole | |
| name: linkerd-heartbeat | |
| apiGroup: rbac.authorization.k8s.io | |
| subjects: | |
| - kind: ServiceAccount | |
| name: linkerd-heartbeat | |
| namespace: linkerd | |
| --- | |
| kind: ServiceAccount | |
| apiVersion: v1 | |
| metadata: | |
| name: linkerd-heartbeat | |
| namespace: linkerd | |
| labels: | |
| linkerd.io/control-plane-component: heartbeat | |
| linkerd.io/control-plane-ns: linkerd | |
| --- | |
| ### | |
| ### Proxy Injector RBAC | |
| ### | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: linkerd-linkerd-proxy-injector | |
| labels: | |
| linkerd.io/control-plane-component: proxy-injector | |
| linkerd.io/control-plane-ns: linkerd | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["events"] | |
| verbs: ["create", "patch"] | |
| - apiGroups: [""] | |
| resources: ["namespaces", "replicationcontrollers"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: [""] | |
| resources: ["pods"] | |
| verbs: ["list", "watch"] | |
| - apiGroups: ["extensions", "apps"] | |
| resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] | |
| verbs: ["list", "get", "watch"] | |
| - apiGroups: ["extensions", "batch"] | |
| resources: ["cronjobs", "jobs"] | |
| verbs: ["list", "get", "watch"] | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: linkerd-linkerd-proxy-injector | |
| labels: | |
| linkerd.io/control-plane-component: proxy-injector | |
| linkerd.io/control-plane-ns: linkerd | |
| subjects: | |
| - kind: ServiceAccount | |
| name: linkerd-proxy-injector | |
| namespace: linkerd | |
| apiGroup: "" | |
| roleRef: | |
| kind: ClusterRole | |
| name: linkerd-linkerd-proxy-injector | |
| apiGroup: rbac.authorization.k8s.io | |
| --- | |
| kind: ServiceAccount | |
| apiVersion: v1 | |
| metadata: | |
| name: linkerd-proxy-injector | |
| namespace: linkerd | |
| labels: | |
| linkerd.io/control-plane-component: proxy-injector | |
| linkerd.io/control-plane-ns: linkerd | |
| --- | |
| apiVersion: admissionregistration.k8s.io/v1 | |
| kind: MutatingWebhookConfiguration | |
| metadata: | |
| name: linkerd-proxy-injector-webhook-config | |
| labels: | |
| linkerd.io/control-plane-component: proxy-injector | |
| linkerd.io/control-plane-ns: linkerd | |
| webhooks: | |
| - name: linkerd-proxy-injector.linkerd.io | |
| namespaceSelector: | |
| matchExpressions: | |
| - key: config.linkerd.io/admission-webhooks | |
| operator: NotIn | |
| values: | |
| - disabled | |
| clientConfig: | |
| service: | |
| name: linkerd-proxy-injector | |
| namespace: linkerd | |
| path: "/" | |
| caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURVakNDQWpxZ0F3SUJBZ0lRSEt6eUkyYkFadE5QTnNpQnF6dFRzakFOQmdrcWhraUc5dzBCQVFzRkFEQXQKTVNzd0tRWURWUVFERXlKc2FXNXJaWEprTFhCeWIzaDVMV2x1YW1WamRHOXlMbXhwYm10bGNtUXVjM1pqTUI0WApEVEl5TURNeE5URTJOVFl3TUZvWERUSXpNRE14TlRFMk5UWXdNRm93TFRFck1Da0dBMVVFQXhNaWJHbHVhMlZ5ClpDMXdjbTk0ZVMxcGJtcGxZM1J2Y2k1c2FXNXJaWEprTG5OMll6Q0NBU0l3RFFZSktvWklodmNOQVFFQkJRQUQKZ2dFUEFEQ0NBUW9DZ2dFQkFOWFNYZVpWUW1zVTBScXYwcXBVUXpiS2Z0Y2FJYzhwZ2crWG9kVmgzblZHa2J3bgpmWnhDK2h0L0Rmb3RpdHVyWDNNTUtlaGhQeGlvMGI3a0JVVXJoZFYyVFRFaGRucTF6RmFuN0ZTMWhVWlFtN2xVCnFCVmxhM1R0dnkrSW5lTkN5OXMxL0ZiVU4wODJtS0Q3VC9PRzNvRmZ4R0ttOHl2WkZnWUJqZDRjMUM4b0FQaFkKeEpXQ3lmRkU2MzlKSVZZalNiTHpIaW5tMldLQ2U3SzlVc28yem9iWVdRZGQ3ak0wc2R4dmtkb1F3UEs5dktNcQo1dzBzVjA4dkVFczVTVm5jblJaeDViRXRpL2dvU2c3MHVnWHFMZk45d2M2NGdycitGd045L3VSbFEwT21aemJCCjFmYmdzaHBQQ1RvVXRLWDlwbU9XRzRXMnZhK3lmQ01wTWgwNlVmRUNBd0VBQWFOdU1Hd3dEZ1lEVlIwUEFRSC8KQkFRREFnV2dNQjBHQTFVZEpRUVdNQlFHQ0NzR0FRVUZCd01CQmdnckJnRUZCUWNEQWpBTUJnTlZIUk1CQWY4RQpBakFBTUMwR0ExVWRFUVFtTUNTQ0lteHBibXRsY21RdGNISnZlSGt0YVc1cVpXTjBiM0l1YkdsdWEyVnlaQzV6CmRtTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBSTVvWWV6eE1pN0d4V1dIVGZKRUxEdlVuZkx1b3pkT0NabUkKRXFLZmJHaWNiY0V2VlA0WlpzbDgybTJETHVOZ1RUSnlWcmd6MjgwaW41ZFgyVW4vaWJuYmJUL3RmY3BuN3o1ZApkMUwxNHIxV1MrZkl4cFA5YU9tV0lZYUZBTFNpRG9hRGV1SXA2K3JTY1ZnTlA1OTVuMjd2T0JiK0JXWG1zWS9wCmdVSFE4MmQ1YnkwNzdIS3JJaklxc2ZoM3N2Tk81U1VXYVo3TWFJZldMVVRhZGdKZGUzZHJJeUFocnpzdlZwL1QKNmV0dWI5Vkx3ZHVWQzJqbW53dlh6eU8wTFMwbE83M2FEeDRUdW40UVNHZWc2NWc4KzdBTjc2NkhCSElWSURrMAo1cUx0RThiaDF1QkFyaWpUN3Z2WFZxV2VzbldxdVZ6SmRxcWdxdU9KWkVHV0NWSVJXczg9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0= | |
| failurePolicy: Ignore | |
| admissionReviewVersions: ["v1", "v1beta1"] | |
| rules: | |
| - operations: [ "CREATE" ] | |
| apiGroups: [""] | |
| apiVersions: ["v1"] | |
| resources: ["pods", "services"] | |
| sideEffects: None |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment