flink-kubernetes-operator/helm/flink-kubernetes-operator/templates/rbac/cluster_role.yaml at 75f5ef8a4b33257ad4d61ef8816a46cb8b5e9e76 · apache/flink-kubernetes-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
{{- /*
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/ -}}

{{- if and .Values.rbac.create .Values.rbac.operatorRole.create }}
{{- if not .Values.watchNamespaces }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "flink-operator.roleName" $ }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "flink-operator.labels" . | nindent 4 }}
{{- template "flink-operator.rbacRules" $ }}
{{- end }}
{{- end }}

{{- /*
create user-facing role, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles for more information

view need permission of object and object/status with verbs [get, list, watch]
edit need permission of object with verbs [create, update, delete, patch, deletecollection]
refer https://github.com/kubernetes/kubernetes/blob/release-1.34/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go#L111-L186
*/ -}}
{{- if and .Values.rbac.create .Values.rbac.userFacingRole.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flink-operator-viewer-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - flink.apache.org
    resources:
      - flinkdeployments
      - flinkdeployments/status
      - flinksessionjobs
      - flinksessionjobs/status
      - flinkstatesnapshots
      - flinkstatesnapshots/status
      - flinkbluegreendeployments
      - flinkbluegreendeployments/status
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flink-operator-editor-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  - apiGroups:
      - flink.apache.org
    resources:
      - flinkdeployments
      - flinksessionjobs
      - flinkstatesnapshots
      - flinkbluegreendeployments
    verbs:
      - create
      - update
      - delete
      - patch
      - deletecollection
{{- end }}