1+ # ! metalk8s_kubernetes
2+
3+ # ServiceAccount for ui-operator
4+ apiVersion: v1
5+ kind: ServiceAccount
6+ metadata:
7+ name: ui-operator
8+ namespace: metalk8s-ui
9+ labels:
10+ app.kubernetes.io/name : ui-operator
11+ app.kubernetes.io/managed-by : salt
12+ app.kubernetes.io/part-of : metalk8s
13+ heritage: metalk8s
14+ automountServiceAccountToken: true
15+
16+ ---
17+ # ClusterRole for ui-operator
18+ apiVersion: rbac.authorization.k8s.io/v1
19+ kind: ClusterRole
20+ metadata:
21+ name: ui-operator
22+ labels:
23+ app.kubernetes.io/name : ui-operator
24+ app.kubernetes.io/managed-by : salt
25+ app.kubernetes.io/part-of : metalk8s
26+ heritage: metalk8s
27+ rules:
28+ # Core API permissions
29+ - apiGroups: [" " ]
30+ resources: [" configmaps" , " secrets" , " services" , " endpoints" ]
31+ verbs: [" get" , " list" , " watch" , " create" , " update" , " patch" , " delete" ]
32+ - apiGroups: [" " ]
33+ resources: [" namespaces" ]
34+ verbs: [" get" , " list" , " watch" ]
35+ - apiGroups: [" " ]
36+ resources: [" events" ]
37+ verbs: [" create" , " patch" ]
38+ # Apps API permissions
39+ - apiGroups: [" apps" ]
40+ resources: [" deployments" , " replicasets" ]
41+ verbs: [" get" , " list" , " watch" , " create" , " update" , " patch" , " delete" ]
42+ # Extensions for UI-specific resources
43+ - apiGroups: [" networking.k8s.io" ]
44+ resources: [" ingresses" ]
45+ verbs: [" get" , " list" , " watch" , " create" , " update" , " patch" , " delete" ]
46+ # Custom resources for UI operator
47+ - apiGroups: [" ui.scality.com" ]
48+ resources: [" *" ]
49+ verbs: [" *" ]
50+ # Leader election
51+ - apiGroups: [" coordination.k8s.io" ]
52+ resources: [" leases" ]
53+ verbs: [" get" , " list" , " watch" , " create" , " update" , " patch" , " delete" ]
54+
55+ ---
56+ # ClusterRoleBinding for ui-operator
57+ apiVersion: rbac.authorization.k8s.io/v1
58+ kind: ClusterRoleBinding
59+ metadata:
60+ name: ui-operator
61+ labels:
62+ app.kubernetes.io/name : ui-operator
63+ app.kubernetes.io/managed-by : salt
64+ app.kubernetes.io/part-of : metalk8s
65+ heritage: metalk8s
66+ roleRef:
67+ apiGroup: rbac.authorization.k8s.io
68+ kind: ClusterRole
69+ name: ui-operator
70+ subjects:
71+ - kind: ServiceAccount
72+ name: ui-operator
73+ namespace: metalk8s-ui
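Review bot: The first ClusterRole rule (new-file lines 29–31) gives the ui-operator ServiceAccount get/list/watch/create/update/patch/delete on `secrets`, and because the role is attached through a ClusterRoleBinding (lines 56–73) that grant covers every Secret in every namespace, so a compromised operator pod or leaked token exposes Secrets cluster-wide. If the operator only manages objects in `metalk8s-ui` (the page does not show what it reconciles), the namespaced rules for core, apps, ingresses and leases belong in a `Role` and `RoleBinding` in that namespace, leaving only the `namespaces` read rule and the custom-resource rule in the ClusterRole. If cross-namespace Secret access is really required, narrow it to the read verbs or pin it with `resourceNames`. The `ui.scality.com` rule with `resources: ["*"]` and `verbs: ["*"]` would also be tighter as an explicit list of the CRD resources and the verbs the controller actually uses, since the wildcard silently extends to anything added to that group later.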