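#
# Copyright The CloudNativePG Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
{{- if .Values.serviceAccount.create }}
---
# Identity of the operator. It is the only subject of the ClusterRoleBinding
# defined further down, so every rule in the operator ClusterRole is
# exercised through this account.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "cloudnative-pg.serviceAccountName" . }}
  labels:
    {{- include "cloudnative-pg.labels" . | nindent 4 }}
  {{- with .Values.commonAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- end }}
{{- if .Values.rbac.create }}
---
# Operator ClusterRole.
#
# Review notes for anyone auditing this chart:
#   * The role is attached with a ClusterRoleBinding (below), so every rule
#     applies in all namespaces, not only in the release namespace.
#   * It includes full read/write on Secrets, create on pods/exec, and
#     create/patch/update on Roles and RoleBindings. A compromise of the
#     operator pod or of its service-account token therefore exposes
#     cluster-wide credentials. Keep the operator namespace tightly
#     restricted and alert on use of this service account from outside the
#     operator pod.
#   * The rules do not include the `escalate` or `bind` verbs, so the API
#     server's RBAC escalation check still limits the Roles and RoleBindings
#     the operator can create to permissions it already holds.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cloudnative-pg.fullname" . }}
  labels:
    {{- include "cloudnative-pg.labels" . | nindent 4 }}
  {{- with .Values.commonAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
# NOTE(review): exec into any pod in any namespace. The API server
# authorizes exec through `create` (and `get` for WebSocket clients) on this
# subresource; the other verbs listed look unused. Confirm against the
# upstream operator manifests before trimming.
- apiGroups:
  - ""
  resources:
  - pods/exec
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - ""
  resources:
  - pods/status
  verbs:
  - get
# Cluster-wide read and write access to Secrets.
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - secrets/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# NOTE(review): `patch` on webhook configurations is not restricted with
# resourceNames, so it applies to every webhook configuration in the
# cluster. Presumably needed to maintain the operator's own webhooks; verify.
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - get
  - patch
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  verbs:
  - get
  - patch
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
- apiGroups:
  - monitoring.coreos.com
  resources:
  - podmonitors
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - backups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - backups/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - clusterimagecatalogs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - clusters
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - clusters/finalizers
  verbs:
  - update
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - clusters/status
  verbs:
  - get
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - imagecatalogs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - poolers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - poolers/finalizers
  verbs:
  - update
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - poolers/status
  verbs:
  - get
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - scheduledbackups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - scheduledbackups/status
  verbs:
  - get
  - patch
  - update
# The operator can create and modify RBAC objects in any namespace; see the
# escalation note in the header of this ClusterRole.
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - snapshot.storage.k8s.io
  resources:
  - volumesnapshots
  verbs:
  - create
  - get
  - list
  - patch
  - watch
---
# Grants the operator ClusterRole to the operator service account in the
# release namespace. Because this is a ClusterRoleBinding, the grant is
# cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "cloudnative-pg.fullname" . }}
  labels:
    {{- include "cloudnative-pg.labels" . | nindent 4 }}
  # commonAnnotations is itself the annotation map, as in the ServiceAccount
  # and ClusterRole above. The previous lookup of a nested `.annotations`
  # key meant user-supplied annotations were never applied to this binding.
  {{- with .Values.commonAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "cloudnative-pg.fullname" . }}
subjects:
- kind: ServiceAccount
  name: {{ include "cloudnative-pg.serviceAccountName" . }}
  # Quoted so that an all-digit namespace name still renders as a string.
  namespace: {{ .Release.Namespace | quote }}
---
# Read-only access to the operator's custom resources for end users.
#
# When rbac.aggregateClusterRoles is set, the aggregation labels add these
# rules to the built-in view, edit and admin ClusterRoles, so every subject
# already bound to one of those roles gains them without a new binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cloudnative-pg.fullname" . }}-view
  labels:
    {{- include "cloudnative-pg.labels" . | nindent 4 }}
    {{- if .Values.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - backups
  - clusters
  - poolers
  - scheduledbackups
  verbs:
  - get
  - list
  - watch
---
# Write access to the operator's custom resources for end users.
#
# When rbac.aggregateClusterRoles is set, every subject bound to the built-in
# edit or admin ClusterRole can create, change and delete these resources in
# the namespaces where that binding applies. The operator then acts on those
# objects with its own, much broader, permissions, so enable aggregation only
# where namespace editors are trusted to provision databases.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "cloudnative-pg.fullname" . }}-edit
  labels:
    {{- include "cloudnative-pg.labels" . | nindent 4 }}
    {{- if .Values.rbac.aggregateClusterRoles }}
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    {{- end }}
rules:
- apiGroups:
  - postgresql.cnpg.io
  resources:
  - backups
  - clusters
  - poolers
  - scheduledbackups
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
---
{{- end }}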