diff --git a/charts/gateway-helm/templates/k8s-roles-extension.yaml b/charts/gateway-helm/templates/k8s-roles-extension.yaml
new file mode 100644
index 00000000000..cc79f58d5e3
--- /dev/null
+++ b/charts/gateway-helm/templates/k8s-roles-extension.yaml
@@ -0,0 +1,38 @@
+# These roles grant the standard Kubernetes "admin", "edit", and "view"
+# roles access to Gateway API and Envoy-Gateway resources.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: envoy-gateway-namespaced-admin
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: envoy-gateway-namespaced-edit
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+ - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
+ resources: ["*"]
+ verbs: ["create", "update", "patch", "delete", "deletecollection"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: envoy-gateway-namespaced-view
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+ - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
\ No newline at end of file
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index bfc711148bd..2a0ee479691 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
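Review bot: In `charts/gateway-helm/templates/k8s-roles-extension.yaml`, the `resources: ["*"]` rules of `envoy-gateway-namespaced-admin` and `envoy-gateway-namespaced-edit` are aggregated into the built-in `admin` and `edit` ClusterRoles with no guard around the template, so installing the chart silently widens every existing binding of those roles to write access on both API groups. The wildcard also matches subresources such as `*/status`, cluster-scoped kinds such as GatewayClass wherever the built-in role is bound cluster-wide, and any resource later added to either group, which is broader than the "namespaced" role names suggest. I would replace `resources: ["*"]` with an explicit list of the namespaced resources each role is meant to cover, and wrap the file in a chart value so operators who keep Gateway and policy ownership separate from namespace editing can leave these roles out. The third role would also benefit from a comment such as `# also aggregated to edit: the edit role above grants write verbs only`, since the double aggregation label is otherwise easy to read as a mistake.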
@@ -10,6 +10,7 @@ security updates: | # New features or capabilities added in this release. new features: | + The Envoy Gateway Helm chart installs roles that grant the standard Kubernetes "admin", "edit", and "view" roles access to Gateway API and Envoy-Gateway resources. Add a new feature here # Fixes for bugs identified in previous versions. diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index f0c1e0d1309..ea99eb9debb 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index ab0c09e3ed3..dddd7e0aa36 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml 
@@ -187,6 +187,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 655c1b7fbeb..fdb54e1a8ef 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 879ca6a2351..d49cfd4f81c 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 28eba2f209e..171d9b5e785 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 28375ac5bf0..7d62891993e 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index e401a1062ee..500bcb526e1 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml 
@@ -174,6 +174,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 14129b666b6..42d22f8cb4b 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml 
@@ -176,6 +176,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 64676e18497..3f4231f703f 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml +++ b/test/helm/gateway-helm/service-annotations.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding