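---
# Manager role: permissions for the operator's controller.
# This is a ClusterRole bound by a ClusterRoleBinding (below), so every rule
# here applies in ALL namespaces, not only the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-manager-role
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
rules:
  # NOTE(review): cluster-wide create/delete on Jobs is the most sensitive
  # grant in this chart. A subject that can create Jobs in a namespace can run
  # pods under any ServiceAccount of that namespace and mount its Secrets.
  # If scan Jobs only ever run in a known set of namespaces, prefer a
  # namespaced Role + RoleBinding for this rule - confirm against the
  # controller before narrowing.
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # Event recording only (no read access to events).
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
  # NOTE(review): read access to pod logs in every namespace. Logs often
  # contain tokens or other sensitive output; scope this to the namespaces
  # where scan pods run if the controller allows it.
  - apiGroups:
      - ""
    resources:
      - pods/log
    verbs:
      - get
  # Read-only access to Istio VirtualServices and their status.
  - apiGroups:
      - networking.istio.io
    resources:
      - virtualservices
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.istio.io
    resources:
      - virtualservices/status
    verbs:
      - get
  # Read-only access to Ingresses and their status.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - get
  # Full management of the operator's own custom resource.
  - apiGroups:
      - nuclei.homelab.mortenolsen.pro
    resources:
      - nucleiscans
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - nuclei.homelab.mortenolsen.pro
    resources:
      - nucleiscans/finalizers
    verbs:
      - update
  - apiGroups:
      - nuclei.homelab.mortenolsen.pro
    resources:
      - nucleiscans/status
    verbs:
      - get
      - patch
      - update
---
# Binds the manager ClusterRole to the operator's ServiceAccount cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-manager-rolebinding
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "nuclei-operator.fullname" . }}-manager-role
subjects:
  - kind: ServiceAccount
    # Quoted so an all-digit or boolean-looking name/namespace (e.g. "123",
    # "true") still renders as a YAML string.
    name: {{ include "nuclei-operator.serviceAccountName" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# Leader election role
# Namespaced Role: these rules apply only inside the release namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-leader-election-role
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
rules:
  # NOTE(review): no resourceNames restriction, so the ServiceAccount can
  # read, modify and delete every ConfigMap in the release namespace. If the
  # controller's leader election uses Leases only, this rule can likely be
  # dropped - confirm the configured lock type first.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Binds the leader election Role to the operator's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-leader-election-rolebinding
  namespace: {{ .Release.Namespace | quote }}
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "nuclei-operator.fullname" . }}-leader-election-role
subjects:
  - kind: ServiceAccount
    name: {{ include "nuclei-operator.serviceAccountName" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
{{- if .Values.metrics.enabled }}
---
# Metrics auth role
# Rendered only when metrics are enabled. Lets the operator submit
# TokenReviews and SubjectAccessReviews; presumably used to authenticate and
# authorize callers of its metrics endpoint - confirm against the manager's
# metrics server configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-metrics-auth-role
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
rules:
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-metrics-auth-rolebinding
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "nuclei-operator.fullname" . }}-metrics-auth-role
subjects:
  - kind: ServiceAccount
    name: {{ include "nuclei-operator.serviceAccountName" . | quote }}
    namespace: {{ .Release.Namespace | quote }}
---
# Metrics reader role
# Grants GET on the /metrics non-resource URL. No binding for this role is
# defined in this file: bind it explicitly, and only to the identity that
# scrapes metrics.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "nuclei-operator.fullname" . }}-metrics-reader
  labels:
    {{- include "nuclei-operator.labels" . | nindent 4 }}
rules:
  - nonResourceURLs:
      - /metrics
    verbs:
      - get
{{- end }}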