This repository was archived by the owner on Jul 25, 2025. It is now read-only.
operator-cluster-role.yaml
# We made the following changes to the default cluster role:
# - removed access to apiregistration.k8s.io/apiservices and
#   admissionregistration.k8s.io/validatingwebhookconfigurations; these are only
#   needed to update the CA bundle when KEDA manages the TLS assets itself. In
#   our case we use our own cert manager for this.
# - removed the global access to secrets
# - removed the generic get on all resources
# - added access to subjectaccessreviews, as the metrics API server seems to need it.
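# Cluster-scoped permissions for the KEDA operator.
# NOTE(review): no rule below grants access to secrets. Presumably namespaced
# Roles cover any Secret that a TriggerAuthentication references - confirm.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: keda-operator
    app.kubernetes.io/part-of: keda-operator
  name: keda-operator
rules:
# Read-only access to core objects.
# NOTE(review): `external` is not a built-in core resource; it looks carried
# over from the upstream role - confirm it is still needed.
- apiGroups:
  - ""
  resources:
  - configmaps
  - configmaps/status
  - external
  - pods
  - services
  verbs:
  - get
  - list
  - watch
# Emit Events; no read or delete access to them.
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
# List/watch only; individual `get` is not granted.
- apiGroups:
  - ""
  resources:
  - limitranges
  - serviceaccounts
  verbs:
  - list
  - watch
# Broadest rule in this role: read and write the scale subresource of any
# resource in any API group, cluster-wide. Anything able to act as this
# ServiceAccount can resize every scalable workload in the cluster.
# NOTE(review): if only known workload kinds are scaled, enumerate their API
# groups and resources here instead of '*'.
- apiGroups:
  - '*'
  resources:
  - '*/scale'
  verbs:
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  verbs:
  - list
  - watch
# Full lifecycle management of HorizontalPodAutoscalers.
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# Full lifecycle management of Jobs, in every namespace.
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# KEDA eventing custom resources: read and update, no create or delete.
- apiGroups:
  - eventing.keda.sh
  resources:
  - cloudeventsources
  - cloudeventsources/status
  - clustercloudeventsources
  - clustercloudeventsources/status
  verbs:
  - get
  - list
  - patch
  - update
  - watch
# KEDA scaling custom resources: read and update, no create or delete.
- apiGroups:
  - keda.sh
  resources:
  - clustertriggerauthentications
  - clustertriggerauthentications/status
  - scaledjobs
  - scaledjobs/finalizers
  - scaledjobs/status
  - scaledobjects
  - scaledobjects/finalizers
  - scaledobjects/status
  - triggerauthentications
  - triggerauthentications/status
  verbs:
  - get
  - list
  - patch
  - update
  - watch
# SubjectAccessReview is a create-only API: a review is submitted and the
# verdict comes back in the response, nothing is stored. `create` is therefore
# the only verb that grants anything; the get/list/patch/update/watch verbs
# previously listed here had no effect and were dropped to keep the role minimal.
- apiGroups:
  - authorization.k8s.io
  resources:
  - subjectaccessreviews
  verbs:
  - create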
---
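# Grants the keda-operator ClusterRole to the operator's ServiceAccount.
# Because this is a ClusterRoleBinding, every rule in that role applies in all
# namespaces, not only in the namespace the operator runs in.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: keda-operator
    app.kubernetes.io/part-of: keda-operator
  name: keda-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: keda-operator
subjects:
- kind: ServiceAccount
  name: keda-operator
  # Running the operator from the dev-enablement namespace. The namespace is
  # part of the subject's identity: a ServiceAccount with the same name in a
  # different namespace is not covered by this binding.
  namespace: dev-enablement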