From 8f6f9958ff12d21aa296c217eec90017c0a64f19 Mon Sep 17 00:00:00 2001
From: Evan Anderson
Date: Fri, 25 Oct 2024 10:41:36 -0700
Subject: [PATCH 1/3] Add user-facing role definitions for Envoy Gateway and Gateway API
Signed-off-by: Evan Anderson
---
.../templates/k8s-roles-extension.yaml | 37 +++++++++++++++++++
release-notes/current.yaml | 1 +
2 files changed, 38 insertions(+)
create mode 100644 charts/gateway-helm/templates/k8s-roles-extension.yaml
diff --git a/charts/gateway-helm/templates/k8s-roles-extension.yaml b/charts/gateway-helm/templates/k8s-roles-extension.yaml
new file mode 100644
index 00000000000..abc7ed0ac32
--- /dev/null
+++ b/charts/gateway-helm/templates/k8s-roles-extension.yaml
@@ -0,0 +1,37 @@
+# These roles grant the standard Kubernetes "admin", "edit", and "view"
+# roles access to Gateway API and Envoy-Gateway resources.
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: envoy-gateway-namespaced-admin
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+ - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: envoy-gateway-namespaced-edit
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+ - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
+ resources: ["*"]
+ verbs: ["create", "update", "patch", "delete"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: envoy-gateway-namespaced-view
+ labels:
+ {{- include "eg.labels" . | nindent 4 }}
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+ - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
\ No newline at end of file
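Review bot: All three ClusterRoles use `resources: ["*"]` (plus `verbs: ["*"]` for admin) on both API groups, so every kind either group adds later, and every subresource such as `*/status`, is granted automatically to whoever already holds the built-in admin/edit/view roles. The aggregation labels are unconditional in this template, so installing or upgrading the chart widens those existing bindings with no opt-out visible here. I would enumerate the resources each role is meant to cover, keep status subresources and operator-level kinds (for example `envoyproxies` and `envoypatchpolicies`) out of edit unless that is intended, and gate the file behind a values flag such as `{{- if .Values.<PLACEHOLDER_FLAG> }}`. The same wildcard carries into the edit-role hunk of PATCH 2/3, where `deletecollection` is added on top of it. The sketch below shows the shape for the edit role only; the resource list is a constructed example for the maintainers to confirm.

```yaml
# … unchanged: kind, apiVersion, metadata of envoy-gateway-namespaced-edit …
rules:
  # Constructed example list: confirm which kinds namespace editors should own.
  - apiGroups: ["gateway.networking.k8s.io"]
    resources:
      - gateways
      - httproutes
      - grpcroutes
      - referencegrants
    verbs: ["create", "update", "patch", "delete"]
  - apiGroups: ["gateway.envoyproxy.io"]
    resources:
      - backendtrafficpolicies
      - clienttrafficpolicies
      - securitypolicies
    verbs: ["create", "update", "patch", "delete"]
```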
diff --git a/release-notes/current.yaml b/release-notes/current.yaml index bfc711148bd..2a0ee479691 100644 --- a/release-notes/current.yaml +++ b/release-notes/current.yaml @@ -10,6 +10,7 @@ security updates: | # New features or capabilities added in this release. new features: | + The Envoy Gateway Helm chart installs roles that grant the standard Kubernetes "admin", "edit", and "view" roles access to Gateway API and Envoy-Gateway resources. Add a new feature here # Fixes for bugs identified in previous versions. From d4c4c3f8b91150702a5d0680d153f7f324209fc1 Mon Sep 17 00:00:00 2001 From: Evan Anderson Date: Tue, 29 Oct 2024 12:00:48 -0700 Subject: [PATCH 2/3] Address feedbackfrom zhaohuabing Signed-off-by: Evan Anderson --- charts/gateway-helm/templates/k8s-roles-extension.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/charts/gateway-helm/templates/k8s-roles-extension.yaml b/charts/gateway-helm/templates/k8s-roles-extension.yaml index abc7ed0ac32..cc79f58d5e3 100644 --- a/charts/gateway-helm/templates/k8s-roles-extension.yaml +++ b/charts/gateway-helm/templates/k8s-roles-extension.yaml @@ -22,7 +22,7 @@ metadata: rules: - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] resources: ["*"] - verbs: ["create", "update", "patch", "delete"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 @@ -31,6 +31,7 @@ metadata: labels: {{- include "eg.labels" . | nindent 4 }} rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" rules: - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] resources: ["*"] From 5468f84627b52e9c88621f316560d0c82fd70b30 Mon Sep 17 00:00:00 2001 From: Evan Anderson Date: Tue, 29 Oct 2024 12:01:12 -0700 Subject: [PATCH 3/3] Include helm chart test output changes 
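Review bot: The `aggregate-to-edit` label added to `envoy-gateway-namespaced-view` in PATCH 2/3 has no comment explaining why a read-only role is aggregated into edit, and next to `aggregate-to-view` it reads like a copy-paste slip. The reason appears to be that `envoy-gateway-namespaced-edit` carries only write verbs, so it is usable only when read access arrives through aggregation. On clusters with the default roles that presumably already happens, because the built-in `view` role is itself aggregated into `edit`. I would either add a line above the label, e.g. `# edit has no read verbs of its own; aggregate read access into edit explicitly`, or add `"get", "list", "watch"` to the edit role's verbs so it is also correct when bound directly. The role definition this label belongs to starts above the hunk.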
Signed-off-by: Evan Anderson --- .../certjen-custom-scheduling.out.yaml | 54 +++++++++++++++++++ .../control-plane-with-pdb.out.yaml | 54 +++++++++++++++++++ .../helm/gateway-helm/default-config.out.yaml | 54 +++++++++++++++++++ .../deployment-custom-topology.out.yaml | 54 +++++++++++++++++++ .../deployment-images-config.out.yaml | 54 +++++++++++++++++++ .../deployment-priorityclass.out.yaml | 54 +++++++++++++++++++ .../envoy-gateway-config.out.yaml | 54 +++++++++++++++++++ .../global-images-config.out.yaml | 54 +++++++++++++++++++ .../gateway-helm/service-annotations.out.yaml | 54 +++++++++++++++++++ 9 files changed, 486 insertions(+) diff --git a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml index f0c1e0d1309..ea99eb9debb 100644 --- a/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml +++ b/test/helm/gateway-helm/certjen-custom-scheduling.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml index ab0c09e3ed3..dddd7e0aa36 100644 --- a/test/helm/gateway-helm/control-plane-with-pdb.out.yaml +++ b/test/helm/gateway-helm/control-plane-with-pdb.out.yaml 
@@ -187,6 +187,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/default-config.out.yaml b/test/helm/gateway-helm/default-config.out.yaml index 655c1b7fbeb..fdb54e1a8ef 100644 --- a/test/helm/gateway-helm/default-config.out.yaml +++ b/test/helm/gateway-helm/default-config.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/deployment-custom-topology.out.yaml b/test/helm/gateway-helm/deployment-custom-topology.out.yaml index 879ca6a2351..d49cfd4f81c 100644 --- a/test/helm/gateway-helm/deployment-custom-topology.out.yaml +++ b/test/helm/gateway-helm/deployment-custom-topology.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/deployment-images-config.out.yaml b/test/helm/gateway-helm/deployment-images-config.out.yaml index 28eba2f209e..171d9b5e785 100644 --- a/test/helm/gateway-helm/deployment-images-config.out.yaml +++ b/test/helm/gateway-helm/deployment-images-config.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/deployment-priorityclass.out.yaml b/test/helm/gateway-helm/deployment-priorityclass.out.yaml index 28375ac5bf0..7d62891993e 100644 --- a/test/helm/gateway-helm/deployment-priorityclass.out.yaml +++ b/test/helm/gateway-helm/deployment-priorityclass.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/envoy-gateway-config.out.yaml b/test/helm/gateway-helm/envoy-gateway-config.out.yaml index e401a1062ee..500bcb526e1 100644 --- a/test/helm/gateway-helm/envoy-gateway-config.out.yaml +++ b/test/helm/gateway-helm/envoy-gateway-config.out.yaml 
@@ -174,6 +174,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/global-images-config.out.yaml b/test/helm/gateway-helm/global-images-config.out.yaml index 14129b666b6..42d22f8cb4b 100644 --- a/test/helm/gateway-helm/global-images-config.out.yaml +++ b/test/helm/gateway-helm/global-images-config.out.yaml 
@@ -176,6 +176,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/test/helm/gateway-helm/service-annotations.out.yaml b/test/helm/gateway-helm/service-annotations.out.yaml index 64676e18497..3f4231f703f 100644 --- a/test/helm/gateway-helm/service-annotations.out.yaml +++ b/test/helm/gateway-helm/service-annotations.out.yaml 
@@ -172,6 +172,60 @@ rules: verbs: - update --- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +# These roles grant the standard Kubernetes "admin", "edit", and "view" +# roles access to Gateway API and Envoy-Gateway resources. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-admin + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["*"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-edit + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["create", "update", "patch", "delete", "deletecollection"] +--- +# Source: gateway-helm/templates/k8s-roles-extension.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: envoy-gateway-namespaced-view + labels: + helm.sh/chart: gateway-helm-v0.0.0-latest + app.kubernetes.io/name: gateway-helm + app.kubernetes.io/instance: gateway-helm + app.kubernetes.io/version: "latest" + app.kubernetes.io/managed-by: Helm + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: ["gateway.networking.k8s.io", "gateway.envoyproxy.io"] + resources: ["*"] + verbs: ["get", "list", "watch"] +--- # Source: 
gateway-helm/templates/envoy-gateway-rbac.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding