External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-06-06 15:36:15 -02:30
Code Issues Packages Projects Releases Wiki Activity
Files
d10a2cd4c62f85961ffe65550526b7fdf28b2ca4
kubespray/roles/network_plugin/cilium/templates/cilium/cr.yml.j2
logicsys b8541962f3 Partial Cilium 1.16+ Support & Add vars for configuring cilium IP load balancer pools and bgp v1 & v2 apis (#11620) 
* Add vars for configuring cilium IP load balancer pools and bgp peer policies

* Cilium 1.16+ Support - Add vars for configuring cilium bgpv2 api & handle cilium_kube_proxy_replacement unsupported values
2024-11-19 02:48:53 +00:00

169 lines
3.3 KiB
Django/Jinja
Raw Blame History

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- pods
- endpoints
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
{% if cilium_version | regex_replace('v') is version('1.12', '<') %}
- apiGroups:
- ""
resources:
- pods
- pods/finalizers
verbs:
- get
- list
- watch
- update
- delete
- apiGroups:
- ""
resources:
- pods
- nodes
verbs:
- get
- list
- watch
- update
{% endif %}
- apiGroups:
- ""
resources:
- nodes
- nodes/status
verbs:
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
# Deprecated for removal in v1.10
- create
- list
- watch
- update
# This is used when validating policies in preflight. This will need to stay
# until we figure out how to avoid "get" inside the preflight, and then
# should be removed ideally.
- get
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints
- ciliumendpoints/status
- ciliumnodes
- ciliumnodes/status
- ciliumidentities
- ciliumlocalredirectpolicies
- ciliumlocalredirectpolicies/status
- ciliumegressnatpolicies
{% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
- ciliumendpointslices
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- ciliumbgploadbalancerippools
- ciliumbgppeeringpolicies
{% if cilium_version | regex_replace('v') is version('1.13', '>=') %}
- ciliumloadbalancerippools
{% endif %}
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.11.5', '<') %}
- ciliumnetworkpolicies/finalizers
- ciliumclusterwidenetworkpolicies/finalizers
- ciliumendpoints/finalizers
- ciliumnodes/finalizers
- ciliumidentities/finalizers
- ciliumlocalredirectpolicies/finalizers
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
- ciliuml2announcementpolicies/status
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
- ciliumbgpnodeconfigs
- ciliumbgpnodeconfigs/status
- ciliumbgpadvertisements
- ciliumbgppeerconfigs
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.16', '>=') %}
- ciliumbgpclusterconfigs
{% endif %}
verbs:
- '*'
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- apiGroups:
- cilium.io
resources:
- ciliumclusterwideenvoyconfigs
- ciliumenvoyconfigs
- ciliumegressgatewaypolicies
verbs:
- list
- watch
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
- apiGroups:
- cilium.io
resources:
- ciliumcidrgroups
- ciliuml2announcementpolicies
- ciliumpodippools
- ciliumloadbalancerippools
- ciliuml2announcementpolicies/status
verbs:
- list
- watch
{% if cilium_version %}
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
- list
- delete
{% endif %}
{% endif %}
Reference in New Issue View Git Blame Copy Permalink