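{{- /*
RBAC rules for kube-state-metrics.

Rendered only when rbac.create is true and rbac.useExistingRole is not set.
With rbac.useClusterRole=false, one namespaced Role is emitted for each
namespace named in .Values.namespaces; otherwise a single ClusterRole is
emitted. Every collector listed in .Values.collectors contributes one
read-only (list, watch) rule for its resource.

Review notes:
- The rule items below sit at column 0 on purpose: rbac.extraRules is
  rendered with a bare toYaml (no indent), so it only lines up with a
  flush sequence under "rules:".
- A namespaced Role cannot grant access to cluster-scoped resources (for
  example nodes, namespaces, persistentvolumes, storageclasses, and the
  tokenreviews / subjectaccessreviews rules used with kubeRBACProxy). In
  Role mode those rules are still rendered but are expected to have no
  effect; confirm against the collectors actually enabled.
*/ -}}
{{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}}
{{- range (ternary (join "," .Values.namespaces | split "," ) (list "") (eq $.Values.rbac.useClusterRole false)) }}
---
apiVersion: rbac.authorization.k8s.io/v1
{{- if eq $.Values.rbac.useClusterRole false }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
  labels:
    {{- include "kube-state-metrics.labels" $ | indent 4 }}
  name: {{ template "kube-state-metrics.fullname" $ }}
{{- if eq $.Values.rbac.useClusterRole false }}
  namespace: {{ . }}
{{- end }}
rules:
{{ if has "certificatesigningrequests" $.Values.collectors }}
- apiGroups: ["certificates.k8s.io"]
  resources:
  - certificatesigningrequests
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "configmaps" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - configmaps
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "cronjobs" $.Values.collectors }}
- apiGroups: ["batch"]
  resources:
  - cronjobs
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "daemonsets" $.Values.collectors }}
- apiGroups: ["extensions", "apps"]
  resources:
  - daemonsets
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "deployments" $.Values.collectors }}
- apiGroups: ["extensions", "apps"]
  resources:
  - deployments
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "endpoints" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - endpoints
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "endpointslices" $.Values.collectors }}
- apiGroups: ["discovery.k8s.io"]
  resources:
  - endpointslices
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "horizontalpodautoscalers" $.Values.collectors }}
- apiGroups: ["autoscaling"]
  resources:
  - horizontalpodautoscalers
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "ingresses" $.Values.collectors }}
- apiGroups: ["extensions", "networking.k8s.io"]
  resources:
  - ingresses
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "jobs" $.Values.collectors }}
- apiGroups: ["batch"]
  resources:
  - jobs
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "leases" $.Values.collectors }}
- apiGroups: ["coordination.k8s.io"]
  resources:
  - leases
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "limitranges" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - limitranges
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "mutatingwebhookconfigurations" $.Values.collectors }}
- apiGroups: ["admissionregistration.k8s.io"]
  resources:
  - mutatingwebhookconfigurations
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "namespaces" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - namespaces
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "networkpolicies" $.Values.collectors }}
- apiGroups: ["networking.k8s.io"]
  resources:
  - networkpolicies
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "nodes" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - nodes
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "persistentvolumeclaims" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - persistentvolumeclaims
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "persistentvolumes" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - persistentvolumes
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "poddisruptionbudgets" $.Values.collectors }}
- apiGroups: ["policy"]
  resources:
  - poddisruptionbudgets
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "pods" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - pods
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "replicasets" $.Values.collectors }}
- apiGroups: ["extensions", "apps"]
  resources:
  - replicasets
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "replicationcontrollers" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - replicationcontrollers
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "resourcequotas" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - resourcequotas
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "secrets" $.Values.collectors }}
# NOTE(security): list/watch on secrets returns full Secret objects, so this
# rule lets the bound identity read secret values, not only their metadata
# (cluster-wide when rendered as a ClusterRole). Leave "secrets" out of
# .Values.collectors unless secret metrics are actually needed.
- apiGroups: [""]
  resources:
  - secrets
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "services" $.Values.collectors }}
- apiGroups: [""]
  resources:
  - services
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "statefulsets" $.Values.collectors }}
- apiGroups: ["apps"]
  resources:
  - statefulsets
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "storageclasses" $.Values.collectors }}
- apiGroups: ["storage.k8s.io"]
  resources:
  - storageclasses
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "validatingwebhookconfigurations" $.Values.collectors }}
- apiGroups: ["admissionregistration.k8s.io"]
  resources:
  - validatingwebhookconfigurations
  verbs: ["list", "watch"]
{{ end -}}
{{ if has "volumeattachments" $.Values.collectors }}
- apiGroups: ["storage.k8s.io"]
  resources:
  - volumeattachments
  verbs: ["list", "watch"]
{{ end -}}
{{- if $.Values.kubeRBACProxy.enabled }}
# The only non-read rules in this template: "create" on the two review APIs,
# added when kubeRBACProxy is enabled (presumably so the proxy can check the
# token and permissions of incoming requests; confirm against the deployment).
- apiGroups: ["authentication.k8s.io"]
  resources:
  - tokenreviews
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources:
  - subjectaccessreviews
  verbs: ["create"]
{{- end }}
{{- if $.Values.customResourceState.enabled }}
- apiGroups: ["apiextensions.k8s.io"]
  resources:
  - customresourcedefinitions
  verbs: ["list", "watch"]
{{- end }}
{{ if $.Values.rbac.extraRules }}
# NOTE(security): rbac.extraRules is appended as-is and is not limited to
# list/watch; any verb or resource set in values ends up in this role.
# Review values overrides that set it.
{{ toYaml $.Values.rbac.extraRules }}
{{ end }}
{{- end -}}
{{- end -}}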