From 392815d97c470f42273fb3aec0a2105248f9d066 Mon Sep 17 00:00:00 2001
From: onock <69904894+onock@users.noreply.github.com>
Date: Thu, 20 Jan 2022 21:17:09 +0100
Subject: [PATCH] [cert-manager] Fix missing RBAC rules for ClusterRole
 cert-manager-cainjector kubernetes-sigs#8104. (#8444)

---
 .../cert_manager/templates/cert-manager.yml.j2       | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2 b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
index 62930d5dd..10df7bb1e 100644
--- a/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
+++ b/roles/kubernetes-apps/ingress_controller/cert_manager/templates/cert-manager.yml.j2
@@ -93,6 +93,12 @@ rules:
   - apiGroups: ["auditregistration.k8s.io"]
     resources: ["auditsinks"]
     verbs: ["get", "list", "watch", "update"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["create", "get", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["create", "get", "update"]
 ---
 # Source: cert-manager/templates/rbac.yaml
 # Issuer controller role
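Review bot: The two added rules sit in a ClusterRole's `rules:` list with no `resourceNames`, so once bound cluster-wide they allow `create`/`get`/`update` on every ConfigMap and Lease in every namespace, which is far more than leader election needs. The ClusterRole's header is outside the hunk; going by the commit subject it is cert-manager-cainjector. Write access to ConfigMaps in all namespaces, including system ones, is a large blast radius if that service account's token is ever exposed. I would grant these in a namespaced Role in `{{ cert_manager_leader_election_namespace }}` instead, restrict `get`/`update` to the lock objects by name (`create` cannot be restricted by `resourceNames`), and bind it with a RoleBinding to the cainjector service account. The Role name and lock name in the sketch below are placeholders.

```yaml
# ... unchanged: existing cainjector ClusterRole rules, without the two added entries ...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: "<cainjector-leaderelection-role>"  # placeholder
  namespace: {{ cert_manager_leader_election_namespace }}
rules:
  - apiGroups: ["", "coordination.k8s.io"]
    resources: ["configmaps", "leases"]
    resourceNames: ["<cainjector-lock-name>"]  # placeholder: the lock object(s) cainjector uses
    verbs: ["get", "update"]
  - apiGroups: ["", "coordination.k8s.io"]
    resources: ["configmaps", "leases"]
    verbs: ["create"]
```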
@@ -661,7 +667,7 @@ rules:
 ---
 # Source: cert-manager/templates/rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   name: cert-manager:leaderelection
   namespace: {{ cert_manager_leader_election_namespace }}
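Review bot: Switching `kind: Role` to `kind: ClusterRole` here, together with the matching `kind: ClusterRoleBinding` and `roleRef` `kind: ClusterRole` changes in the next two hunks, turns the leader-election grant from namespace-scoped into cluster-wide while `namespace: {{ cert_manager_leader_election_namespace }}` stays in the metadata. ClusterRole and ClusterRoleBinding are cluster-scoped objects, so that field no longer confines anything and suggests to a reader that the permissions are still limited to one namespace. The rules of this role are outside the hunk, so their breadth cannot be checked from here. If the aim is only to let a component take its lock, keep `kind: Role` / `kind: RoleBinding` and add the missing rule or subject in that namespace; if cluster scope really is intended, drop the `namespace:` lines from both objects.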
@@ -739,7 +745,7 @@ subjects:
 # grant cert-manager permission to manage the leaderelection configmap in the
 # leader election namespace
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: cert-manager:leaderelection
   namespace: {{ cert_manager_leader_election_namespace }}
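Review bot: The comment above this object still says the binding grants permission "in the leader election namespace", which stops being true once the kind is `ClusterRoleBinding`. If the cluster-wide binding is kept, the comment should say so, for example `# grant cert-manager permission to manage leader-election locks in all namespaces`. The binding's `subjects:` list lies outside the hunk, so who receives the widened grant should be confirmed against the full file.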
@@ -751,7 +757,7 @@ metadata:
     app.kubernetes.io/version: "{{ cert_manager_version }}"
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
+  kind: ClusterRole
   name: cert-manager:leaderelection
 subjects:
   - apiGroup: ""
-- 
GitLab