129 lines
2.9 KiB
YAML
129 lines
2.9 KiB
YAML
|
# source:
|
||
|
|
# https://github.com/nats-io/nats-operator/releases/latest/download/00-prereqs.yaml
|
||
|
|
---
|
||
|
|
apiVersion: v1
|
||
|
|
kind: ServiceAccount
|
||
|
|
metadata:
|
||
|
|
name: nats-operator
|
||
|
|
# Change to the name of the namespace where to install NATS Operator.
|
||
|
|
# Alternatively, change to "nats-io" to perform a cluster-scoped deployment in supported versions.
|
||
|
|
namespace: default
|
||
|
|
|
||
|
|
---
|
||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
|
kind: ClusterRoleBinding
|
||
|
|
metadata:
|
||
|
|
name: nats-operator-binding
|
||
|
|
roleRef:
|
||
|
|
apiGroup: rbac.authorization.k8s.io
|
||
|
|
kind: ClusterRole
|
||
|
|
name: nats-operator
|
||
|
|
subjects:
|
||
|
|
- kind: ServiceAccount
|
||
|
|
name: nats-operator
|
||
|
|
# Change to the name of the namespace where to install NATS Operator.
|
||
|
|
# Alternatively, change to "nats-io" to perform a cluster-scoped deployment in supported versions.
|
||
|
|
namespace: default
|
||
|
|
|
||
|
|
# NOTE: When performing multiple namespace-scoped installations, all
|
||
|
|
# "nats-operator" service accounts (across the different namespaces)
|
||
|
|
# MUST be added to this binding.
|
||
|
|
#- kind: ServiceAccount
|
||
|
|
# name: nats-operator
|
||
|
|
# namespace: nats-io
|
||
|
|
#- kind: ServiceAccount
|
||
|
|
# name: nats-operator
|
||
|
|
# namespace: namespace-2
|
||
|
|
#(...)
|
||
|
|
|
||
|
|
---
|
||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
|
kind: ClusterRole
|
||
|
|
metadata:
|
||
|
|
name: nats-operator
|
||
|
|
rules:
|
||
|
|
# Allow creating CRDs
|
||
|
|
- apiGroups:
|
||
|
|
- apiextensions.k8s.io
|
||
|
|
resources:
|
||
|
|
- customresourcedefinitions
|
||
|
|
verbs: ["get", "list", "create", "update", "watch"]
|
||
|
|
|
||
|
|
# Allow all actions on NATS Operator manager CRDs
|
||
|
|
- apiGroups:
|
||
|
|
- nats.io
|
||
|
|
resources:
|
||
|
|
- natsclusters
|
||
|
|
- natsserviceroles
|
||
|
|
verbs: ["*"]
|
||
|
|
|
||
|
|
# Allowed actions on Pods
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources:
|
||
|
|
- pods
|
||
|
|
verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
|
||
|
|
|
||
|
|
# Allowed actions on Services
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources:
|
||
|
|
- services
|
||
|
|
verbs: ["create", "watch", "get", "patch", "update", "delete", "list"]
|
||
|
|
|
||
|
|
# Allowed actions on Secrets
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources:
|
||
|
|
- secrets
|
||
|
|
verbs: ["create", "watch", "get", "update", "delete", "list"]
|
||
|
|
|
||
|
|
# Allow all actions on some special subresources
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources:
|
||
|
|
- pods/exec
|
||
|
|
- pods/log
|
||
|
|
- serviceaccounts/token
|
||
|
|
- events
|
||
|
|
verbs: ["*"]
|
||
|
|
|
||
|
|
# Allow listing Namespaces and ServiceAccounts
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources:
|
||
|
|
- namespaces
|
||
|
|
- serviceaccounts
|
||
|
|
verbs: ["list", "get", "watch"]
|
||
|
|
|
||
|
|
# Allow actions on Endpoints
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources:
|
||
|
|
- endpoints
|
||
|
|
verbs: ["create", "watch", "get", "update", "delete", "list"]
|
||
|
|
|
||
|
|
---
|
||
|
|
apiVersion: v1
|
||
|
|
kind: ServiceAccount
|
||
|
|
metadata:
|
||
|
|
name: nats-server
|
||
|
|
namespace: default
|
||
|
|
---
|
||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
|
kind: ClusterRole
|
||
|
|
metadata:
|
||
|
|
name: nats-server
|
||
|
|
rules:
|
||
|
|
- apiGroups: [""]
|
||
|
|
resources:
|
||
|
|
- nodes
|
||
|
|
verbs: ["get"]
|
||
|
|
---
|
||
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
||
|
|
kind: ClusterRoleBinding
|
||
|
|
metadata:
|
||
|
|
name: nats-server-binding
|
||
|
|
roleRef:
|
||
|
|
apiGroup: rbac.authorization.k8s.io
|
||
|
|
kind: ClusterRole
|
||
|
|
name: nats-server
|
||
|
|
subjects:
|
||
|
|
- kind: ServiceAccount
|
||
|
|
name: nats-server
|
||
|
|
namespace: default
|