3e3dadb8b7
Azure does not currently suport Calico networking. As a workaround, this patch set includes CAPZ Calico manifests that uses VXLAN, instead. The CAPZ Calico manifest are located under manifest/function/cni/calico-capz. Change-Id: Iadb2d5e10131e6a2df8cef49e2ec189ab948eeb9
63 lines
1.3 KiB
YAML
63 lines
1.3 KiB
YAML
---
|
|
# Source: calico/templates/rbac.yaml
|
|
|
|
# Include a clusterrole for the kube-controllers component,
|
|
# and bind it to the calico-kube-controllers serviceaccount.
|
|
kind: ClusterRole
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: calico-kube-controllers
|
|
rules:
|
|
# Nodes are watched to monitor for deletions.
|
|
- apiGroups: [""]
|
|
resources:
|
|
- nodes
|
|
verbs:
|
|
- watch
|
|
- list
|
|
- get
|
|
# Pods are queried to check for existence.
|
|
- apiGroups: [""]
|
|
resources:
|
|
- pods
|
|
verbs:
|
|
- get
|
|
# IPAM resources are manipulated when nodes are deleted.
|
|
- apiGroups: ["crd.projectcalico.org"]
|
|
resources:
|
|
- ippools
|
|
verbs:
|
|
- list
|
|
- apiGroups: ["crd.projectcalico.org"]
|
|
resources:
|
|
- blockaffinities
|
|
- ipamblocks
|
|
- ipamhandles
|
|
verbs:
|
|
- get
|
|
- list
|
|
- create
|
|
- update
|
|
- delete
|
|
# Needs access to update clusterinformations.
|
|
- apiGroups: ["crd.projectcalico.org"]
|
|
resources:
|
|
- clusterinformations
|
|
verbs:
|
|
- get
|
|
- create
|
|
- update
|
|
---
|
|
kind: ClusterRoleBinding
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: calico-kube-controllers
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: calico-kube-controllers
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: calico-kube-controllers
|
|
namespace: kube-system
|