summaryrefslogtreecommitdiffstats
path: root/files/origin-components/rbac-template.yaml
diff options
context:
space:
mode:
Diffstat (limited to 'files/origin-components/rbac-template.yaml')
-rw-r--r--files/origin-components/rbac-template.yaml92
1 files changed, 0 insertions, 92 deletions
diff --git a/files/origin-components/rbac-template.yaml b/files/origin-components/rbac-template.yaml
deleted file mode 100644
index 0937a9065..000000000
--- a/files/origin-components/rbac-template.yaml
+++ /dev/null
@@ -1,92 +0,0 @@
-apiVersion: template.openshift.io/v1
-kind: Template
-metadata:
- name: template-service-broker-rbac
-parameters:
-- name: NAMESPACE
- value: openshift-template-service-broker
-- name: KUBE_SYSTEM
- value: kube-system
-objects:
-
-# Grant the service account permission to call the TSB
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: templateservicebroker-client
- roleRef:
- kind: ClusterRole
- name: system:openshift:templateservicebroker-client
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: templateservicebroker-client
-
-# to delegate authentication and authorization
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: auth-delegator-${NAMESPACE}
- roleRef:
- kind: ClusterRole
- name: system:auth-delegator
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to have the template service broker powers
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: ClusterRoleBinding
- metadata:
- name: tsb-${NAMESPACE}
- roleRef:
- kind: ClusterRole
- name: system:openshift:controller:template-service-broker
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# to read the config for terminating authentication
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: RoleBinding
- metadata:
- namespace: ${KUBE_SYSTEM}
- name: extension-apiserver-authentication-reader-${NAMESPACE}
- roleRef:
- kind: Role
- name: extension-apiserver-authentication-reader
- subjects:
- - kind: ServiceAccount
- namespace: ${NAMESPACE}
- name: apiserver
-
-# allow the kube service catalog's SA to read the static secret defined
-# above, which will contain the token for the SA that can call the TSB.
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: Role
- metadata:
- name: templateservicebroker-auth-reader
- namespace: ${NAMESPACE}
- rules:
- - apiGroups:
- - ""
- resourceNames:
- - templateservicebroker-client
- resources:
- - secrets
- verbs:
- - get
-- apiVersion: rbac.authorization.k8s.io/v1beta1
- kind: RoleBinding
- metadata:
- namespace: ${NAMESPACE}
- name: templateservicebroker-auth-reader
- roleRef:
- kind: Role
- name: templateservicebroker-auth-reader
- subjects:
- - kind: ServiceAccount
- namespace: kube-service-catalog
- name: service-catalog-controller
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-27 07:56:47 +0000