kubernetes/ansible/rbac.yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dch-webhooks
rules:
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - create

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dch-webhooks
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dch-webhooks
subjects:
- kind: ServiceAccount
  name: dch-webhooks
  namespace: default

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: host-provisioner
  labels:
    app.kubernetes.io/name: host-provisioner
    app.kubernetes.io/component: host-provisioner

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: host-provisioner
  namespace: kube-public
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to access the _cluster-info_ ConfigMap,
      which it uses to get the connection details for the Kubernetes API
      server, including the issuing CA certificate, to pass to `kubeadm
      join` on a new worker node.
rules:
- apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - get
  resourceNames:
  - cluster-info
  - kube-root-ca.crt

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: host-provisioner
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to manipulate labels, taints, etc. on
      nodes it adds to the cluster.
rules:
- apiGroups:
  - ''
  resources:
  - nodes
  verbs:
  - get
  - patch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: host-provisioner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: host-provisioner
subjects:
- kind: ServiceAccount
  name: host-provisioner

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: host-provisioner
  namespace: kube-system
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to create bootstrap tokens in order to
      add new nodes to the Kubernetes cluster.
rules:
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - create
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: host-provisioner
  namespace: kube-public
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
subjects:
- kind: ServiceAccount
  name: host-provisioner

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: host-provisioner
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
subjects:
- kind: ServiceAccount
  name: host-provisioner

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: host-provisioner
  namespace: victoria-metrics
  annotations:
    kubernetes.io/description: >-
      Allows the host-provisioner to update the scrape-collectd
      ConfigMap when adding new hosts.
rules:
- apiGroups:
  - ''
  resources:
  - configmaps
  verbs:
  - patch
  - get
  resourceNames:
  - scrape-collectd

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: host-provisioner
  namespace: victoria-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: host-provisioner
subjects:
- kind: ServiceAccount
  name: host-provisioner