charts/charts/tekton-pipelines/templates/clusterrole-webhook-cluster-access.yaml
Tin Lam 2f2458c252 chore(img): updates tekton images
This updates the tekton charts' default image to the latest
version available.

Signed-off-by: Tin Lam <tin@irrational.io>
Change-Id: I71f76bc0448441d22b49b91ca12d0712bb3cd30d
2021-04-04 19:09:10 +00:00


{{- define "clusterrole-webhook-cluster-access" -}}
---
# ClusterRole holding the cluster-wide API permissions of the tekton-pipelines
# webhook component. Every rule below is cluster-scoped; the three rules that
# carry resourceNames are limited to the objects they name.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipelines-webhook-cluster-access
  labels: {{- include "helpers.labels.labels" (dict "Global" $ "Component" "webhook" "PartOf" "tekton-pipelines") | nindent 4 }}
rules:
  # The webhook lists and updates customresourcedefinitions, mainly to update
  # the webhook certificates.
  # NOTE(review): there is no resourceNames filter on this rule, so update and
  # patch apply to every CRD in the cluster, not only the ones this chart
  # installs. Consider keeping get/list/watch unrestricted and limiting the
  # write verbs to the chart's own CRDs - confirm the names before narrowing.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
      - customresourcedefinitions/status
    verbs:
      - get
      - list
      - update
      - patch
      - watch

  # The webhook reconciles these two resources and continuously updates their
  # configuration. knative starts informers on them, which is why list and
  # watch are granted across all names; get is granted only per resourceNames
  # in the two rules that follow.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - list
      - watch

  # webhook.pipeline.tekton.dev is the mutating webhook that applies defaults
  # to tekton objects as they are received. When configs or secrets change,
  # knative updates this configuration with the new certificates or the
  # refreshed set of rules. Write access is scoped to this one named object.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
    resourceNames:
      - webhook.pipeline.tekton.dev
    verbs:
      - get
      - update

  # validation.webhook.pipeline.tekton.dev performs schema validation when you,
  # for example, create TaskRuns. config.webhook.pipeline.tekton.dev validates
  # the logging configuration against knative's logging structure. When configs
  # or secrets change, knative updates these configurations with the new
  # certificates or the refreshed set of rules. Write access is scoped to these
  # two named objects.
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
    resourceNames:
      - validation.webhook.pipeline.tekton.dev
      - config.webhook.pipeline.tekton.dev
    verbs:
      - get
      - update

  # Allows use of the single PodSecurityPolicy named tekton-pipelines.
  # NOTE(review): PodSecurityPolicy was deprecated in Kubernetes 1.21 and
  # removed in 1.25; on clusters at or above 1.25 this rule matches nothing and
  # pod hardening has to come from Pod Security admission or a policy engine.
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - tekton-pipelines
    verbs:
      - use
...
{{- end -}}
{{- include "helpers.template.overlay" ( dict "Global" $ "template_definition" "clusterrole-webhook-cluster-access" ) }}