apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: cert-manager-cainjector labels: app: cainjector rules: - apiGroups: ["cert-manager.io"] resources: ["certificates"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["get", "create", "update", "patch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["apiregistration.k8s.io"] resources: ["apiservices"] verbs: ["get", "list", "watch", "update"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch", "update"] --- # Issuer controller role apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: cert-manager-controller-issuers labels: app: cert-manager rules: - apiGroups: ["cert-manager.io"] resources: ["issuers", "issuers/status"] verbs: ["update"] - apiGroups: ["cert-manager.io"] resources: ["issuers"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch", "create", "update", "delete"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] --- # ClusterIssuer controller role apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: cert-manager-controller-clusterissuers labels: app: cert-manager rules: - apiGroups: ["cert-manager.io"] resources: ["clusterissuers", "clusterissuers/status"] verbs: ["update"] - apiGroups: ["cert-manager.io"] resources: ["clusterissuers"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch", "create", "update", "delete"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] --- # Certificates controller role apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: cert-manager-controller-certificates labels: app: cert-manager rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] verbs: ["update"] - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] verbs: ["get", "list", "watch"] # We require these rules to support users with the OwnerReferencesPermissionEnforcement # admission controller enabled: # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - apiGroups: ["cert-manager.io"] resources: ["certificates/finalizers"] verbs: ["update"] - apiGroups: ["acme.cert-manager.io"] resources: ["orders"] verbs: ["create", "delete", "get", "list", "watch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch", "create", "update", "delete"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] --- # Orders controller role apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: cert-manager-controller-orders labels: app: cert-manager rules: - apiGroups: ["acme.cert-manager.io"] resources: ["orders", "orders/status"] verbs: ["update"] - apiGroups: ["acme.cert-manager.io"] resources: ["orders", "challenges"] verbs: ["get", "list", "watch"] - apiGroups: ["cert-manager.io"] resources: ["clusterissuers", "issuers"] verbs: ["get", "list", "watch"] - apiGroups: ["acme.cert-manager.io"] resources: ["challenges"] verbs: ["create", "delete"] # We require these rules to support users with the OwnerReferencesPermissionEnforcement # admission controller enabled: # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - apiGroups: ["acme.cert-manager.io"] resources: ["orders/finalizers"] verbs: ["update"] - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] --- # Challenges controller role apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: cert-manager-controller-challenges labels: app: cert-manager rules: # Use to update challenge resource status - apiGroups: ["acme.cert-manager.io"] resources: ["challenges", "challenges/status"] verbs: ["update"] # Used to watch challenge resources - apiGroups: ["acme.cert-manager.io"] resources: ["challenges"] verbs: ["get", "list", "watch"] # Used to watch challenges, issuer and clusterissuer resources - apiGroups: ["cert-manager.io"] resources: ["issuers", "clusterissuers"] verbs: ["get", "list", "watch"] # Need to be able to retrieve ACME account private key to complete challenges - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] # Used to create events - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] # HTTP01 rules - apiGroups: [""] resources: ["pods", "services"] verbs: ["get", "list", "watch", "create", "delete"] - apiGroups: ["extensions", "networking.k8s.io/v1"] resources: ["ingresses"] verbs: ["get", "list", "watch", "create", "delete", "update"] # We require these rules to support users with the OwnerReferencesPermissionEnforcement # admission controller enabled: # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - apiGroups: ["acme.cert-manager.io"] resources: ["challenges/finalizers"] verbs: ["update"] # DNS01 rules (duplicated above) - apiGroups: [""] resources: ["secrets"] verbs: ["get", "list", "watch"] --- # ingress-shim controller role apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: name: cert-manager-controller-ingress-shim labels: app: cert-manager rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests"] verbs: ["create", "update", "delete"] - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io/v1"] resources: ["ingresses"] verbs: ["get", "list", "watch"] # We require these rules to support users with the OwnerReferencesPermissionEnforcement # admission controller enabled: # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement - apiGroups: ["networking.k8s.io/v1"] resources: ["ingresses/finalizers"] verbs: ["update"] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cert-manager-webhook:webhook-requester labels: app: webhook rules: - apiGroups: - admission.cert-manager.io resources: - certificates - certificaterequests - issuers - clusterissuers verbs: - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cert-manager-view labels: app: cert-manager rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests", "issuers"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cert-manager-edit labels: app: cert-manager rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: ["cert-manager.io"] resources: ["certificates", "certificaterequests", "issuers"] verbs: ["create", "delete", "deletecollection", "patch", "update"]