tailscale/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml

# Copyright (c) Tailscale Inc & AUTHORS
# SPDX-License-Identifier: BSD-3-Clause

apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator
  namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tailscale-operator
rules:
- apiGroups: [""]
  resources: ["events", "services", "services/status"]
  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingresses/status"]
  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingressclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["tailscale.com"]
  resources: ["connectors", "connectors/status", "proxyclasses", "proxyclasses/status"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: ["tailscale.com"]
  resources: ["dnsconfigs", "dnsconfigs/status"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: ["tailscale.com"]
  resources: ["recorders", "recorders/status"]
  verbs: ["get", "list", "watch", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tailscale-operator
subjects:
- kind: ServiceAccount
  name: operator
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: ClusterRole
  name: tailscale-operator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: operator
  namespace: {{ .Release.Namespace }}
rules:
- apiGroups: [""]
  resources: ["secrets", "serviceaccounts", "configmaps"]
  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
- apiGroups: ["apps"]
  resources: ["statefulsets", "deployments"]
  verbs: ["create","delete","deletecollection","get","list","patch","update","watch"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["roles", "rolebindings"]
  verbs: ["get", "create", "patch", "update", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: operator
  namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
  name: operator
  namespace: {{ .Release.Namespace }}
roleRef:
  kind: Role
  name: operator
  apiGroup: rbac.authorization.k8s.io