apiVersion: v1 kind: Namespace metadata: name: tigera-operator labels: name: tigera-operator pod-security.kubernetes.io/enforce: privileged --- # Source: tigera-operator/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml apiVersion: v1 kind: ServiceAccount metadata: name: tigera-operator namespace: tigera-operator labels: k8s-app: tigera-operator imagePullSecrets: [] --- # Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator-secrets.yaml # Permissions required to manipulate operator secrets for a Calico cluster. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: tigera-operator-secrets labels: k8s-app: tigera-operator rules: - apiGroups: - "" resources: - secrets verbs: - create - update - delete --- # Source: tigera-operator/templates/tigera-operator/02-role-tigera-operator.yaml # Permissions required when running the operator for a Calico cluster. apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: tigera-operator labels: k8s-app: tigera-operator rules: # The tigera/operator installs CustomResourceDefinitions necessary for itself # and Calico more broadly to function. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - get - list - watch - create # We only allow update access to our own CRDs. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - update resourceNames: - apiservers.operator.tigera.io - gatewayapis.operator.tigera.io - imagesets.operator.tigera.io - installations.operator.tigera.io - tigerastatuses.operator.tigera.io - bgpconfigurations.crd.projectcalico.org - bgpfilters.crd.projectcalico.org - bgppeers.crd.projectcalico.org - blockaffinities.crd.projectcalico.org - caliconodestatuses.crd.projectcalico.org - clusterinformations.crd.projectcalico.org - felixconfigurations.crd.projectcalico.org - globalnetworkpolicies.crd.projectcalico.org - stagedglobalnetworkpolicies.crd.projectcalico.org - globalnetworksets.crd.projectcalico.org - hostendpoints.crd.projectcalico.org - ipamblocks.crd.projectcalico.org - ipamconfigs.crd.projectcalico.org - ipamhandles.crd.projectcalico.org - ippools.crd.projectcalico.org - ipreservations.crd.projectcalico.org - kubecontrollersconfigurations.crd.projectcalico.org - networkpolicies.crd.projectcalico.org - stagednetworkpolicies.crd.projectcalico.org - stagedkubernetesnetworkpolicies.crd.projectcalico.org - networksets.crd.projectcalico.org - tiers.crd.projectcalico.org - whiskers.operator.tigera.io - goldmanes.operator.tigera.io - managementclusterconnections.operator.tigera.io # We need update and delete access for ANP/BANP CRDs to set owner refs when assuming control of pre-existing CRDs, for example on OCP. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - update - delete resourceNames: - adminnetworkpolicies.policy.networking.k8s.io - baselineadminnetworkpolicies.policy.networking.k8s.io - apiGroups: - "" resources: - namespaces - pods - podtemplates - services - endpoints - events - configmaps - serviceaccounts verbs: - create - get - list - update - delete - watch - apiGroups: - "" resources: - resourcequotas - secrets verbs: - list - get - watch - apiGroups: - "" resources: - resourcequotas verbs: - create - get - list - update - delete - watch resourceNames: - calico-critical-pods - tigera-critical-pods - apiGroups: - "" resources: - nodes verbs: # Need to update node labels when migrating nodes. - get - patch - list # We need this for Typha autoscaling - watch - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles - clusterrolebindings - rolebindings - roles verbs: - create - get - list - update - delete - watch - bind - escalate - apiGroups: - apps resources: - deployments - daemonsets - statefulsets verbs: - create - get - list - patch - update - delete - watch - apiGroups: - apps resourceNames: - tigera-operator resources: - deployments/finalizers verbs: - update # The operator needs read and update permissions on the APIs that it controls. - apiGroups: - operator.tigera.io resources: # Note: any resources used by the operator within an OwnerReference for resources # it creates requires permissions to /finalizers. - apiservers - apiservers/finalizers - apiservers/status - gatewayapis - gatewayapis/finalizers - gatewayapis/status - goldmanes - goldmanes/finalizers - goldmanes/status - imagesets - installations - installations/finalizers - installations/status - managementclusterconnections - managementclusterconnections/finalizers - managementclusterconnections/status - tigerastatuses - tigerastatuses/status - tigerastatuses/finalizers - whiskers - whiskers/finalizers - whiskers/status verbs: - get - list - update - patch - watch # In addition to the above, the operator creates and deletes TigeraStatus resources. - apiGroups: - operator.tigera.io resources: - tigerastatuses verbs: - create - delete # In addition to the above, the operator should have the ability to delete their own resources during uninstallation. - apiGroups: - operator.tigera.io resources: - installations - apiservers - whiskers - goldmanes verbs: - delete - apiGroups: - networking.k8s.io resources: - networkpolicies verbs: - create - update - delete - get - list - watch - apiGroups: - crd.projectcalico.org resources: - felixconfigurations - ippools verbs: - create - patch - list - get - watch - apiGroups: - crd.projectcalico.org resources: - kubecontrollersconfigurations - bgpconfigurations - clusterinformations verbs: - get - list - watch - apiGroups: - projectcalico.org resources: - ippools verbs: - create - update - delete - patch - get - list - watch - apiGroups: - projectcalico.org resources: - ipamconfigurations verbs: - get - list - watch - apiGroups: - scheduling.k8s.io resources: - priorityclasses verbs: - create - get - list - update - delete - watch - apiGroups: - policy resources: - poddisruptionbudgets verbs: - create - get - list - update - delete - watch - apiGroups: - apiregistration.k8s.io resources: - apiservices verbs: - list - watch - create - update - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations verbs: - delete # Needed for operator lock - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - list - update - delete - watch - apiGroups: - storage.k8s.io resources: - csidrivers verbs: - list - watch - update - get - create - delete # Add the permissions to monitor the status of certificate signing requests when certificate management is enabled. - apiGroups: - certificates.k8s.io resources: - certificatesigningrequests verbs: - list - watch # Add the appropriate pod security policy permissions - apiGroups: - policy resources: - podsecuritypolicies resourceNames: - tigera-operator verbs: - use - apiGroups: - policy resources: - podsecuritypolicies verbs: - get - list - watch - create - update - delete # For tiered network policy actions, tigera-apiserver requires that we authorize the operator for the tier.networkpolicies and tier.globalnetworkpolicies pseudo-kinds. - apiGroups: - projectcalico.org resourceNames: - allow-tigera.* resources: - tier.networkpolicies - tier.globalnetworkpolicies verbs: - list - watch - get - create - update - delete # For tiered network policy actions, tigera-apiserver requires get authorization on the associated tier. - apiGroups: - projectcalico.org resourceNames: - allow-tigera resources: - tiers verbs: - get - delete - update # Separated from the above rule since resourceNames does not support the create verb, and requires a field selector for list/watch verbs. - apiGroups: - projectcalico.org resources: - tiers verbs: - create - list - watch # Additions for Gateway API support. # 1. The operator needs to reconcile gateway.networking.k8s.io and gateway.envoyproxy.io CRDs. - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - update resourceNames: - backendlbpolicies.gateway.networking.k8s.io - backendtlspolicies.gateway.networking.k8s.io - gatewayclasses.gateway.networking.k8s.io - gateways.gateway.networking.k8s.io - grpcroutes.gateway.networking.k8s.io - httproutes.gateway.networking.k8s.io - referencegrants.gateway.networking.k8s.io - tcproutes.gateway.networking.k8s.io - tlsroutes.gateway.networking.k8s.io - udproutes.gateway.networking.k8s.io - backends.gateway.envoyproxy.io - backendtrafficpolicies.gateway.envoyproxy.io - clienttrafficpolicies.gateway.envoyproxy.io - envoyextensionpolicies.gateway.envoyproxy.io - envoypatchpolicies.gateway.envoyproxy.io - envoyproxies.gateway.envoyproxy.io - httproutefilters.gateway.envoyproxy.io - securitypolicies.gateway.envoyproxy.io # 2. GatewayClasses and EnvoyProxy configurations. - apiGroups: - gateway.networking.k8s.io resources: - gatewayclasses verbs: - create - update - delete - list - get - watch - apiGroups: - gateway.envoyproxy.io resources: - envoyproxies verbs: - create - update - delete - list - get - watch # 3. For Gateway API the operator needs to be able to create and reconcile a certificate # generation job. - apiGroups: - batch resources: - jobs verbs: - create - list - watch - apiGroups: - batch resources: - jobs verbs: - update resourceNames: - tigera-gateway-api-gateway-helm-certgen --- # Source: tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator.yaml kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tigera-operator labels: k8s-app: tigera-operator subjects: - kind: ServiceAccount name: tigera-operator namespace: tigera-operator roleRef: kind: ClusterRole name: tigera-operator apiGroup: rbac.authorization.k8s.io --- # Source: tigera-operator/templates/tigera-operator/02-rolebinding-tigera-operator-secrets.yaml kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tigera-operator-secrets namespace: tigera-operator labels: k8s-app: tigera-operator subjects: - kind: ServiceAccount name: tigera-operator namespace: tigera-operator roleRef: kind: ClusterRole name: tigera-operator-secrets apiGroup: rbac.authorization.k8s.io --- # Source: tigera-operator/templates/tigera-operator/02-tigera-operator.yaml apiVersion: apps/v1 kind: Deployment metadata: name: tigera-operator namespace: tigera-operator labels: k8s-app: tigera-operator spec: replicas: 1 selector: matchLabels: name: tigera-operator template: metadata: labels: name: tigera-operator k8s-app: tigera-operator spec: nodeSelector: kubernetes.io/os: linux tolerations: - effect: NoExecute operator: Exists - effect: NoSchedule operator: Exists serviceAccountName: tigera-operator # Set the termination grace period to match how long the operator will wait for # resources to terminate when being uninstalled. terminationGracePeriodSeconds: 60 hostNetwork: true # This must be set when hostNetwork is true or else the cluster services won't resolve dnsPolicy: ClusterFirstWithHostNet containers: - name: tigera-operator image: quay.io/tigera/operator:v1.38.6 imagePullPolicy: IfNotPresent command: - operator args: # Configure tigera-operator to manage installation of the necessary CRDs. - -manage-crds=true volumeMounts: - name: var-lib-calico readOnly: true mountPath: /var/lib/calico env: - name: WATCH_NAMESPACE value: "" - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: OPERATOR_NAME value: "tigera-operator" - name: TIGERA_OPERATOR_INIT_IMAGE_VERSION value: v1.38.6 envFrom: - configMapRef: name: kubernetes-services-endpoint optional: true volumes: - name: var-lib-calico hostPath: path: /var/lib/calico