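{{- /*
RBAC for the Holmes service account. Everything in this file is rendered only
when .Values.createServiceAccount is set:
  - a ClusterRole with read-only verbs (get/list/watch) on workload, networking,
    RBAC, autoscaling and monitoring resources;
  - the ServiceAccount itself;
  - a ClusterRoleBinding that attaches the role cluster-wide;
  - on OpenShift, an extra binding to the cluster-monitoring-view ClusterRole,
    which is referenced here but not defined in this file.
The static rules below do not grant access to secrets and contain no
create/update/patch/delete verbs.
*/}}
{{- if .Values.createServiceAccount }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # ClusterRole is cluster-scoped, so no metadata.namespace is set here.
  name: {{ .Release.Name }}-holmes-cluster-role
rules:
{{- if .Values.customClusterRoleRules }}
# NOTE(review): customClusterRoleRules is appended verbatim and applies
# cluster-wide through the ClusterRoleBinding below. Review any override for
# write verbs, wildcards or access to secrets before deploying.
{{ toYaml .Values.customClusterRoleRules | indent 2 }}
{{- end }}
  - apiGroups:
      - "storage.k8s.io"
    resources:
      - storageclasses
    verbs:
      - list
      - get
      - watch

  - apiGroups:
      - "metrics.k8s.io"
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list

  # Core API group. pods/log and configmaps are readable in every namespace;
  # both can carry sensitive data, so treat the service account token as
  # sensitive. daemonsets, deployments and replicasets are not core-group
  # resources; the "apps" rule further down is what actually grants them.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - daemonsets
      - deployments
      - events
      - namespaces
      - persistentvolumes
      - persistentvolumeclaims
      - pods
      - pods/status
      - pods/log
      - replicasets
      - replicationcontrollers
      - services
      - serviceaccounts
      - endpoints
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - "apiregistration.k8s.io"
    resources:
      - apiservices
    verbs:
      - get
      - list

  # Read access to cluster-level RBAC objects (namespaced roles and
  # rolebindings are granted separately below, without watch).
  - apiGroups:
      - "rbac.authorization.k8s.io"
    resources:
      - clusterroles
      - clusterrolebindings
    verbs:
      - get
      - list
      - watch

  # Single HPA rule; a second get/list-only rule for the same resource would
  # add nothing because RBAC rules are additive.
  - apiGroups:
      - "autoscaling"
    resources:
      - horizontalpodautoscalers
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - ingresses
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - "events.k8s.io"
    resources:
      - events
    verbs:
      - get
      - list

  - apiGroups:
      - "apiextensions.k8s.io"
    resources:
      - "customresourcedefinitions"
    verbs:
      - "list"
      - "get"

  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - get
      - list
      - watch

  - apiGroups:
      - "policy"
    resources:
      - poddisruptionbudgets
      - podsecuritypolicies
    verbs:
      - get
      - list

  # Namespaced RBAC objects: get/list only. clusterroles and
  # clusterrolebindings already have get/list/watch from the earlier
  # rbac.authorization.k8s.io rule, so they are not repeated here.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - list

{{- if .Values.openshift }}
  - apiGroups:
      - apps.openshift.io
    resources:
      - deploymentconfigs
    verbs:
      - get
      - list
      - watch
{{- end }}

  # Prometheus CRDs
  - apiGroups:
      - monitoring.coreos.com
    resources:
      - alertmanagers
      - alertmanagers/finalizers
      - alertmanagers/status
      - alertmanagerconfigs
      - prometheuses
      - prometheuses/finalizers
      - prometheuses/status
      - prometheusagents
      - prometheusagents/finalizers
      - prometheusagents/status
      - thanosrulers
      - thanosrulers/finalizers
      - thanosrulers/status
      - scrapeconfigs
      - servicemonitors
      - podmonitors
      - probes
      - prometheusrules
    verbs:
      - get
      - list
      - watch

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "holmes.serviceAccountName" . }}
  # Quoted so that an all-digit namespace name is not parsed as an integer.
  namespace: {{ .Release.Namespace | quote }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
{{- if .Values.serviceAccount.imagePullSecrets }}
imagePullSecrets:
  {{- toYaml .Values.serviceAccount.imagePullSecrets | nindent 2 }}
{{- end }}
---
# Binds the role above to the service account for the whole cluster, so every
# rule in it applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-holmes-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-holmes-cluster-role
subjects:
  - kind: ServiceAccount
    name: {{ include "holmes.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
{{- if .Values.openshift }}
---
# OpenShift only: binds the service account to the cluster-monitoring-view
# ClusterRole. That role is not defined in this file, so its permissions must
# be reviewed on the target cluster.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ .Release.Name }}-holmes-cluster-monitoring
subjects:
  - kind: ServiceAccount
    name: {{ include "holmes.serviceAccountName" . }}
    namespace: {{ .Release.Namespace | quote }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-monitoring-view
{{- end }}
{{- end }}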