apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: system:controller:glbc
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:controller:glbc
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: [""]
  resources: ["endpoints", "services", "pods", "nodes", "namespaces"]
  verbs: ["get", "list", "watch"]
# TODO: switch to patch services/status
# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L339-L342
# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/pkg/neg/controller.go#L359-L361
- apiGroups: [""]
  resources: ["services"]
  verbs: ["update", "patch"]
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["get", "list", "watch"]
# For now, GLBC annotates ingress resources with various state and statuses: 
# https://github.com/kubernetes/ingress-gce/blob/50d49b077d9ab4362a02fae05f94e433cd3f08dc/pkg/controller/controller.go#L579
# TODO(rramkumar1): Remove unnecessary `update` permission once statuses are propagated through `ingresses/status`
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["update"]
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["ingresses/status"]
  verbs: ["update"]
# GLBC ensures that the `cloud.google.com/backendconfigs` CRD exists in a desired state:
# https://github.com/kubernetes/ingress-gce/blob/4918eb2f0f484f09ac9e5a975907a9b16ed2b344/cmd/glbc/main.go#L93
# TODO(rramkumar1): https://github.com/kubernetes/ingress-gce/issues/744
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]
- apiGroups: ["cloud.google.com"]
  resources: ["backendconfigs"]
  verbs: ["get", "list", "watch", "update", "create", "patch"]