# ClusterRole holding the API permissions for the "flannel" service account.
# It is created only when var.create_cluster_role is true. The binding in this
# file refers to the role by var.cluster_role_name in both cases, so with the
# flag off a role of that name presumably has to exist already (verify against
# the module's callers).
resource "kubernetes_cluster_role" "this" {
  count = var.create_cluster_role ? 1 : 0

  metadata {
    name = var.cluster_role_name
  }

  # "use" is limited by resource_names to the single PodSecurityPolicy managed
  # alongside this role, so the role cannot select any other policy.
  # NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25 and this rule
  # names the legacy "extensions" API group; confirm the target cluster version
  # still evaluates PSP under this group.
  rule {
    verbs          = ["use"]
    api_groups     = ["extensions"]
    resources      = ["podsecuritypolicies"]
    resource_names = [kubernetes_pod_security_policy.this.metadata[0].name]
  }

  # Read-only access to individual pods in the core API group.
  rule {
    verbs      = ["get"]
    api_groups = [""]
    resources  = ["pods"]
  }

  # Enumerate and watch nodes; no write access to the node objects themselves.
  rule {
    verbs      = ["list", "watch"]
    api_groups = [""]
    resources  = ["nodes"]
  }

  # Write access to the status subresource of nodes. The rule carries no
  # resource_names, so it applies to every node in the cluster: a leaked token
  # for the bound service account could alter the reported status of any node.
  rule {
    verbs      = ["patch"]
    api_groups = [""]
    resources  = ["nodes/status"]
  }
}
# ServiceAccount named "flannel" in var.namespace. Its name and namespace are
# read back by the ClusterRoleBinding in this file, which makes this account the
# identity that receives the cluster-wide permissions.
resource "kubernetes_service_account" "this" {
  metadata {
    namespace = var.namespace
    name      = "flannel"
  }
}
# Binds the ClusterRole named var.cluster_role_name to the "flannel" service
# account. This is a ClusterRoleBinding, so the role's rules apply cluster-wide
# rather than inside a single namespace.
resource "kubernetes_cluster_role_binding" "this" {
  metadata {
    name = "flannel"
  }

  # The subject is taken from the managed service account, so the binding
  # follows that resource's name and namespace.
  subject {
    kind      = "ServiceAccount"
    namespace = kubernetes_service_account.this.metadata[0].namespace
    name      = kubernetes_service_account.this.metadata[0].name
  }

  # The role is referenced by variable, not through kubernetes_cluster_role.this,
  # so Terraform sees no dependency between the two resources.
  # NOTE(review): when var.create_cluster_role is false the privileges granted
  # here are whatever the pre-existing role of that name contains; review that
  # role's rules before binding to it.
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = var.cluster_role_name
  }
}