kyverno/vendor/k8s.io/kubernetes/cluster/addons/calico-policy-controller/calico-clusterrole.yaml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico
  namespace: kube-system
  labels:
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups: [""]
    resources:
      - namespaces
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - endpoints
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - services
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - pods/status
    verbs:
      - update
      - patch
  - apiGroups: [""]
    resources:
      - nodes
    verbs:
      - get
      - list
      - update
      - watch
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - felixconfigurations
      - bgppeers
      - bgpconfigurations
      - ippools
      - globalnetworkpolicies
      - globalnetworksets
      - networkpolicies
      - clusterinformations
      - hostendpoints
    verbs:
      - create
      - get
      - list
      - update
      - watch
  # Used in Calico v2.6 only - can be removed after upgrade.
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
      - patch
  - apiGroups: ["crd.projectcalico.org"]
    resources:
      - globalfelixconfigs
      - globalbgpconfigs
    verbs:
      - create
      - get
      - list
      - update
      - watch
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - get
      - list
      - watch
update vendor 2019-10-23 23:19:53 -07:00			`kind: ClusterRole`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`metadata:`
			`name: calico`
			`namespace: kube-system`
			`labels:`
			`kubernetes.io/cluster-service: "true"`
			`addonmanager.kubernetes.io/mode: Reconcile`
			`rules:`
			`- apiGroups: [""]`
			`resources:`
			`- namespaces`
			`- serviceaccounts`
			`verbs:`
			`- get`
			`- list`
			`- watch`
			`- apiGroups: [""]`
			`resources:`
			`- endpoints`
			`verbs:`
			`- get`
			`- apiGroups: [""]`
			`resources:`
			`- services`
			`verbs:`
			`- get`
			`- apiGroups: [""]`
			`resources:`
			`- pods/status`
			`verbs:`
			`- update`
			`- patch`
			`- apiGroups: [""]`
			`resources:`
			`- nodes`
			`verbs:`
			`- get`
			`- list`
			`- update`
			`- watch`
			`- apiGroups: ["networking.k8s.io"]`
			`resources:`
			`- networkpolicies`
			`verbs:`
			`- watch`
			`- list`
			`- apiGroups: ["crd.projectcalico.org"]`
			`resources:`
			`- felixconfigurations`
			`- bgppeers`
			`- bgpconfigurations`
			`- ippools`
			`- globalnetworkpolicies`
			`- globalnetworksets`
			`- networkpolicies`
			`- clusterinformations`
			`- hostendpoints`
			`verbs:`
			`- create`
			`- get`
			`- list`
			`- update`
			`- watch`
			`# Used in Calico v2.6 only - can be removed after upgrade.`
			`- apiGroups: [""]`
			`resources:`
			`- pods`
			`verbs:`
			`- get`
			`- list`
			`- watch`
			`- patch`
			`- apiGroups: ["crd.projectcalico.org"]`
			`resources:`
			`- globalfelixconfigs`
			`- globalbgpconfigs`
			`verbs:`
			`- create`
			`- get`
			`- list`
			`- update`
			`- watch`
			`- apiGroups: ["extensions"]`
			`resources:`
			`- networkpolicies`
			`verbs:`
			`- get`
			`- list`
			`- watch`