kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: katib-cert-generator
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - create
      - delete
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - patch
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - get
      - create
      - delete
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests/approval
    verbs:
      - update
  - apiGroups:
      - certificates.k8s.io
    resources:
      - signers
    resourceNames:
      - kubernetes.io/*
    verbs:
      - approve
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: katib-cert-generator
  namespace: kubeflow
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: katib-cert-generator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: katib-cert-generator
subjects:
  - kind: ServiceAccount
    name: katib-cert-generator
    namespace: kubeflow