# Namespaced Role for the Tekton Pipelines controller. Everything granted here
# is limited to the tekton-pipelines namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-pipelines-controller
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/component: tekton-pipelines-controller
rules:
  # list/watch carries no resourceNames, so it covers every ConfigMap in the
  # namespace; only the get rule below is narrowed to named objects.
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "list"
      - "watch"
  # ConfigMaps the controller reads for logging information and runtime
  # configuration.
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "get"
    resourceNames:
      - "config-logging"
      - "config-observability"
      - "config-artifact-bucket"
      - "config-artifact-pvc"
      - "feature-flags"
      - "config-leader-election"
      - "config-registry-cert"
  # NOTE(review): the PodSecurityPolicy API was removed in Kubernetes v1.25.
  # On clusters at or above that version this rule grants nothing, and pod
  # hardening has to come from Pod Security Admission or a policy engine.
  - apiGroups:
      - "policy"
    resources:
      - "podsecuritypolicies"
    resourceNames:
      - "tekton-pipelines"
    verbs:
      - "use"
---
# Namespaced Role for the Tekton Pipelines admission webhook.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-pipelines-webhook
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/component: tekton-pipelines-webhook
rules:
  # list/watch is namespace-wide for ConfigMaps; get is narrowed below.
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "list"
      - "watch"
  # ConfigMaps the webhook reads for logging information.
  - apiGroups:
      - ""
    resources:
      - "configmaps"
    verbs:
      - "get"
    resourceNames:
      - "config-logging"
      - "config-observability"
      - "config-leader-election"
  # NOTE(review): this rule has no resourceNames, and a list response carries
  # the full objects, so the webhook identity can read the data of every
  # Secret in this namespace, not only webhook-certs. Keep unrelated
  # credentials out of tekton-pipelines, and confirm whether the webhook's
  # watch can be scoped to a single name so that the rule can be narrowed.
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "list"
      - "watch"
  # The webhook daemon runs a reconciliation loop on webhook-certs. Whenever
  # the secret changes, it updates the webhook configurations with the
  # certificates stored in the secret. Write access is limited to that one
  # named Secret.
  - apiGroups:
      - ""
    resources:
      - "secrets"
    verbs:
      - "get"
      - "update"
    resourceNames:
      - "webhook-certs"
  # NOTE(review): the PodSecurityPolicy API was removed in Kubernetes v1.25;
  # see the same rule on the controller Role.
  - apiGroups:
      - "policy"
    resources:
      - "podsecuritypolicies"
    resourceNames:
      - "tekton-pipelines"
    verbs:
      - "use"
---
# Namespaced Role that grants access to the Lease objects used for leader
# election.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-pipelines-leader-election
  namespace: tekton-pipelines
rules:
  # Leases are used for leader election.
  # NOTE(review): with no resourceNames, the rule covers every Lease in the
  # namespace, delete included, so any subject bound to this Role can alter
  # another component's election lease. create cannot be limited by
  # resourceNames, but get/update/patch/delete could be split into a rule
  # that names the expected leases, if those names are known.
  - apiGroups:
      - "coordination.k8s.io"
    resources:
      - "leases"
    verbs:
      - "get"
      - "list"
      - "create"
      - "update"
      - "delete"
      - "patch"
      - "watch"