{{- /*
ClusterRole for Traefik. Nothing is rendered unless .Values.rbac.enabled is true.

Scope summary, as written in this template:
  - The ingressclasses read rule is always present.
  - Every other rule (and the "ingresses" resource in the first rule) is
    rendered only when .Values.rbac.namespaced is false.
NOTE(review): presumably a namespace-scoped Role elsewhere in the chart carries
the equivalent rules when rbac.namespaced is true; that is not visible in this
file, so confirm it.

The comments in this file are template comments, so they do not appear in the
rendered manifest.
*/ -}}
{{- if .Values.rbac.enabled -}}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ template "traefik.clusterRoleName" . }}
  labels:
    {{- include "traefik.labels" . | nindent 4 }}
    {{- /*
    One aggregate-to-<entry> label is added per item in .Values.rbac.aggregateTo.
    A ClusterRole whose aggregationRule selects such a label absorbs every rule
    in this role, including the read access to secrets below when
    rbac.namespaced is false. Review the list before aggregating into roles that
    are bound broadly (for example the built-in view role).
    */}}
    {{- range .Values.rbac.aggregateTo }}
    rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
    {{- end }}
rules:
{{- /*
Read-only access to IngressClass objects; "ingresses" is added to the same rule
only when rbac.namespaced is false.
*/}}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingressclasses
{{- if not .Values.rbac.namespaced }}
      - ingresses
{{- end }}
    verbs:
      - get
      - list
      - watch
{{- if not .Values.rbac.namespaced }}
{{- /*
Core API group: get/list/watch on services, endpoints and secrets.
Security note: this rule has no resourceNames restriction. If this ClusterRole
is bound with a ClusterRoleBinding (the binding is not shown in this file), the
bound subject can read every Secret in every namespace. Setting rbac.namespaced
to true keeps this rule out of the ClusterRole.
*/}}
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
{{- if .Values.providers.kubernetesIngress.enabled }}
{{- /*
Write access limited to the status subresource of Ingress objects; rendered only
when the kubernetesIngress provider is enabled.
*/}}
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
{{- end -}}
{{- if .Values.providers.kubernetesCRD.enabled }}
{{- /*
Read-only access to the traefik.containo.us custom resources; rendered only when
the kubernetesCRD provider is enabled.
*/}}
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - tlsoptions
      - tlsstores
      - traefikservices
      - serverstransports
    verbs:
      - get
      - list
      - watch
{{- end -}}
{{- if .Values.podSecurityPolicy.enabled }}
{{- /*
Allows "use" of a single PodSecurityPolicy, pinned through resourceNames to the
name produced by the traefik.fullname template.
NOTE(review): PodSecurityPolicy was removed in Kubernetes 1.25; confirm which
cluster versions this chart targets.
*/}}
  - apiGroups:
      - policy
    resourceNames:
      - {{ template "traefik.fullname" . }}
    resources:
      - podsecuritypolicies
    verbs:
      - use
{{- end -}}
{{- if .Values.experimental.kubernetesGateway.enabled }}
{{- /*
Gateway API support (experimental values key). Three rules are rendered:
list/watch on namespaces, read-only access to the gateway.networking.k8s.io
resources, and update on their status subresources only.
*/}}
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gatewayclasses
      - gateways
      - httproutes
      - tcproutes
      - tlsroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gatewayclasses/status
      - gateways/status
      - httproutes/status
      - tcproutes/status
      - tlsroutes/status
    verbs:
      - update
{{- end -}}
{{- end -}}
{{- end -}}