kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: system:network-policies
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: Reconcile
rules:
- apiGroups: [""]
resources:
- pods
- nodes
- namespaces
verbs:
- get
- watch
- list
# Watch for changes to Kubernetes NetworkPolicies.
- apiGroups: ["networking.k8s.io"]
resources:
- networkpolicies
verbs:
- watch
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kube-network-policies
labels:
addonmanager.kubernetes.io/mode: Reconcile
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:network-policies
subjects:
- kind: ServiceAccount
name: kube-network-policies
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-network-policies
namespace: kube-system
labels:
k8s-app: kube-network-policies
kubernetes.io/cluster-service: "true"
addonmanager.kubernetes.io/mode: Reconcile