update iam helm

Author: coding-hui

installer/helm/iam/templates/rbac.yaml

@@ -0,0 +1,47 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "iam.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "iam.fullname" . }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "configmaps" ]
+    verbs: [ "get", "list", "watch" ]
+  # Rules below is used generate admission service secret
+  - apiGroups: [ "certificates.k8s.io" ]
+    resources: [ "certificatesigningrequests" ]
+    verbs: [ "get", "list", "create", "delete" ]
+  - apiGroups: [ "certificates.k8s.io" ]
+    resources: [ "certificatesigningrequests/approval" ]
+    verbs: [ "create", "update" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "create", "get", "patch" ]
+  - apiGroups: [ "scheduling.incubator.k8s.io", "scheduling.volcano.sh" ]
+    resources: [ "queues" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "" ]
+    resources: [ "services" ]
+    verbs: [ "get" ]
+  - apiGroups: [ "scheduling.incubator.k8s.io", "scheduling.volcano.sh" ]
+    resources: [ "podgroups" ]
+    verbs: [ "get", "list", "watch" ]
+
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "iam.fullname" . }}-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "iam.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "iam.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io