apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null name: {{ include "actions-runner-controller.managerRoleName" . }} rules: - apiGroups: - actions.summerwind.dev resources: - horizontalrunnerautoscalers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - horizontalrunnerautoscalers/finalizers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - horizontalrunnerautoscalers/status verbs: - get - patch - update - apiGroups: - actions.summerwind.dev resources: - runnerdeployments verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runnerdeployments/finalizers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runnerdeployments/status verbs: - get - patch - update - apiGroups: - actions.summerwind.dev resources: - runnerreplicasets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runnerreplicasets/finalizers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runnerreplicasets/status verbs: - get - patch - update - apiGroups: - actions.summerwind.dev resources: - runners verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runners/finalizers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runners/status verbs: - get - patch - update - apiGroups: - actions.summerwind.dev resources: - runnersets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runnersets/finalizers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - actions.summerwind.dev resources: - runnersets/status verbs: - get - patch - update - apiGroups: - "apps" resources: - statefulsets verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "apps" resources: - statefulsets/finalizers verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - "" resources: - persistentvolumeclaims verbs: - delete - get - list - patch - update - watch - apiGroups: - "" resources: - persistentvolumes verbs: - delete - get - list - patch - update - watch - apiGroups: - coordination.k8s.io resources: - leases verbs: - create - get - list - update - apiGroups: - "" resources: - pods verbs: - create - delete - get - list - patch - update - watch - apiGroups: - "" resources: - pods/finalizers verbs: - create - delete - get - list - patch - update - watch {{- if .Values.runner.statusUpdateHook.enabled }} - apiGroups: - "" resources: - serviceaccounts verbs: - create - delete - get - apiGroups: - rbac.authorization.k8s.io resources: - rolebindings verbs: - create - delete - get - apiGroups: - rbac.authorization.k8s.io resources: - roles verbs: - create - delete - get {{- end }} {{- if .Values.rbac.allowGrantingKubernetesContainerModePermissions }} {{/* These permissions are required by ARC to create RBAC resources for the runner pod to use the kubernetes container mode. */}} {{/* See https://github.com/actions/actions-runner-controller/pull/1268/files#r917331632 */}} - apiGroups: - "" resources: - pods/exec verbs: - create - get - apiGroups: - "" resources: - pods/log verbs: - get - list - watch - apiGroups: - "batch" resources: - jobs verbs: - get - list - create - delete {{- end }}