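---
# Service account that the nginx ingress controller pods run as.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Service account name: nginx-ingress-serviceaccount
  name: nginx-ingress-serviceaccount
  # Namespace: ingress-nginx
  namespace: ingress-nginx
---
# RBAC authorization: cluster-wide permissions for the controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # ClusterRole name: nginx-ingress-clusterrole
  name: nginx-ingress-clusterrole
# Cluster-scoped permissions.
# An RBAC rule grants every listed verb on every listed resource in every
# listed API group, so each API group below gets its own rule with only the
# verbs that resource needs.
rules:
  # list/watch on secrets in all namespaces exposes the data of every Secret
  # in the cluster to this service account. If the controller only serves a
  # known set of namespaces, grant this through namespaced Roles instead.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - nodes
      - pods
      - secrets
    verbs:
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - get
      - list
      - watch
  # Ingress objects are read-only for the controller; only the status
  # subresource is written (see the next rule).
  # NOTE(review): controller releases that watch IngressClass objects also
  # need get/list/watch on ingressclasses here; confirm against the deployed
  # controller version.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  # NOTE(review): create/update on leases is granted cluster-wide, which
  # covers the leader-election locks of every namespace. Once the lease name
  # used by the controller is confirmed, move the write verbs into the
  # namespaced Role below and pin them with resourceNames.
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Namespaced permissions inside ingress-nginx.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
      - namespaces
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs:
      - get
      - update
  # create cannot be restricted by resourceNames (the object name is not
  # known to the authorizer at creation time), so it is a separate rule.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - endpoints
    verbs:
      - get
---
# Role binding: attaches nginx-ingress-role to the service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  # RoleBinding name: nginx-ingress-role-nisa-binding
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
---
# Cluster role binding: attaches nginx-ingress-clusterrole to the service
# account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  # ClusterRoleBinding name: nginx-ingress-clusterrole-nisa-binding
  name: nginx-ingress-clusterrole-nisa-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx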