A ClusterRole creates a role at the cluster level and in all namespaces.

```hcl
resource "kubernetes_cluster_role_v1" "example" {
  metadata {
    name = "terraform-example"
  }

  rule {
    api_groups = [""]
    resources  = ["namespaces", "pods"]
    verbs      = ["get", "list", "watch"]
  }
}
```

An aggregated ClusterRole, whose rules the controller assembles from the ClusterRoles matched by its selectors:

```hcl
resource "kubernetes_cluster_role_v1" "example" {
  metadata {
    name = "terraform-example"
  }

  aggregation_rule {
    cluster_role_selectors {
      match_labels = {
        foo = "bar"
      }

      match_expressions {
        key      = "environment"
        operator = "In"
        values   = ["non-exists-12345"]
      }
    }
  }
}
```
The following arguments are supported:

- metadata - (Required) Standard Kubernetes metadata. For more info see Kubernetes reference.
- rule - (Optional) The PolicyRules for this ClusterRole. For more info see Kubernetes reference.
- aggregation_rule - (Optional) Describes how to build the Rules for this ClusterRole. If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be overwritten by the controller. For more info see Kubernetes reference.

metadata

- annotations - (Optional) An unstructured key value map stored with the cluster role that may be used to store arbitrary metadata.
- generate_name - (Optional) Prefix, used by the server, to generate a unique name ONLY IF the name field has not been provided. This value will also be combined with a unique suffix. For more info see Kubernetes reference.
- labels - (Optional) Map of string keys and values that can be used to organize and categorize (scope and select) the cluster role.
- name - (Optional) Name of the cluster role, must be unique. Cannot be updated. For more info see Kubernetes reference.
- generation - A sequence number representing a specific generation of the desired state.
- resource_version - An opaque value that represents the internal version of this object that can be used by clients to determine when the object has changed. For more info see Kubernetes reference.
- uid - The unique in time and space value for this cluster role. For more info see Kubernetes reference.

rule

- api_groups - (Optional) APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against one of the enumerated resources in any API group will be allowed.
- non_resource_urls - (Optional) NonResourceURLs is a set of partial URLs that a user should have access to. '*'s are allowed, but only as the full, final step in the path. Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding. Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"), but not both.
- resource_names - (Optional) ResourceNames is an optional white list of names that the rule applies to. An empty set means that everything is allowed.
- resources - (Optional) Resources is a list of resources this rule applies to. '*' represents all resources.
- verbs - (Required) Verbs is a list of Verbs that apply to ALL the ResourceKinds and AttributeRestrictions contained in this rule. '*' represents all kinds.

aggregation_rule

- cluster_role_selectors - (Optional) A list of selectors which will be used to find ClusterRoles and create the rules.

cluster_role_selectors

- match_expressions - (Optional) A list of label selector requirements. The requirements are ANDed.
- match_labels - (Optional) A map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.

ClusterRole can be imported using the name, e.g.

```shell
$ terraform import kubernetes_cluster_role_v1.example terraform-name
```
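To make the semantics in the argument reference concrete (match_labels and match_expressions ANDed inside one selector, selectors ORed across the list, an empty resource_names meaning every object, a trailing '*' in non_resource_urls, and resource rules never matching paths), here is an added Python model of how the aggregation controller and the RBAC authorizer evaluate them. It is illustration written for this page, not provider or Kubernetes code, and all function names are assumed.

```python
# Added model of ClusterRole rule matching and aggregation_rule selector semantics.

def selector_matches(selector, labels):
    """One cluster_role_selectors block: match_labels and match_expressions are ANDed.
    A match_labels entry k=v is equivalent to {key: k, operator: "In", values: [v]}."""
    exprs = [{"key": k, "operator": "In", "values": [v]}
             for k, v in selector.get("match_labels", {}).items()]
    exprs += selector.get("match_expressions", [])
    for e in exprs:
        key, op, values = e["key"], e["operator"], e.get("values", [])
        present = key in labels
        satisfied = {"In": present and labels.get(key) in values,
                     "NotIn": not (present and labels.get(key) in values),
                     "Exists": present,
                     "DoesNotExist": not present}[op]
        if not satisfied:
            return False
    return True

def aggregate_rules(aggregation_rule, cluster_roles):
    """Rules the controller would assemble: every ClusterRole matched by at least
    one selector contributes its rules (selectors are ORed with each other)."""
    rules = []
    for role in cluster_roles:
        if any(selector_matches(s, role.get("labels", {}))
               for s in aggregation_rule["cluster_role_selectors"]):
            rules.extend(role["rules"])
    return rules

def rule_allows(rule, verb, api_group="", resource=None, name=None, path=None):
    """Does one rule permit the request? Resource rules and non-resource URL rules
    are disjoint, so a rule with 'resources' never matches a path and vice versa."""
    def hit(wanted, allowed):
        return "*" in allowed or wanted in allowed
    if not hit(verb, rule["verbs"]):
        return False
    if path is not None:  # non-resource URL: exact match or trailing-'*' prefix
        return "resources" not in rule and any(
            u == path or (u.endswith("*") and path.startswith(u[:-1]))
            for u in rule.get("non_resource_urls", []))
    if "resources" not in rule or not hit(api_group, rule.get("api_groups", [])):
        return False
    if not hit(resource, rule["resources"]):
        return False
    names = rule.get("resource_names", [])  # empty list means every object
    return not names or name in names

def allowed(rules, **request):
    """True if any rule in the (possibly aggregated) ClusterRole permits the request."""
    return any(rule_allows(r, **request) for r in rules)
```

Fed the page's two examples, the aggregating role's selector matches a role labelled only foo=bar in nothing, because the environment requirement is ANDed with the label; a role carrying both labels contributes its rules.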