WIP: feat: add rbac on workload cluster for cluster autoscaler

templates/addons/cluster-autoscaler/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
     - cluster-autoscaler.yaml
+    - workload-rbac.yaml

templates/addons/cluster-autoscaler/workload-rbac.yaml

@@ -0,0 +1,151 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ${CLUSTER_NAME}-cluster-autoscaler-addon
+data:
+  cluster-autoscaler-workload-rbac.yaml: |
+    ---
+    kind: ClusterRoleBinding
+    apiVersion: rbac.authorization.k8s.io/v1
+    metadata:
+      name: cluster-autoscaler
+    roleRef:
+      apiGroup: rbac.authorization.k8s.io
+      kind: ClusterRole
+      name: cluster-autoscaler
+    subjects:
+    - kind: ServiceAccount
+      name: cluster-autoscaler
+      namespace: kube-system
+    ---
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: cluster-autoscaler
+      namespace: kube-system
+    ---
+    kind: ClusterRole
+    apiVersion: rbac.authorization.k8s.io/v1
+    metadata:
+      name: cluster-autoscaler
+    rules:
+      - apiGroups:
+        - ""
+        resources:
+        - namespaces
+        - persistentvolumeclaims
+        - persistentvolumes
+        - pods
+        - replicationcontrollers
+        - services
+        verbs:
+        - get
+        - list
+        - watch
+      - apiGroups:
+        - ""
+        resources:
+        - nodes
+        verbs:
+        - get
+        - list
+        - update
+        - watch
+      - apiGroups:
+        - ""
+        resources:
+        - pods/eviction
+        verbs:
+        - create
+      - apiGroups:
+        - policy
+        resources:
+        - poddisruptionbudgets
+        verbs:
+        - list
+        - watch
+      - apiGroups:
+        - storage.k8s.io
+        resources:
+        - csinodes
+        - storageclasses
+        - csidrivers
+        - csistoragecapacities
+        verbs:
+        - get
+        - list
+        - watch
+      - apiGroups:
+        - batch
+        resources:
+        - jobs
+        verbs:
+        - list
+        - watch
+      - apiGroups:
+        - apps
+        resources:
+        - daemonsets
+        - replicasets
+        - statefulsets
+        verbs:
+        - list
+        - watch
+      - apiGroups:
+        - ""
+        resources:
+        - events
+        verbs:
+        - create
+        - patch
+      - apiGroups:
+        - ""
+        resources:
+        - configmaps
+        verbs:
+        - create
+        - delete
+        - get
+        - update
+      - apiGroups:
+        - coordination.k8s.io
+        resources:
+        - leases
+        verbs:
+        - create
+        - get
+        - update
+---
+apiVersion: v1
+kind: Secret
+type: addons.cluster.x-k8s.io/resource-set
+metadata:
+  name: ${CLUSTER_NAME}-cluster-autoscaler-addon
+stringData:
+  cluster-autoscaler-workload-token.yaml: |-
+    ---
+    apiVersion: v1
+    kind: Secret
+    metadata:
+      name: cluster-autoscaler-token
+      namespace: kube-system
+      annotations:
+        kubernetes.io/service-account.name: cluster-autoscaler
+    type: kubernetes.io/service-account-token
+---
+apiVersion: addons.cluster.x-k8s.io/v1beta1
+kind: ClusterResourceSet
+metadata:
+  name: ${CLUSTER_NAME}-cluster-autoscaler
+spec:
+  clusterSelector:
+    matchLabels:
+      cluster-autoscaler: "true"
+      cluster: ${CLUSTER_NAME}
+  resources:
+  - kind: ConfigMap
+    name: ${CLUSTER_NAME}-cluster-autoscaler-addon
+  - kind: Secret
+    name: ${CLUSTER_NAME}-cluster-autoscaler-addon
+  strategy: ApplyOnce