Add Role and RoleBinding

Add Role and RoleBinding for nghttpx-secret.  Move permissions for
events and leases to Role.

README.md

@@ -197,23 +197,8 @@ port specified by `--nghttpx-https-port` flag.
 > v0.66.0, copy Secret `nghttpx-quic-km` to `nghttpx-km`, and upgrade
 > nghttpx-ingress-controller.
 
-HTTP/3 requires writing Secret and extra capabilities to load eBPF
-program.  For writing Secret, you might need to add the following
-entry to ClusterRole:
-
-```yaml
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-...
-rules:
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "update", "patch"]
-...
-```
-
-Add the following capabilities to the nghttpx-ingress-controller
-container:
+HTTP/3 requires the extra capabilities to load eBPF program.  Add the
+following capabilities to the nghttpx-ingress-controller container:
 
 ```yaml
 apiVersion: apps/v1

examples/default/service-account.yaml

@@ -21,22 +21,46 @@ rules:
 - apiGroups: ["discovery.k8s.io"]
   resources: ["endpointslices"]
   verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress
+subjects:
+- kind: ServiceAccount
+  name: ingress
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: ingress
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress
+  namespace: kube-system
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "update", "patch"]
 - apiGroups: ["events.k8s.io"]
   resources: ["events"]
   verbs: ["create", "patch"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ingress
+  namespace: kube-system
 subjects:
 - kind: ServiceAccount
   name: ingress
   namespace: kube-system
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: ingress
   apiGroup: rbac.authorization.k8s.io

examples/proxyproto/02-nghttpx-rbac.yaml

@@ -43,13 +43,6 @@ rules:
       - get
       - list
       - watch
-  - apiGroups:
-      - "events.k8s.io"
-    resources:
-        - events
-    verbs:
-        - create
-        - patch
   - apiGroups:
       - "networking.k8s.io"
     resources:
@@ -107,6 +100,21 @@ rules:
       - get
       - create
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - update
+      - patch
+  - apiGroups:
+      - "events.k8s.io"
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
   - apiGroups:
       - "coordination.k8s.io"
     resources:

rc.yaml

@@ -77,28 +77,47 @@ rules:
 - apiGroups: ["discovery.k8s.io"]
   resources: ["endpointslices"]
   verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress
+subjects:
+- kind: ServiceAccount
+  name: ingress
+  namespace: kube-system
+roleRef:
+  kind: ClusterRole
+  name: ingress
+  apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ingress
+  namespace: kube-system
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "update", "patch"]
 - apiGroups: ["events.k8s.io"]
   resources: ["events"]
   verbs: ["create", "patch"]
 - apiGroups: ["coordination.k8s.io"]
   resources: ["leases"]
   verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-# Permission to write Secret is required for HTTP/3.
-# You can remove it if HTTP/3 is not used.
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["create", "update", "patch"]
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ingress
+  namespace: kube-system
 subjects:
 - kind: ServiceAccount
   name: ingress
   namespace: kube-system
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: ingress
   apiGroup: rbac.authorization.k8s.io
 ---