From 45589089104dca7a9c8ac02d574bfc3c8f343dc8 Mon Sep 17 00:00:00 2001
From: Sergey Nuzdhin
Date: Tue, 19 Sep 2017 19:52:50 +0200
Subject: [PATCH] Create RBAC policy for cert-manager #34
---
 README.md | 6 ++++--
 docs/rbac.yaml | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 docs/rbac.yaml
diff --git a/README.md b/README.md
index 8b7ea843e..5cb5a8345 100644
--- a/README.md
+++ b/README.md
@@ -49,9 +49,11 @@ To deploy the latest version of cert-manager using Helm, run:
 $ helm install --name cert-manager --namespace kube-system contrib/charts/cert-manager
 ```
-**NOTE**
+#### Deploy RBAC roles
-* There are currently no official RBAC roles defined for cert-manager (see [#34](https://github.com/jetstack-experimental/cert-manager/issues/34))
+```
+$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/rbac.yaml
+```
 ### 2. Set up letsencrypt staging issuer
diff --git a/docs/rbac.yaml b/docs/rbac.yaml
new file mode 100644
index 000000000..808a49af1
--- /dev/null
+++ b/docs/rbac.yaml
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager
+rules:
+- apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "issuers"]
+ verbs: ["get", "list", "watch", "update", "create"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "update", "create", "patch"]
+- apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "put", "create", "update", "list", "watch"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["list","watch","get", "create", "update", "delete"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["list","watch","get", "update", "delete", "create"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["list","watch","update","create","delete", "get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-binding
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager
+subjects:
+- namespace: default
+ kind: ServiceAccount
+ name: default
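Review bot: The ClusterRoleBinding's `subjects` entry grants this role — including cluster-wide get/list/update/delete on `secrets` — to the `default` ServiceAccount of the `default` namespace, so every pod in that namespace that does not set its own `serviceAccountName` inherits it, while the cert-manager pod that the README installs into `kube-system` is not even covered by it. Bind the role to a dedicated ServiceAccount instead (for example one named `cert-manager` in `kube-system`, matching the README's Helm namespace) and ship that ServiceAccount in the same manifest. Separately, `put` in the `endpoints` rule is not a Kubernetes RBAC verb (`update` already covers HTTP PUT) and should be dropped, and the `namespace: default` under the ClusterRoleBinding's `metadata` has no effect on a cluster-scoped object. The flow-list spacing also varies between rules (`["list","watch","get", ...]` versus `["get", "list", ...]`); use one space after each comma throughout.
```yaml
# … unchanged: ClusterRole cert-manager (rules as in the hunk, minus "put") …
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cert-manager  # example name; must match the deployment's serviceAccountName
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager
subjects:
  - kind: ServiceAccount
    name: cert-manager
    namespace: kube-system
```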