certificates/autocert/install/03-rbac.yaml

# Create a ClusterRole for managing autocert secrets, which should
# only exist in namespaces with autocert enabled and should always
# be labeled `autocert.step.sm/token: true`.
#
# To create this ClusterRole you need cluster-admin privileges. On
# GKE you can give yourself cluster-admin privileges using the
# following command:
#
# kubectl create clusterrolebinding cluster-admin-binding \
#  --clusterrole cluster-admin \
#  --user $(gcloud config get-value account)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: autocert-secret-management
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "delete"]

---

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: autocert-secret-management
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: autocert-secret-management
subjects:
- kind: ServiceAccount
  name: default
  namespace: step