---
# Read-only access in kube-system, limited to what `kubectl cluster-info`
# needs: it lists Services in kube-system to print the control-plane URLs.
# The role is a ClusterRole only so it can be defined once; the RoleBinding
# below confines it to the kube-system namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csc-members-kubesystem
rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - list
---
# Namespaced binding: the grant above applies in kube-system and nowhere else.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csc-members-kubesystem
  namespace: kube-system
subjects:
  - kind: Group
    name: csc-members
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: csc-members-kubesystem
  apiGroup: rbac.authorization.k8s.io
---
# Cluster-scoped, read-only access that every member gets via the
# ClusterRoleBinding below.  Nothing here grants a write verb.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csc-members-unnamespaced
rules:
  # Node metadata (names, labels, addresses, capacity) is visible to all
  # members.  This is the nodes resource only; subresources such as
  # nodes/proxy are separate permissions and are not granted here.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  # Members need to see which IngressClasses exist to reference them.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # Let members inspect (only) the three roles that apply to them,
  # e.g. `kubectl describe clusterrole csc-members-default`.  Restricted by
  # resourceNames, so no other ClusterRole in the cluster is readable.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
    resourceNames:
      - csc-members-kubesystem
      - csc-members-unnamespaced
      - csc-members-default
    verbs:
      - get
---
# Cluster-wide binding of the read-only role above to the member group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csc-members-unnamespaced
subjects:
  - kind: Group
    name: csc-members
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: csc-members-unnamespaced
  apiGroup: rbac.authorization.k8s.io
---
# The ClusterRole that follows (csc-members-default) is deliberately NOT bound
# cluster-wide.  It must be referenced by a RoleBinding in each member's own
# namespace, which scopes all of its rules to that namespace.
# Per-namespace permissions for a CSC member.  Defined as a ClusterRole so
# the rule set exists once, but it is only ever attached through a
# RoleBinding inside a member's namespace, which confines every rule below to
# that namespace.
#
# Reviewer notes on what these grants imply for the namespace owner:
#   * "*" on secrets means anyone bound here can read every Secret in the
#     namespace, so only the member's own material should live there.
#   * "*" on pods together with "*" on serviceaccounts lets a member run a
#     Pod under any ServiceAccount of the namespace and use that SA's token.
#     No SA in a member namespace should be bound to more than the member
#     holds.  Subresources are not implied by "*" on the parent resource, so
#     serviceaccounts/token (TokenRequest) is NOT granted by this role.
#   * pods/exec, pods/attach and pods/portforward give interactive access
#     into running containers.
#   * create/update on roles and rolebindings is bounded by the API server's
#     RBAC escalation check: without the escalate / bind verbs a member can
#     only grant permissions they already hold.
#
# Resource names follow
# https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csc-members-default
rules:
  # Core-group workload and configuration objects, fully managed by the
  # member.  Note this includes delete on events: if Events are used to
  # reconstruct what happened, rely on the API audit log instead.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - events
      - limitranges
      - persistentvolumeclaims
      - pods
      - pods/attach
      - pods/exec
      - pods/log
      - pods/portforward
      - podtemplates
      - replicationcontrollers
      - secrets
      - serviceaccounts
      - services
    verbs:
      - "*"
  # Quotas are set by the platform; members may inspect but not change them.
  - apiGroups:
      - ""
    resources:
      - resourcequotas
    verbs:
      - get
      - list
      - watch
  # Standard controllers in the apps group.
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/scale
      - replicasets
      - statefulsets
    verbs:
      - "*"
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - "*"
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - "*"
  # RBAC cannot limit which hostnames an Ingress may claim; that restriction
  # is delegated to an admission policy (Open Policy Agent) and must be
  # enforced there.  The "extensions" group is kept for clusters that still
  # serve extensions/v1beta1 Ingress (removed in Kubernetes 1.22); on newer
  # clusters that entry matches nothing and is harmless.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - "*"
  # Members control network isolation within their own namespace.
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - "*"
  # Members may manage Roles/RoleBindings in their namespace.  The verbs are
  # spelled out rather than "*" so that escalate and bind are never included.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete