apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csc-members-kubesystem
# Read-only listing of Services, which "kubectl cluster-info" needs. The role is
# bound with a RoleBinding in kube-system (next document), so the grant applies
# to that one namespace and not cluster-wide.
rules:
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: csc-members-kubesystem
  # A RoleBinding (rather than a ClusterRoleBinding) that references a
  # ClusterRole limits that ClusterRole's rules to this namespace.
  namespace: kube-system
subjects:
  - kind: Group
    name: csc-members
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: csc-members-kubesystem
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csc-members-unnamespaced
# Cluster-scoped, read-only grants. Bound to the csc-members group through the
# ClusterRoleBinding of the same name (next document).
rules:
  # Nodes are cluster-wide objects: this exposes node names, addresses and
  # conditions to every member.
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  # Members may inspect the three ClusterRoles that make up their own
  # permissions. Only "get" is granted, not "list", so the role has to be
  # named explicitly; no other ClusterRole is reachable through this rule.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
    resourceNames:
      - csc-members-kubesystem
      - csc-members-unnamespaced
      - csc-members-default
    verbs:
      - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: csc-members-unnamespaced
# Cluster-wide binding: every member of the csc-members group receives the
# read-only rules of the csc-members-unnamespaced ClusterRole in all
# namespaces.
subjects:
  - kind: Group
    name: csc-members
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: csc-members-unnamespaced
  apiGroup: rbac.authorization.k8s.io
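---
# This ClusterRole must be referenced by a RoleBinding in each member's
# namespace. It is deliberately not bound cluster-wide, so every grant below
# is limited to the namespace the RoleBinding lives in.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: csc-members-default
# Resource and API group names:
# https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
rules:
  # Full control over core namespaced workloads and their configuration.
  # NOTE(review): "*" on pods together with "*" on secrets means a member can
  # run a pod under any ServiceAccount present in the namespace and read every
  # Secret in it, so privileged ServiceAccounts and shared credentials must not
  # be placed in member namespaces.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - events
      - limitranges
      - persistentvolumeclaims
      - pods
      - pods/attach
      - pods/log
      - pods/portforward
      - podtemplates
      - replicationcontrollers
      - secrets
      - services
    verbs:
      - "*"
  # Read-only core resources. Endpoints are intentionally not writable: a
  # principal that can write Endpoints can point a Service at addresses it
  # could not otherwise reach, such as pods in other namespaces, which is why
  # upstream Kubernetes removed Endpoints write access from the built-in
  # admin and edit roles. ResourceQuotas stay read-only so members cannot
  # raise their own limits.
  - apiGroups:
      - ""
    resources:
      - endpoints
      - resourcequotas
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - replicasets
      - statefulsets
    verbs:
      - "*"
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - "*"
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - "*"
  # Which hostnames an Ingress may claim is restricted with Open Policy Agent,
  # not with RBAC. The "extensions" group only carries Ingress on clusters
  # older than Kubernetes 1.22; on newer clusters that entry matches nothing
  # and can be dropped.
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - "*"
  # NOTE(review): if tenant isolation relies on operator-managed NetworkPolicy
  # objects inside member namespaces, this grant lets members edit or delete
  # them; enforce such policies with an admission controller or a
  # cluster-level policy instead.
  - apiGroups:
      - networking.k8s.io
    resources:
      - networkpolicies
    verbs:
      - "*"
  # Roles and RoleBindings are readable but not writable, so members cannot
  # extend their own permissions through RBAC objects.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - list
      - watch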