1
0
Fork 0
manifests/csc-clusterroles.yaml

107 lines
2.5 KiB
YAML

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: csc-members-kubesystem
rules:
# This is necessary for "kubectl cluster-info" to work
- apiGroups: [""]
resources: ["services"]
verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: csc-members-kubesystem
namespace: kube-system
subjects:
- kind: Group
name: csc-members
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: csc-members-kubesystem
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: csc-members-unnamespaced
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingressclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles"]
resourceNames:
- csc-members-kubesystem
- csc-members-unnamespaced
- csc-members-default
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: csc-members-unnamespaced
subjects:
- kind: Group
name: csc-members
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: csc-members-unnamespaced
apiGroup: rbac.authorization.k8s.io
---
# This ClusterRole must be referenced by a RoleBinding in each member's namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: csc-members-default
# See https://kubernetes.io/docs/reference/kubectl/overview/#resource-types
rules:
- apiGroups: [""]
resources:
- configmaps
- endpoints
- events
- limitranges
- persistentvolumeclaims
- pods
- pods/attach
- pods/log
- pods/portforward
- podtemplates
- replicationcontrollers
- secrets
- services
verbs: ["*"]
- apiGroups: [""]
resources: ["resourcequotas"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources:
- daemonsets
- deployments
- replicasets
- statefulsets
verbs: ["*"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["*"]
- apiGroups: ["batch"]
resources: ["cronjobs", "jobs"]
verbs: ["*"]
- apiGroups: ["extensions", "networking.k8s.io"]
resources: ["ingresses"]
# use Open Policy Agent to restrict which domains can be used
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["roles", "rolebindings"]
verbs: ["get", "list", "watch"]