Webapp RBAC
# ClusterRole for the blockcluster webapp service account (bound cluster-wide
# by the ClusterRoleBinding below).
#
# NOTE(review): taken together these rules are close to cluster-admin. The
# holder can read every Secret in every namespace, create Pods and
# PersistentVolumes anywhere, modify Nodes, and write Roles/ClusterRoles and
# their bindings. Any compromise of the webapp (or of a pod that mounts this
# service account's token) is therefore a full-cluster compromise. Reduce to
# the verbs/resources the webapp actually uses and prefer namespaced
# RoleBindings where possible. Several entries below also sit under API groups
# that do not serve them; they are inert on a stock API server but make the
# effective grant hard to audit.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: blockcluster-webapp
rules:
  # Non-resource API server paths. '/version' is a standard kube-apiserver
  # endpoint; '/ping' is not one on a stock API server -- confirm which path
  # the webapp actually probes (the usual ones are /healthz, /livez, /readyz).
  - nonResourceURLs:
      - '/ping'
      - '/version'
    verbs: ['get']
  # Full write access to Node objects cluster-wide (patch/update/delete),
  # not just read. 'nodes' under metrics.k8s.io is the NodeMetrics API, which
  # only supports get/list; the write verbs are inert there.
  - apiGroups: ['', 'metrics.k8s.io']
    resources:
      - 'nodes'
    verbs: ['get', 'list', 'watch', 'patch', 'create', 'delete', 'update']
  # Jobs/CronJobs live in the 'batch' group only; the '' and metrics.k8s.io
  # entries do not serve these resources and grant nothing.
  - apiGroups: ['', 'metrics.k8s.io', 'batch']
    resources:
      - 'cronjobs'
      - 'jobs'
    verbs: ['get', 'list', 'watch', 'delete', 'create', 'update', 'patch']
  # TokenReview is a create-only, non-persisted resource (used to validate
  # bearer tokens). Only 'create' has any effect; the other verbs are inert,
  # and the '' group entry grants nothing.
  - apiGroups: ['', 'authentication.k8s.io']
    resources:
      - 'tokenreviews'
    verbs: ['create', 'list', 'watch', 'delete', 'update', 'patch', 'get']
  # SubjectAccessReview / LocalSubjectAccessReview are likewise create-only
  # (authorization checks on behalf of another subject). Only 'create' matters.
  - apiGroups: ['', 'authorization.k8s.io']
    resources:
      - 'localsubjectaccessreviews'
      - 'subjectaccessreviews'
    verbs: ['create', 'list', 'watch', 'delete', 'update', 'patch', 'get']
  # Workload objects plus Namespaces, cluster-wide. 'namespaces' is a core ('')
  # resource; its apps/extensions entries are inert. 'extensions' is the legacy
  # group: deployments/replicasets were removed from it in Kubernetes 1.16 and
  # ingresses moved to networking.k8s.io (removed from extensions in 1.22), so
  # on current clusters this rule no longer covers Ingress at all -- TODO
  # confirm against the target cluster version.
  - apiGroups: ['', 'apps', 'extensions']
    resources:
      - 'deployments'
      - 'ingresses'
      - 'ingresses/status'
      - 'replicasets'
      - 'namespaces'
      - 'statefulsets'
    verbs: ['get', 'delete', 'update', 'patch', 'list', 'watch', 'create']
  # CSR submission/mutation cluster-wide. Approval goes through the
  # certificatesigningrequests/approval subresource, which is NOT granted here,
  # so as written the holder can file CSRs but should not be able to
  # self-approve them -- verify that nothing else (e.g. a controller running as
  # this SA) closes that loop.
  - apiGroups: ['', 'certificates.k8s.io']
    resources:
      - 'certificatesigningrequests'
    verbs: ['get', 'delete', 'update', 'patch', 'list', 'watch', 'create']
  # Core-group resources, all verbs, all namespaces. Security-relevant parts:
  #   - 'pods' create: unless an admission policy (PodSecurity/OPA) forbids it,
  #     the holder can run a privileged/hostPath pod on any node.
  #   - 'persistentvolumes' create: hostPath PVs give node filesystem access.
  #   - 'nodes/status' and 'pods/status' patch: normally kubelet/controller-only.
  #   - 'configmaps' and 'endpoints' write: can redirect Services to
  #     attacker-controlled endpoints.
  # Inert entries (not served by the core group on a stock API server):
  # 'statefulsets' (apps), 'ingresses' (extensions/networking.k8s.io),
  # 'storageclasses' (storage.k8s.io), 'horizontalpodautoscalers'
  # (autoscaling). HPAs are therefore NOT granted anywhere in this role --
  # if the webapp manages HPAs, an 'autoscaling' rule is missing.
  - apiGroups: ['']
    resources:
      - 'nodes/status'
      - 'pods/status'
      - 'pods/eviction'
      - 'pods'
      - 'events'
      - 'services'
      - 'horizontalpodautoscalers'
      - 'statefulsets'
      - 'persistentvolumeclaims'
      - 'ingresses'
      - 'persistentvolumes'
      - 'configmaps'
      - 'endpoints'
      - 'storageclasses'
    verbs: ['get', 'delete', 'update', 'patch', 'list', 'watch', 'create']
  # Write access to RBAC objects themselves. The API server's escalation check
  # only lets a subject grant permissions it already holds (or holds the
  # 'escalate'/'bind' verbs for); because this role already covers most of the
  # cluster, that check offers little protection here -- the holder can
  # effectively re-bind itself or others to cluster-admin-equivalent access.
  # 'serviceaccounts' create plus 'secrets' (below) also allows minting tokens
  # for new identities. 'endpoints' is already granted under '' in the rule
  # above; the entry here is a duplicate.
  - apiGroups: ['', 'rbac.authorization.k8s.io']
    resources:
      - 'clusterroles'
      - 'clusterrolebindings'
      - 'roles'
      - 'rolebindings'
      - 'endpoints'
      - 'serviceaccounts'
    verbs: ['get', 'delete', 'update', 'patch', 'list', 'watch', 'create']
  # StorageClasses are cluster-scoped; a bad default class affects every PVC.
  - apiGroups: ['', 'storage.k8s.io']
    resources:
      - 'storageclasses'
    verbs: ['get', 'delete', 'update', 'patch', 'list', 'watch', 'create']
  # get/list/watch on Secrets in ALL namespaces: exposes every credential in
  # the cluster, including other service accounts' tokens (which can then be
  # replayed to act as those identities). If the webapp only needs its own
  # secrets, scope this with a namespaced Role/RoleBinding and, where
  # practical, resourceNames.
  - apiGroups: ['']
    resources:
      - 'secrets'
    verbs: ['delete', 'create', 'get', 'list', 'watch', 'update', 'patch']
---
# Identity the webapp runs as; bound cluster-wide to the ClusterRole above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: blockcluster-webapp
  namespace: blockcluster
# true is already the default. Every pod that uses this ServiceAccount (and
# does not set automountServiceAccountToken: false in its own spec) gets a
# token carrying the full ClusterRole mounted into every container.
# NOTE(review): given how broad that role is, consider setting this to false
# here and opting in only on the pod spec that actually talks to the API
# server, so sidecars and unrelated workloads in the namespace cannot pick up
# the token by accident.
automountServiceAccountToken: true
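---
# Binds the ClusterRole to the webapp ServiceAccount across the whole cluster.
#
# Fix: the original carried `namespace: blockcluster` under metadata.
# ClusterRoleBinding is cluster-scoped, so that field is at best ignored by
# the API server (newer kubectl versions warn about it) and it misleads
# readers into thinking the grant is confined to one namespace. It is not.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: blockcluster-webapp
subjects:
  # The subject's namespace is required here -- it identifies WHICH
  # ServiceAccount object this is. It does not scope the permissions granted;
  # those apply cluster-wide because this is a ClusterRoleBinding.
  - kind: ServiceAccount
    name: blockcluster-webapp
    namespace: blockcluster
roleRef:
  # NOTE(review): if the webapp only manages resources inside `blockcluster`,
  # use a namespaced RoleBinding to this ClusterRole instead; it confines the
  # grant to that namespace. Cluster-scoped resources (nodes, PVs, ClusterRoles,
  # StorageClasses, CSRs) would then need a separate, minimal ClusterRoleBinding.
  kind: ClusterRole
  name: blockcluster-webapp
  apiGroup: rbac.authorization.k8s.io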