RBAC
# Namespaces used by this RBAC demo. Namespaces are cluster-scoped objects;
# the RoleBindings further down grant the pseudo-admin group access *inside*
# each of these (kube-system and default are also bound below but are not
# created here, since they already exist in every cluster).
kind: Namespace
apiVersion: v1
metadata:
  name: sock-shop
---
kind: Namespace
apiVersion: v1
metadata:
  name: polaris
---
kind: Namespace
apiVersion: v1
metadata:
  name: falco
---
kind: Namespace
apiVersion: v1
metadata:
  name: cert-manager
---
kind: Namespace
apiVersion: v1
metadata:
  name: amazon-cloudwatch
---
kind: Namespace
apiVersion: v1
metadata:
  name: gatekeeper
---
kind: Namespace
apiVersion: v1
metadata:
  name: security-profiles-operator
---
kind: Namespace
apiVersion: v1
metadata:
  name: seccomp-test
---
# allow-all-cluster-role: verbs '*' on essentially every resource type.
#
# In this file it is only ever referenced from RoleBindings, and a
# RoleBinding grants permissions solely within the binding's namespace. The
# cluster-scoped entries below (nodes, namespaces, persistentvolumes,
# clusterroles/clusterrolebindings, CRDs, webhook configurations, storage
# classes, priority classes, CSRs, ...) are therefore inert through those
# bindings; cluster-wide access comes from the separate catch-all
# ClusterRoleBinding.
#
# Within each bound namespace a reviewer should be aware that:
#  - secrets '*' reads every Secret in the namespace;
#  - pods '*' lets the subject create a pod that runs as any service account
#    in the namespace, i.e. borrow that account's token (no subresource needed);
#  - roles/rolebindings '*' also matches the bind and escalate verbs;
#  - '*' on serviceaccounts also matches the impersonate verb
#    (NOTE(review): confirm that is intended for the pseudo-admin group).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null   # kubectl export residue; harmless, can be removed
  name: allow-all-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - componentstatuses
  - pods
  - endpoints
  - events
  - limitranges
  - bindings
  - persistentvolumes
  - nodes
  - replicationcontrollers
  - podtemplates
  - secrets
  - services
  - configmaps
  - resourcequotas
  - serviceaccounts
  - persistentvolumeclaims
  - namespaces
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - controllerrevisions
  - replicasets
  - daemonsets
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - '*'
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - '*'
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  - subjectaccessreviews
  - selfsubjectrulesreviews
  - selfsubjectaccessreviews
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - '*'
# The two batch rules below could be merged into one; kept as exported.
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - cronjobs
  verbs:
  - '*'
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  - networkpolicies
  verbs:
  - '*'
# extensions/v1beta1 Ingress was removed in Kubernetes 1.22; this rule is
# harmless on newer clusters but no longer matches anything.
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - '*'
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  - poddisruptionbudgets
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  - clusterrolebindings
  - clusterroles
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - csinodes
  - storageclasses
  - volumeattachments
  - csidrivers
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - '*'
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - node.k8s.io
  resources:
  - runtimeclasses
  verbs:
  - '*'
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - '*'
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - prioritylevelconfigurations
  - flowschemas
  verbs:
  - '*'
# Add-on CRD groups (Gatekeeper, AWS VPC CNI, ACK, AWS LB controller, metrics).
- apiGroups:
  - config.gatekeeper.sh
  resources:
  - configs
  verbs:
  - '*'
- apiGroups:
  - crd.k8s.amazonaws.com
  resources:
  - eniconfigs
  verbs:
  - '*'
- apiGroups:
  - eks.services.k8s.aws
  resources:
  - clusters
  - fargateprofiles
  - nodegroups
  - addons
  verbs:
  - '*'
- apiGroups:
  - elbv2.k8s.aws
  resources:
  - targetgroupbindings
  - ingressclassparams
  verbs:
  - '*'
- apiGroups:
  - mutations.gatekeeper.sh
  resources:
  - assignmetadata
  - assign
  verbs:
  - '*'
- apiGroups:
  - services.k8s.aws
  resources:
  - adoptedresources
  verbs:
  - '*'
- apiGroups:
  - templates.gatekeeper.sh
  resources:
  - constrainttemplates
  verbs:
  - '*'
- apiGroups:
  - status.gatekeeper.sh
  resources:
  - constraintpodstatuses
  - constrainttemplatepodstatuses
  - mutatorpodstatuses
  verbs:
  - '*'
- apiGroups:
  - vpcresources.k8s.aws
  resources:
  - securitygrouppolicies
  verbs:
  - '*'
- apiGroups:
  - metrics.k8s.io
  resources:
  - nodes
  - pods
  verbs:
  - '*'
---
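# deny-secrets-cluster-role: the allow-all persona minus Secrets, bound in
# sock-shop via a RoleBinding (so cluster-scoped entries below are inert there).
#
# Kubernetes RBAC is allow-only -- there is no deny rule. "Denying" Secrets is
# achieved by *omitting* them from the rules. The original role ended with a
# rule granting `list` on secrets; `list` returns the full Secret objects,
# data included, so it disclosed every Secret in the namespace. That rule has
# been removed.
#
# Caveat: this role still grants pods '*'. A subject that can create pods in
# the namespace can mount any Secret into a pod it controls and read it from
# there, so omitting the secrets verbs alone does not keep Secrets from
# pseudo-admin; an admission policy on volume/env Secret references is needed
# for that.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deny-secrets-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  - endpoints
  - replicationcontrollers
  - services
  - bindings
  - nodes
  - persistentvolumeclaims
  - podtemplates
  - persistentvolumes
  - resourcequotas
  - configmaps
  - events
  - componentstatuses
  - limitranges
  - namespaces
  - pods
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - replicasets
  - deployments
  - controllerrevisions
  - daemonsets
  - statefulsets
  verbs:
  - '*'
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - '*'
- apiGroups:
  - authentication.k8s.io
  resources:
  - tokenreviews
  verbs:
  - '*'
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectaccessreviews
  - localsubjectaccessreviews
  - selfsubjectrulesreviews
  - subjectaccessreviews
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - '*'
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
  - networkpolicies
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - '*'
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - '*'
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - roles
  - clusterrolebindings
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  - csinodes
  - csidrivers
  - storageclasses
  verbs:
  - '*'
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - '*'
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - node.k8s.io
  resources:
  - runtimeclasses
  verbs:
  - '*'
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - '*'
- apiGroups:
  - flowcontrol.apiserver.k8s.io
  resources:
  - flowschemas
  - prioritylevelconfigurations
  verbs:
  - '*'
- apiGroups:
  - crd.k8s.amazonaws.com
  resources:
  - eniconfigs
  verbs:
  - '*'
- apiGroups:
  - vpcresources.k8s.aws
  resources:
  - securitygrouppolicies
  verbs:
  - '*'
# No rule for core/v1 secrets: absence of a rule is how RBAC denies.
---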
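# catch-all: the cluster-scoped half of the pseudo-admin persona, granted
# cluster-wide through the catch-all ClusterRoleBinding below. RBAC has no
# deny rules, so everything listed here is usable from every namespace.
#
# Fix: the RBAC rule originally used verbs '*'. The wildcard also matches the
# `bind` and `escalate` verbs, which would let the subject create a
# ClusterRoleBinding to cluster-admin, or edit a ClusterRole to contain
# permissions it does not itself hold -- cluster-admin in all but name. The
# verbs are now enumerated so bind/escalate are not implied; the subject can
# still manage ClusterRoles/ClusterRoleBindings, but only with permissions it
# already possesses (the API server's escalation check).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: catch-all
rules:
- apiGroups:
  - ""
  resources:
  - namespaces
  # '*' on nodes allows relabelling, tainting and deleting Node objects;
  # nodes/proxy is a subresource and is NOT covered by this entry.
  - nodes
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  # NOTE(review): a mutating webhook registered by the subject can rewrite
  # any object at admission time, in every namespace. Confirm pseudo-admin
  # is meant to own these cluster-wide.
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
  - deletecollection
---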
# NOTE(review): this binding gives the pseudo-admin group '*' on pods,
# secrets and serviceaccounts inside kube-system. Creating a pod there that
# runs as one of the control-plane/add-on service accounts -- or reading
# their token Secrets on clusters that still auto-create them -- is
# effectively cluster-admin. The restrained deny-secrets role in sock-shop
# and the separate catch-all role suggest that is not the intent; drop this
# binding, or bind a read-only role in kube-system instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-kube-system
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
# Per-namespace bindings of allow-all-cluster-role to the pseudo-admin group.
# Each RoleBinding references the ClusterRole but only grants its rules
# within the binding's own namespace; the cluster-scoped entries in that
# role do not take effect through these bindings.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-amazon-cloudwatch
  namespace: amazon-cloudwatch
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-default
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-cert-manager
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-falco
  namespace: falco
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-gatekeeper
  namespace: gatekeeper
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-polaris
  namespace: polaris
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-security-profiles-operator
  namespace: security-profiles-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-seccomp-test
  namespace: seccomp-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: allow-all-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
# sock-shop is the one namespace where pseudo-admin gets the secrets-free
# role instead of allow-all-cluster-role. Whether Secrets are actually kept
# from the group depends entirely on the rules in deny-secrets-cluster-role
# (RBAC cannot express a deny; only omission works).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deny-secrets
  namespace: sock-shop
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: deny-secrets-cluster-role
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin
---
# The only cluster-wide grant in this file: whatever the catch-all
# ClusterRole lists is usable by pseudo-admin in every namespace and on
# cluster-scoped objects, so that role is where cluster-level privilege is
# decided.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: catch-all
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: catch-all
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: pseudo-admin