-
-
Save zchee/ce70bda21c3c0de32c31cd18f189e486 to your computer and use it in GitHub Desktop.
Kubernetes RBAC for Spinnaker
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Authorize read-write in the default namespace. Add this Role and the below RoleBinding to every namespace spinnaker deploys artifacts to | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: Role | |
| metadata: | |
| name: spinnaker-role | |
| namespace: default | |
| rules: | |
| - apiGroups: [""] | |
| resources: ["namespaces", "events", "replicationcontrollers", "serviceaccounts", "pods/logs"] | |
| verbs: ["get", "list"] | |
| - apiGroups: [""] | |
| resources: ["pods", "services", "secrets", "configmaps"] | |
| verbs: ["*"] | |
| - apiGroups: ["apps"] | |
| resources: ["deployments", "statefulsets"] | |
| verbs: ["*"] | |
| - apiGroups: ["autoscaling"] | |
| resources: ["horizontalpodautoscalers"] | |
| verbs: ["list", "get"] | |
| - apiGroups: ["apps"] | |
| resources: ["controllerrevisions"] | |
| verbs: ["list"] | |
| - apiGroups: ["extensions", "app"] | |
| resources: ["deployments", "replicasets", "ingresses"] | |
| verbs: ["*"] | |
| --- | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| kind: RoleBinding | |
| metadata: | |
| name: spinnaker-role-binding | |
| namespace: default | |
| roleRef: | |
| apiGroup: rbac.authorization.k8s.io | |
| kind: Role | |
| name: spinnaker-role | |
| subjects: | |
| - namespace: spinnaker | |
| kind: ServiceAccount | |
| name: default | |
| --- | |
| # Authorize cluster-wide readonly permissions | |
| kind: ClusterRole | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: cluster-read-all | |
| rules: | |
| - | |
| apiGroups: | |
| - "" | |
| - apps | |
| - autoscaling | |
| - batch | |
| - extensions | |
| - policy | |
| - rbac.authorization.k8s.io | |
| - storage.k8s.io | |
| - apiextensions.k8s.io | |
| - crd.k8s.amazonaws.com | |
| - apiregistration.k8s.io | |
| resources: | |
| - componentstatuses | |
| - configmaps | |
| - daemonsets | |
| - deployments | |
| - events | |
| - endpoints | |
| - horizontalpodautoscalers | |
| - ingress | |
| - ingresses | |
| - jobs | |
| - cronjobs | |
| - limitranges | |
| - namespaces | |
| - nodes | |
| - pods | |
| - persistentvolumes | |
| - persistentvolumeclaims | |
| - resourcequotas | |
| - replicasets | |
| - replicationcontrollers | |
| - serviceaccounts | |
| - services | |
| - clusterroles | |
| - clusterrolebindings | |
| - storageclasses | |
| - statefulsets | |
| - secrets | |
| - networkpolicies | |
| - rolebindings | |
| - roles | |
| - pods/log | |
| - poddisruptionbudgets | |
| - customresourcedefinitions | |
| - controllerrevisions | |
| - eniconfigs | |
| - apiservices | |
| verbs: | |
| - get | |
| - watch | |
| - list | |
| - nonResourceURLs: ["*"] | |
| verbs: | |
| - get | |
| - watch | |
| - list | |
| --- | |
| kind: ClusterRoleBinding | |
| apiVersion: rbac.authorization.k8s.io/v1 | |
| metadata: | |
| name: spinnaker-cluster-read-all | |
| subjects: | |
| - kind: ServiceAccount | |
| name: default | |
| namespace: spinnaker | |
| roleRef: | |
| kind: ClusterRole | |
| name: cluster-read-all | |
| apiGroup: rbac.authorization.k8s.io |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment