---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Service account under which Tiller (the Helm v2 server component) runs.
# Both ClusterRoleBindings later in this file bind this account at cluster
# scope, so its token carries every rule of the caas:tiller ClusterRole in
# every namespace. Treat the token as highly privileged: keep it in
# kube-system only and do not reuse this account for other workloads.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
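---
# ClusterRole for Tiller (the Helm v2 server component), derived from the
# built-in `admin` ClusterRole and extended with the platform-specific
# resources listed at the end (danmnets, apiservices, admission webhooks).
#
# SECURITY NOTE: the ClusterRoleBinding in this file binds these rules at
# cluster scope, so they apply in every namespace, including kube-system.
# The built-in admin role is only safe because it is meant for namespaced
# RoleBindings; granted cluster-wide, several rules below are
# cluster-admin-equivalent:
#   - secrets get/list: reads every Secret in the cluster, including
#     service-account token Secrets on clusters that still create them.
#   - pods create in any namespace: a pod can be started under any existing
#     service account of that namespace, e.g. the kube-system controllers.
#   - mutatingwebhookconfigurations create/update: intercepts and rewrites
#     every admission request in the cluster.
#   - apiservices create/update: registers an aggregated API server for
#     any API group.
#   - roles/rolebindings create: RBAC escalation prevention limits grants
#     to what tiller already holds, which is already most of the cluster.
# Treat the tiller token as cluster-admin. Helm v2 Tiller by default
# accepts unauthenticated gRPC requests from any pod that can reach it, so
# enable TLS client authentication on Tiller and restrict network access to
# the Tiller pod (e.g. with a NetworkPolicy). Where the platform allows it,
# prefer per-namespace Tiller instances bound with RoleBindings instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: caas:tiller
rules:
  # Workload objects rendered from charts. The exec/attach/portforward/proxy
  # pod subresources that the admin role grants to interactive users are
  # deliberately left out: Tiller deploys manifests through the API and is
  # not expected to need them, and cluster-wide exec into kube-system pods
  # would be a direct route to control-plane compromise. If a platform
  # component turns out to rely on the tiller token for these, grant them
  # to that component's own service account instead.
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Core namespaced resources. Helm v2 stores release state in ConfigMaps
  # by default (Secrets with --storage=secret) and charts create the rest.
  # services/proxy is left out for the same reason as pods/proxy above.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Read-only status and log access (e.g. waiting for hook pods, reading
  # `helm test` output).
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  # Namespaces are read-only here; Tiller cannot create or delete them.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Legacy extensions-group paths for the same workload kinds plus
  # ingresses and networkpolicies. NOTE(review): there is no rule for the
  # networking.k8s.io group, so charts that ship Ingress or NetworkPolicy
  # objects under that group will be denied until one is added.
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Lets Tiller ask whether a subject may perform an action in a namespace;
  # it cannot grant anything by itself.
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  # Namespaced RBAC objects shipped by charts. Escalation prevention
  # applies: tiller can only grant permissions it holds itself.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  # Platform-specific additions beyond the admin role. apiservices and the
  # admission webhook configurations are cluster-scoped, high-impact
  # resources; see the security note at the top of this document.
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - danm.k8s.io
    resources:
      - danmnets
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch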
---
# Binds the tiller service account to caas:tiller at cluster scope, so every
# rule of that ClusterRole applies in every namespace, including kube-system.
# This is what turns a namespace-style rule set into cluster-wide power; if
# Tiller only needs to manage a known set of namespaces, replace this with
# one RoleBinding per namespace that references the same ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: caas:tiller
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: caas:tiller
  apiGroup: rbac.authorization.k8s.io
---
# Grants the tiller service account the caas:infra-psp ClusterRole (defined
# outside this file; presumably a `use` grant on a PodSecurityPolicy).
# Because this is a ClusterRoleBinding, the grant applies in every
# namespace. NOTE(review): confirm that caas:infra-psp is not a privileged
# policy, since pods Tiller creates directly are admitted against what the
# creating user may use. PodSecurityPolicy was removed in Kubernetes 1.25;
# this binding needs a replacement mechanism on such clusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: caas:tiller-psp
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: caas:infra-psp
  apiGroup: rbac.authorization.k8s.io