Added node read rule. 19/619/3
authorSzekeres, Balazs (Nokia - HU/Budapest) <balazs.szekeres@nokia.com>
Mon, 6 May 2019 10:43:04 +0000 (12:43 +0200)
committerSzekeres, Balazs (Nokia - HU/Budapest) <balazs.szekeres@nokia.com>
Thu, 16 May 2019 14:58:39 +0000 (16:58 +0200)
- Now the node.go can read the node resources, as kube-proxy user.
- Added .gitreview file for ease of use.

Change-Id: If6c2e34b8486c0ebfd52d0afc1dbb0fe41197373
Signed-off-by: Szekeres, Balazs (Nokia - HU/Budapest) <balazs.szekeres@nokia.com>
.gitreview [new file with mode: 0644]
rbac_manifests/kube-proxy-rbac-config.yaml [new file with mode: 0644]

diff --git a/.gitreview b/.gitreview
new file mode 100644 (file)
index 0000000..cf5bdd6
--- /dev/null
@@ -0,0 +1,5 @@
+[gerrit]
+host=gerrit.akraino.org
+port=29418
+project=ta/caas-security
+defaultremote=origin
diff --git a/rbac_manifests/kube-proxy-rbac-config.yaml b/rbac_manifests/kube-proxy-rbac-config.yaml
new file mode 100644 (file)
index 0000000..78a5029
--- /dev/null
@@ -0,0 +1,38 @@
+---
+# Copyright 2019 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:kube-proxy
+rules:
+  - apiGroups:
+    - extensions
+    resources:
+    - node
+    verbs: [ "read" ]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: caas:kube-proxy
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: caas:kube-proxy
+subjects:
+  - kind: User
+    apiGroup: rbac.authorization.k8s.io
+    name: system:kube-proxy
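Review bot: The single rule in the `caas:kube-proxy` ClusterRole does not match any real API request, so the binding to `system:kube-proxy` grants no node access. Node objects live in the core API group under the plural resource `nodes`, and RBAC has no `read` verb; the API server does not validate group, resource or verb names in a rule, so the manifest applies cleanly and the denial only surfaces at runtime. Change the rule to `apiGroups: [""]`, `resources: ["nodes"]`, `verbs: ["get"]`, adding `list`/`watch` only if node.go actually needs them, so the grant stays least-privilege. Separately, both documents use `rbac.authorization.k8s.io/v1beta1`, which is deprecated in favour of `rbac.authorization.k8s.io/v1`.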