Set base RBAC permissions for cluster.

This commit is contained in:
Jonas Juselius
2017-10-10 13:10:39 +02:00
parent 8a904384ef
commit 45845a7ea7
6 changed files with 73 additions and 0 deletions

73
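--- a/yaml/kube-rbac.yaml
+++ b/yaml/kube-rbac.yaml
+#
+# These RBAC permissions enable the cluster to operate, but restrict the default/default Service
+# The 'kube-admin' and 'kube-worker' users have full access
+# The 'kube-system/default' ServiceAccount has full access (used by the default kube-system Pods)
+# The 'default/default' ServiceAccount has no access, and so can only pull public or ECR images
+#
+#
+# ClusterRole's
+#
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+name: full-access
+rules:
+- apiGroups: ["*"]
+resources: ["*"]
+verbs: ["*"]
+- nonResourceURLs: ["*"]
+verbs: ["*"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+name: read-access
+rules:
+- apiGroups: ["*"]
+resources: ["*"]
+verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["*"]
+verbs: ["get", "list", "watch"]
+---
+#
+# ClusterRoleBindings's
+#
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+name: kube-admin
+subjects:
+- kind: User
+name: kube-admin
+roleRef:
+kind: ClusterRole
+name: full-access
+apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+name: kube-worker
+subjects:
+- kind: User
+name: kube-worker
+roleRef:
+kind: ClusterRole
+name: full-access
+apiGroup: rbac.authorization.k8s.io
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+metadata:
+name: system-default-service-account
+subjects:
+- kind: ServiceAccount
+namespace: kube-system
+name: default
+roleRef:
+kind: ClusterRole
+name: full-access
+apiGroup: rbac.authorization.k8s.io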
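Review bot: The `kube-worker` binding grants the node identity the same `full-access` (all apiGroups/resources/verbs plus all nonResourceURLs) as `kube-admin`, so a compromised kubelet credential is equivalent to cluster-admin; for kubelets the built-in `system:node` ClusterRole (or the Node authorizer with the `system:nodes` group) is the least-privilege choice, i.e. change the roleRef to `name: system:node`. The `system-default-service-account` binding has the same shape: every pod in kube-system that runs under the `default` ServiceAccount inherits cluster-wide write access, so per-component ServiceAccounts with scoped roles would be safer than binding the namespace default, and the header comment should say so rather than presenting it as intended. `full-access` duplicates the built-in `cluster-admin` ClusterRole, and `read-access` is defined but never bound — note that its `get/list/watch` on `*` still exposes Secrets, so it is not a low-privilege role. All objects use `rbac.authorization.k8s.io/v1alpha1`; the RBAC API is GA as `rbac.authorization.k8s.io/v1` since Kubernetes 1.8, and the alpha version is not served by newer clusters. The rendered view has lost indentation and shows 70 of the 73 added lines (the `@@ -0,0 +1,73 @@` header), so I assume the nested keys under `metadata`, `rules` items and `roleRef` are indented in the actual file and the missing lines are blank lines.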