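# These RBAC permissions enable the cluster to operate, but restrict the
# default/default ServiceAccount:
#   - The 'kube-admin' and 'kube-worker' users have full access
#   - The 'kube-system/default' ServiceAccount has full access (used by the
#     default kube-system Pods)
#   - The 'default/default' ServiceAccount has no bindings in this file, so any
#     API-server call it makes is denied. (RBAC does not govern image pulls;
#     public or ECR images still pull because that path never touches the API.)
#
# NOTE(review): 'full-access' is equivalent to the built-in 'cluster-admin'
# ClusterRole ('*' on every resource, verb and non-resource URL). Binding it to
# the single shared 'kube-worker' identity means one compromised node (kubelet
# credential) is a full cluster compromise; where the kubelets can be given
# per-node identities (user 'system:node:<name>', group 'system:nodes'), prefer
# the Node authorizer plus the NodeRestriction admission plugin instead.
# Binding it to kube-system/default grants cluster-admin to every Pod in
# kube-system that does not set its own serviceAccountName — scope those Pods
# to dedicated ServiceAccounts and Roles when possible.
#
# apiVersion is rbac.authorization.k8s.io/v1. This file originally used
# v1alpha1, which has been removed from the API server and is rejected on
# current clusters; the schema of the objects below is unchanged.
---
# ClusterRoles
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: full-access
rules:
  # Every API group, resource and verb ...
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  # ... and every non-resource URL (/healthz, /metrics, /api discovery, ...).
  - nonResourceURLs: ["*"]
    verbs: ["*"]
---
# Read-only counterpart of full-access. Nothing in this file binds it.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-access
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "list", "watch"]
---
# ClusterRoleBindings
#
# Cluster administrator identity -> cluster-admin-equivalent.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-admin
subjects:
  - kind: User
    name: kube-admin
    apiGroup: rbac.authorization.k8s.io  # the server default for User subjects, made explicit
roleRef:
  kind: ClusterRole
  name: full-access
  apiGroup: rbac.authorization.k8s.io
---
# Shared worker-node (kubelet) identity -> cluster-admin-equivalent.
# See the NOTE(review) at the top of the file before reusing this binding.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: kube-worker
subjects:
  - kind: User
    name: kube-worker
    apiGroup: rbac.authorization.k8s.io  # the server default for User subjects, made explicit
roleRef:
  kind: ClusterRole
  name: full-access
  apiGroup: rbac.authorization.k8s.io
---
# Default ServiceAccount of kube-system -> cluster-admin-equivalent.
# Applies to every kube-system Pod that does not set serviceAccountName.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: system-default-service-account
subjects:
  - kind: ServiceAccount
    namespace: kube-system
    name: default
roleRef:
  kind: ClusterRole
  name: full-access
  apiGroup: rbac.authorization.k8s.io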