rbac-config.yaml
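# Namespace that holds the KubeFATE service account and its credentials
# Secret. Nesting restored: "name" and "labels" belong under "metadata".
apiVersion: v1
kind: Namespace
metadata:
  name: kube-fate
  labels:
    name: kube-fate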
---
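# Service account the KubeFATE service runs as. Its effective permissions
# come from the ClusterRoleBinding "kubefate" in this file, which applies
# cluster-wide, so treat the account's token as a cluster-level credential.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubefate-admin
  namespace: kube-fate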
---
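# Grants ClusterRole "kubefate-role" to the kubefate-admin service account.
# Because this is a ClusterRoleBinding (not a namespaced RoleBinding), every
# rule in the role applies in all namespaces, including the Secret access.
# NOTE(review): if KubeFATE only manages a known set of namespaces, per-
# namespace RoleBindings would narrow this considerably - confirm with the
# deployment model before changing.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubefate
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubefate-role
subjects:
  - kind: ServiceAccount
    name: kubefate-admin
    namespace: kube-fate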
---
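# Credentials for the KubeFATE service and its MariaDB backend.
# SECURITY: the values below are committed defaults in which each password
# equals its username. Replace them before applying this manifest, or create
# the Secret out of band and keep real values out of version control.
# "stringData" is stored base64-encoded, not encrypted, unless the cluster
# has encryption at rest configured; anyone with get/list on Secrets in this
# namespace can read these values.
apiVersion: v1
kind: Secret
metadata:
  name: kubefate-secret
  namespace: kube-fate
type: Opaque
stringData:
  kubefateUsername: admin
  kubefatePassword: admin
  mariadbUsername: kubefate
  mariadbPassword: kubefate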
---
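# Pod security policy used by KubeFATE workloads.
# NOTE: PodSecurityPolicy (policy/v1beta1) was removed in Kubernetes 1.25;
# this document is rejected by newer API servers, where Pod Security
# Admission or an admission policy engine is the replacement.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: kubefate-psp
  # PodSecurityPolicy is cluster-scoped; this field does not confine the
  # policy to the kube-fate namespace.
  namespace: kube-fate
spec:
  # Only privileged containers are refused. Everything else below is
  # permissive: allowPrivilegeEscalation is not set to false here, pods may
  # run as any UID including root, and any volume type may be mounted.
  privileged: false
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    # RunAsAny permits UID 0; MustRunAsNonRoot is the restrictive choice.
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  volumes:
    # '*' allows every volume type, hostPath included. Listing only the
    # types the workloads need narrows node filesystem exposure.
    - '*'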
---
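# Permissions held by the KubeFATE service account. The role is bound with a
# ClusterRoleBinding in this file, so every rule applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubefate-role
  # ClusterRole is cluster-scoped; this field does not limit the rules to
  # the kube-fate namespace.
  namespace: kube-fate
rules:
  # Core resources KubeFATE creates and manages.
  # SECURITY: get/list on "secrets" cluster-wide exposes every Secret in
  # every namespace, including service-account tokens where they are stored
  # as Secrets. Create/delete on "namespaces" and "serviceaccounts" is also
  # cluster-wide. Review whether namespaced Roles would suffice.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - configmaps
      - services
      - secrets
      - persistentvolumeclaims
      - serviceaccounts
    verbs:
      - get
      - list
      - create
      - delete
      - update
      - patch
  # Read-only view of pods, their logs, and nodes.
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/log
      - nodes
    verbs:
      - get
      - list
  # Workload controllers.
  - apiGroups:
      - apps
    resources:
      - deployments
      - statefulsets
    verbs:
      - get
      - list
      - create
      - delete
      - update
      - patch
  # Ingress objects.
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - get
      - list
      - create
      - delete
      - update
      - patch
  # Istio routing objects.
  # NOTE(review): RBAC matches the plural resource name, and the Istio CRDs
  # are served as "gateways" and "virtualservices"; these singular entries
  # probably grant nothing. Confirm and correct if access is required.
  - apiGroups:
      - networking.istio.io
    resources:
      - gateway
      - virtualservice
    verbs:
      - get
      - create
      - delete
      - update
      - patch
  # SECURITY: "use" without resourceNames covers every PodSecurityPolicy,
  # and together with create/update/patch the account can define its own
  # policy. Restricting "use" via resourceNames (e.g. kubefate-psp) and
  # dropping the write verbs would keep pod security under admin control.
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    verbs:
      - get
      - use
      - create
      - delete
      - update
      - patch
  # Namespaced RBAC objects. The API server's escalation check limits what
  # this account can grant to permissions it already holds (no "escalate"
  # or "bind" verb is given), but that set is already broad per the rules
  # above.
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - roles
      - rolebindings
    verbs:
      - get
      - create
      - delete
      - update
      - patch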