---
# ClusterRoleBinding: attaches the ksa-wi-reader ClusterRole (defined in the
# next document) to the Workload Identity service account my-wi-ksa in the
# default namespace. Because this is a ClusterRoleBinding, the grant applies
# across every namespace; a namespaced RoleBinding would be the narrower choice
# if the workload only needs to read one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ksa-wi-reader-binding
subjects:
  - kind: ServiceAccount
    name: my-wi-ksa
    namespace: default
roleRef:
  kind: ClusterRole
  name: ksa-wi-reader
  apiGroup: rbac.authorization.k8s.io
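---
# ClusterRole: read-only (get/list/watch) permissions granted to my-wi-ksa via
# ksa-wi-reader-binding. Keys ordered apiVersion/kind to match the sibling
# documents in this file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ksa-wi-reader
rules:
  # Core ("") API group.
  # - "secrets" is included: get/list/watch on secrets at cluster scope lets
  #   this identity read the contents of every Secret in the cluster. Confirm
  #   the workload needs that before applying, or scope it to a namespace.
  # - "crontabs" is not a resource of the core group; if it refers to a CRD it
  #   must be listed under that CRD's own apiGroups entry, otherwise this
  #   item grants nothing.
  - apiGroups: [""]
    resources:
      - "namespaces"
      - "nodes"
      - "pods"
      - "secrets"
      - "services"
      - "configmaps"
      - "crontabs"
      - "persistentvolumes"
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "replicasets", "statefulsets"]  # intentionally left out 'deployments'
    verbs: ["get", "list", "watch"]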
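---
# ServiceAccount: the Kubernetes identity referenced by ksa-wi-reader-binding.
# The iam.gke.io annotation maps it to a GCP service account for GKE Workload
# Identity.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-wi-ksa
  namespace: default
  annotations:
    # Quoted: the value is templated (${project_id}) and must remain a plain
    # string however the substitution renders. The annotation by itself grants
    # no GCP access; the named GCP service account must also carry a
    # roles/iam.workloadIdentityUser binding for the member
    # serviceAccount:<project_id>.svc.id.goog[default/my-wi-ksa], which is
    # configured outside this manifest.
    iam.gke.io/gcp-service-account: "gcloud-user@${project_id}.iam.gserviceaccount.com"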