Consolidate RBAC for GitOps

kadras-io · Sep 8, 2023 · c655d30 · c655d30
1 parent c3578c3
commit c655d30
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 2 deletions.
diff --git a/package/config/setup-namespaces.yml b/package/config/setup-namespaces.yml
@@ -126,7 +126,7 @@ metadata:
 spec:
   fromNamespace: #@ data.values.git.secret.namespace
 
-#! RBAC
+#! Supply Chains RBAC
 
 ---
 apiVersion: v1
@@ -180,4 +180,27 @@ subjects:
   - kind: ServiceAccount
     name: #@ data.values.service_account
 
+#! GitOps RBAC
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitops-reconciler
+  namespace: #@ namespace.name
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gitops-reconciler
+  namespace: #@ namespace.name
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: gitops-reconciler
+
 #@ end
diff --git a/test/integration/default/01-assert.yaml b/test/integration/default/01-assert.yaml
@@ -53,7 +53,7 @@ metadata:
     tekton.dev/git-0: https://github.com
     kapp.k14s.io/create-strategy: fallback-on-update
 
-#! RBAC
+#! Supply Chains RBAC
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -101,3 +101,25 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: supply-chain
+
+#! GitOps RBAC
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: gitops-reconciler
+  namespace: test-default
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: gitops-reconciler
+  namespace: test-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: gitops-reconciler