create a restricted clusterrolebinding for ccm in manifest template
0xch4z committed Aug 3, 2021
1 parent 4604ec0 commit c0cd9d2
Showing 1 changed file with 32 additions and 3 deletions.
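--- a/deploy/ccm-linode-template.yaml
+++ b/deploy/ccm-linode-template.yaml
@@ -15,15 +15,44 @@ metadata:
 name: ccm-linode
 namespace: kube-system
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: ccm-linode-clusterrole
+rules:
+- apiGroups: [""]
+resources: ["endpoints"]
+verbs: ["get", "watch", "list", "update", "create"]
+- apiGroups: [""]
+resources: ["nodes"]
+verbs: ["get", "watch", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+resources: ["nodes/status"]
+verbs: ["get", "watch", "list", "update", "delete", "patch"]
+- apiGroups: [""]
+resources: ["events"]
+verbs: ["get", "watch", "list", "update", "create", "patch"]
+- apiGroups: [""]
+resources: ["persistentvolumes"]
+verbs: ["get", "watch", "list", "update"]
+- apiGroups: [""]
+resources: ["secrets"]
+verbs: ["get"]
+- apiGroups: [""]
+resources: ["services"]
+verbs: ["get", "watch", "list"]
+- apiGroups: [""]
+resources: ["services/status"]
+verbs: ["get", "watch", "list", "update", "patch"]
+---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-name: system:ccm-linode
+name: ccm-linode-clusterrolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
-# TODO: make these permissions more fine-grained
-name: cluster-admin
+name: ccm-linode-clusterrole
 subjects:
 - kind: ServiceAccount
 name: ccm-linode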
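Review bot: Renaming the binding from `system:ccm-linode` to `ccm-linode-clusterrolebinding` means that applying this template to a cluster deployed from the previous version creates a second binding and, unless something outside this hunk deletes the old one, leaves the `ccm-linode` ServiceAccount bound to `cluster-admin` there. I would add an upgrade comment above the ClusterRoleBinding, `# Upgrading: run "kubectl delete clusterrolebinding system:ccm-linode"; the old binding still grants cluster-admin to this ServiceAccount`. Separately, the `secrets` rule grants `get` with no `resourceNames` in a ClusterRole, so the controller can read any Secret in any namespace by name. If it only needs its own credentials Secret in `kube-system` (not visible in this hunk), a namespaced Role and RoleBinding with `resourceNames` would be tighter. The `subjects` entry continues past the end of the hunk.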
