From af078b2bf3d3184d6b6050a97bf07bcc0436e361 Mon Sep 17 00:00:00 2001
From: Eneko Fernandez
Date: Fri, 21 Oct 2022 10:26:09 +0100
Subject: [PATCH] add rbac leaf
---
 .../pentest-leaf/rbac/canary-reader.yaml | 43 +++++++++++++++++
 .../pentest-leaf/rbac/wego-admin.yaml | 46 +++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 eksctl-clusters/clusters/pentest-leaf/rbac/canary-reader.yaml
 create mode 100644 eksctl-clusters/clusters/pentest-leaf/rbac/wego-admin.yaml
diff --git a/eksctl-clusters/clusters/pentest-leaf/rbac/canary-reader.yaml b/eksctl-clusters/clusters/pentest-leaf/rbac/canary-reader.yaml
new file mode 100644
index 000000000..7838f56da
--- /dev/null
+++ b/eksctl-clusters/clusters/pentest-leaf/rbac/canary-reader.yaml
@@ -0,0 +1,43 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: canary-reader-role-binding
+subjects:
+ - kind: User
+ name: wego-admin
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: department-engineering-employees@weave.works # added for Google OIDC support
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: canary-reader
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: canary-reader
+rules:
+ - apiGroups: [""]
+ resources: ["events", "services"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["apps"]
+ resources: ["*"]
+ verbs: ["get", "list"]
+ - apiGroups: ["autoscaling"]
+ resources: ["*"]
+ verbs: ["get", "list"]
+ - apiGroups: ["flagger.app"]
+ resources: ["canaries", "metrictemplates"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: ["helmreleases"]
+ verbs: ["get", "list"]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: ["kustomizations"]
+ verbs: ["get", "list"]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: ["buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories"]
+ verbs: ["get", "list"]
diff --git a/eksctl-clusters/clusters/pentest-leaf/rbac/wego-admin.yaml b/eksctl-clusters/clusters/pentest-leaf/rbac/wego-admin.yaml
new file mode 100644
index 000000000..df0b61fca
--- /dev/null
+++ b/eksctl-clusters/clusters/pentest-leaf/rbac/wego-admin.yaml
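Review bot: The `apps` and `autoscaling` rules in the `canary-reader` ClusterRole use `resources: ["*"]`, which grants read on every current and future resource (and subresource) in those groups rather than the handful a canary reader needs, and this role is bound cluster-wide to the entire `department-engineering-employees@weave.works` group; prefer an explicit list such as `resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]` for apps and `resources: ["horizontalpodautoscalers"]` for autoscaling. The `flagger.app` and core rules include `watch` while the Flux `helm`/`kustomize`/`source` rules do not — if that asymmetry is deliberate it is worth a one-line comment, otherwise a consumer that watches those kinds will get a forbidden error. Cluster-wide `list` on `events` and `services` also exposes workload topology to every group member; presumably acceptable on a cluster named `pentest-leaf`, but a comment stating that intent (e.g. `# read-only; every engineering employee can see cluster topology`) would stop this file being copied to a production cluster unchanged.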
@@ -0,0 +1,46 @@
+#
+# https://docs.gitops.weave.works/docs/cluster-management/getting-started/#add-common-rbac-to-the-repo
+#
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: wego-admin-cluster-role-binding
+subjects:
+ - kind: User
+ name: wego-admin
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: department-engineering-employees@weave.works # added for Google OIDC support
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: wego-admin-cluster-role
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: wego-admin-cluster-role
+rules:
+ - apiGroups: [""]
+ resources: ["secrets", "pods"]
+ verbs: ["get", "list"]
+ - apiGroups: ["apps"]
+ resources: ["deployments", "replicasets"]
+ verbs: ["get", "list"]
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: ["kustomizations"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: ["helmreleases"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: ["buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories"]
+ verbs: ["get", "list", "patch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups: ["pac.weave.works"]
+ resources: ["policies"]
+ verbs: ["get", "list"]
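Review bot: The `wego-admin-cluster-role` rule `resources: ["secrets", "pods"]` with `verbs: ["get", "list"]` is attached through a ClusterRoleBinding to the whole `department-engineering-employees@weave.works` group, so every member can `list` the contents of every Secret in every namespace — Flux git/registry credentials and any token Secrets included — which on most clusters amounts to cluster-admin. The same binding also grants `patch` on Kustomizations, HelmReleases and all Flux sources cluster-wide; since the Flux controllers presumably run with elevated permissions, anyone who can patch a GitRepository `url` or a Kustomization `path`/`serviceAccountName` can get arbitrary manifests applied with the controller's rights, so the group is effectively being given write access to the cluster. If the goal is only for the Weave GitOps UI to read its own secrets, move the secrets rule into a namespaced Role in `flux-system` as below and keep the group out of the `patch`-capable ClusterRoleBinding, leaving the `wego-admin` user (or a much smaller operator group) as its only subject. The `# added for Google OIDC support` comment should then say which group carries which privilege so the next person does not re-widen it.
```yaml
rules:
  - apiGroups: [""]
    resources: ["pods"]  # secrets read moved to the namespaced Role below
    verbs: ["get", "list"]
# … unchanged: remaining ClusterRole rules (apps, Flux patch rules, events, policies) …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: wego-admin-secrets-reader
  namespace: flux-system
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: wego-admin-secrets-reader-binding
  namespace: flux-system
subjects:
  # deliberately only the admin user; add the OIDC group here only if every
  # member genuinely needs to read flux-system secrets
  - kind: User
    name: wego-admin
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: wego-admin-secrets-reader
  apiGroup: rbac.authorization.k8s.io
```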