From 3ae52c673431cbb0dbbd2fb835fb9ee3658c0b3e Mon Sep 17 00:00:00 2001
From: roczzhang
Date: Mon, 27 Nov 2023 15:24:49 +0800
Subject: [PATCH] Convergence RBAC permissions
---
 deploy/craned/rbac.yaml | 120 +++++++++++++++++++++++++++++++++++++---
 1 file changed, 113 insertions(+), 7 deletions(-)
diff --git a/deploy/craned/rbac.yaml b/deploy/craned/rbac.yaml
index aa62c04d2..16ec973aa 100644
--- a/deploy/craned/rbac.yaml
+++ b/deploy/craned/rbac.yaml
@@ -1,13 +1,119 @@
 apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: craned
+ namespace: crane-system
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resourceNames:
+ - craned
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - ""
+ resourceNames:
+ - clusters-secret-store
+ resources:
+ - secrets
+ verbs:
+ - get
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - patch
+ - update
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 name: craned
 rules:
- - apiGroups: [ '*' ]
- resources: [ '*' ]
- verbs: [ "*" ]
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - analysis.crane.io
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - apps
+ resources:
+ - daemonsets
+ - deployments
+ - deployments/scale
+ - statefulsets
+ - statefulsets/scale
+ verbs:
+ - get
+ - list
+ - watch
+ - update
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - '*'
+- apiGroups:
+ - autoscaling.crane.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+- apiGroups:
+ - prediction.crane.io
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: craned
+ namespace: crane-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: craned
+subjects:
+- kind: ServiceAccount
+ name: craned
+ namespace: crane-system
 ---
-
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -17,6 +123,6 @@ roleRef:
 kind: ClusterRole
 name: craned
 subjects:
- - kind: ServiceAccount
- name: craned
- namespace: crane-system
\ No newline at end of file
+- kind: ServiceAccount
+ name: craned
+ namespace: crane-system
\ No newline at end of file
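Review bot: The `apps` rule in the new ClusterRole still grants `update` on whole `daemonsets`, `deployments` and `statefulsets` in every namespace, so the `craned` service account can rewrite any workload's pod template (image, service account, host mounts) cluster-wide. That is far wider than the scale subresources listed beside them. If craned only changes replica counts, keep `get`/`list`/`watch` on the parent objects and move `update` to `deployments/scale` and `statefulsets/scale`, as sketched below; if it really must edit pod templates, a comment on the rule naming the controller that needs it would make the grant explicit. The `'*'` verbs on `horizontalpodautoscalers` and on the three crane.io groups also include `delete` and `deletecollection` and could be enumerated the same way. Confirm against the controllers' actual writes before tightening.

```yaml
# … unchanged: core-group read rule and analysis.crane.io rule …
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - statefulsets
  verbs:
  - get
  - list
  - watch
# Writes limited to the scale subresources (assumes craned only adjusts replicas).
- apiGroups:
  - apps
  resources:
  - deployments/scale
  - statefulsets/scale
  verbs:
  - get
  - update
# … unchanged: autoscaling, crane.io, events rules …
```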