Merge commit 'fe564d72279f4ab061b961dd528623f0ed272667' as 'cluster-config'
This commit is contained in:
@@ -0,0 +1,184 @@
|
||||
# ClusterRole to aggregate permissions needed to use respectRBAC
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: gitops-shared-cluster-access
|
||||
aggregationRule:
|
||||
clusterRoleSelectors:
|
||||
- matchLabels:
|
||||
gitops/aggregate-to-gitops-shared: "true"
|
||||
rules: []
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: gitops-shared-cluster-access-view
|
||||
labels:
|
||||
gitops/aggregate-to-gitops-shared: "true"
|
||||
# Use the aggrated view permission to determine what resources can be deployed.
|
||||
#
|
||||
# Note that write permissions for these resources in specific namespaces
|
||||
# are determined by the cluster role granted via the "managed-by" label.
|
||||
# You still need to grant the controller cluster level list permissions
|
||||
# to pass the SubjectAccessReview. The view role gives get and watch as well
|
||||
# so if you want to restrict permissions to just list you need to maintain
|
||||
# your own hand-crafted list which turns out to be burdensome.
|
||||
aggregationRule:
|
||||
clusterRoleSelectors:
|
||||
- matchLabels:
|
||||
rbac.authorization.k8s.io/aggregate-to-view: "true"
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: gitops-shared-cluster-access-base
|
||||
labels:
|
||||
gitops/aggregate-to-gitops-shared: "true"
|
||||
rules:
|
||||
# Base permissions the applicaton-controller needs for respectRBAC separate from resources
|
||||
# grant read/write permissions so Argo CD UI and controllers can update status of resources.
|
||||
- apiGroups:
|
||||
- argoproj.io
|
||||
resources:
|
||||
- applications
|
||||
- applicationsets
|
||||
- appprojects
|
||||
- rolloutmanagers
|
||||
- rollouts
|
||||
verbs:
|
||||
- "*"
|
||||
# SubjectAccessReview needed for respectRBAC=strict setting in Argo CD
|
||||
- apiGroups:
|
||||
- authorization.k8s.io
|
||||
resources:
|
||||
- selfsubjectaccessreviews
|
||||
verbs:
|
||||
- create
|
||||
# Needs ability to list projects for some reason
|
||||
- apiGroups:
|
||||
- config.openshift.io
|
||||
resources:
|
||||
- "*"
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
# Hand-crafted list of what we want to have Argo CD be able to use, turns
|
||||
# out list becomes huge and hard to maintain so I have opted to just leverage
|
||||
# the built-in view role. However if you want total control over permissions
|
||||
# you can use these instead
|
||||
# # Limited resource permissions here for tenants to deploy things
|
||||
# - apiGroups:
|
||||
# - ""
|
||||
# resources:
|
||||
# - configmaps
|
||||
# - endpoints
|
||||
# - persistentvolumeclaims
|
||||
# - persistentvolumeclaims/status
|
||||
# - pods
|
||||
# - replicationcontrollers
|
||||
# - replicationcontrollers/scale
|
||||
# - serviceaccounts
|
||||
# - services
|
||||
# - services/status
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
# - apiGroups:
|
||||
# - ""
|
||||
# resources:
|
||||
# - bindings
|
||||
# - events
|
||||
# - limitranges
|
||||
# - namespaces/status
|
||||
# - pods/log
|
||||
# - pods/status
|
||||
# - replicationcontrollers/status
|
||||
# - resourcequotas
|
||||
# - resourcequotas/status
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
# - apiGroups:
|
||||
# - apps
|
||||
# resources:
|
||||
# - controllerrevisions
|
||||
# - daemonsets
|
||||
# - daemonsets/status
|
||||
# - deployments
|
||||
# - deployments/scale
|
||||
# - deployments/status
|
||||
# - replicasets
|
||||
# - replicasets/scale
|
||||
# - replicasets/status
|
||||
# - statefulsets
|
||||
# - statefulsets/scale
|
||||
# - statefulsets/status
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
# - apiGroups:
|
||||
# - ""
|
||||
# - route.openshift.io
|
||||
# resources:
|
||||
# - routes
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
# - apiGroups:
|
||||
# - ""
|
||||
# - route.openshift.io
|
||||
# resources:
|
||||
# - routes/status
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
# - apiGroups:
|
||||
# - networking.k8s.io
|
||||
# resources:
|
||||
# - networkpolicies
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
# - apiGroups:
|
||||
# - rbac.authorization.k8s.io
|
||||
# resources:
|
||||
# - roles
|
||||
# - rolebindings
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
# - apiGroups:
|
||||
# - monitoring.coreos.com
|
||||
# resources:
|
||||
# - servicemonitors
|
||||
# verbs:
|
||||
# - get
|
||||
# - list
|
||||
# - watch
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: gitops-shared-cluster-access
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: gitops-shared-cluster-access
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: argocd-argocd-application-controller
|
||||
namespace: gitops
|
||||
- kind: ServiceAccount
|
||||
name: argocd-argocd-server
|
||||
namespace: gitops
|
||||
- kind: ServiceAccount
|
||||
name: argocd-applicationset-controller
|
||||
namespace: gitops
|
||||
Reference in New Issue
Block a user