Open terinjokes opened 5 years ago
I'm deploying Faros per namespace, which are used by individual product teams.The RBAC rules ends up looking like the following:
apiVersion: v1
kind: ServiceAccount
metadata:
name: faros
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: faros-rw
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- persistentvolumeclaims
- pods
- replicationcontrollers
- replicationcontrollers/scale
- secrets
- serviceaccounts
- services
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- apps
resources:
- controllerrevisions
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- replicasets
- replicasets/scale
- statefulsets
- statefulsets/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
- scheduledjobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- deployments/rollback
- deployments/scale
- ingresses
- replicasets
- replicasets/scale
- replicationcontrollers/scale
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- faros.pusher.com
resources:
- gittracks
verbs:
- get
- list
- watch
- update
- patch
- apiGroups:
- faros.pusher.com
resources:
- gittrackobjects
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: faros
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: faros
subjects:
- kind: ServiceAccount
name: faros
The following cluster-level RBAC rules are required because of #138.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: faros-ro
rules:
- apiGroups:
- faros.pusher.com
resources:
- clustergittrackobjects
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: product-faros-ro
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: faros-ro
subjects:
- kind: ServiceAccount
name: faros
namespace: product
While it will be impossible for us to define all the RBAC rules for any individual cluster, I think we should provide more reasonable defaults. I think the current recommendations run counter to what Faros should be promoting.