@ericchiang
Created April 20, 2017 05:09
# Create a service account for the federated control plane. It lives in
# kube-system, which is the namespace the RoleBindings below name in their
# subjects; the two must agree or the bindings resolve to no identity at all.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: federated-controller-1
---
# These are the two namespaces we're going to give the federated control plane
# access to. We could explicitly grant it the ability to create only these
# namespaces, but that'd be an extra ClusterRole and ClusterRoleBinding. Instead
# just create the namespaces for it.
apiVersion: v1
kind: Namespace
metadata:
  name: federated-ns-1
---
apiVersion: v1
kind: Namespace
metadata:
  name: federated-ns-2
---
# General role for federated controllers. A ClusterRole is not itself
# namespaced; the scoping comes from binding it with per-namespace RoleBindings
# below instead of a ClusterRoleBinding. The `namespaces` resource is left out
# on purpose so the controller cannot create namespaces beyond the ones above.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: federated-controllers
rules:
- apiGroups: [""]
  resources:
  - configmaps
  - secrets
  verbs: ["*"]
# daemonsets and replicasets are not core-group resources; at this API level
# they live in the extensions group with deployments and ingresses. A rule
# without verbs grants nothing, so every rule needs a verbs list.
- apiGroups: ["extensions"]
  resources:
  - daemonsets
  - replicasets
  - deployments
  - ingresses
  verbs: ["*"]
---
# Create role bindings in each namespace to grant powers in those namespaces.
# A RoleBinding only ever grants access inside its own namespace, even when it
# references a ClusterRole, so the rules above take effect in federated-ns-1
# and federated-ns-2 and nowhere else.
#
# Since the only difference is the namespace, it'd be easy to generate these.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: federated-controller-1
  namespace: federated-ns-1
subjects:
- kind: ServiceAccount
  name: federated-controller-1
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: federated-controllers
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: federated-controller-1
  namespace: federated-ns-2
subjects:
- kind: ServiceAccount
  name: federated-controller-1
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: federated-controllers
---
# Now we can apply resource quotas and pod security policies to those namespaces.
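The scoping this manifest relies on (a ClusterRole reaching only the namespaces that carry a RoleBinding for it) is easy to check on a live cluster with `kubectl auth can-i --as=system:serviceaccount:kube-system:federated-controller-1`. The following is an added example, not code from the gist or from Kubernetes: a small offline model of that decision over the gist's objects written as plain dicts, with a helper that flags binding subjects naming a ServiceAccount the manifests never define. The `MANIFESTS` input is constructed here, and the model assumes no resourceNames, subresources, nonResourceURLs or role aggregation, with an unset namespace defaulting to "default".

```python
"""Offline model of the RBAC check behind `kubectl auth can-i`, for the gist's
manifests. Added example, not Kubernetes code. Assumptions: no resourceNames,
subresources, nonResourceURLs or aggregation; an unset namespace on a namespaced
object means "default"."""
from typing import Iterable, List, Optional


def _role_binding(namespace: str) -> dict:
    # One of the two per-namespace bindings from the gist, as a dict.
    return {
        "kind": "RoleBinding",
        "metadata": {"name": "federated-controller-1", "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": "federated-controller-1",
                      "namespace": "kube-system"}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": "federated-controllers"},
    }


# Constructed input: the gist's objects after the fixes (SA in kube-system,
# daemonsets/replicasets in the extensions group, verbs on every rule).
MANIFESTS: List[dict] = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "federated-controller-1", "namespace": "kube-system"}},
    {"kind": "ClusterRole",
     "metadata": {"name": "federated-controllers"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]},
         {"apiGroups": ["extensions"],
          "resources": ["daemonsets", "replicasets", "deployments", "ingresses"],
          "verbs": ["*"]},
     ]},
    _role_binding("federated-ns-1"),
    _role_binding("federated-ns-2"),
]


def original_gist_manifests() -> List[dict]:
    """The gist as first posted: the SA in `default`, bindings naming kube-system."""
    broken = list(MANIFESTS)
    broken[0] = {"kind": "ServiceAccount",
                 "metadata": {"name": "federated-controller-1", "namespace": "default"}}
    return broken


def _ns(obj: dict) -> str:
    return obj["metadata"].get("namespace", "default")


def _matches(wanted: str, allowed: Iterable[str]) -> bool:
    return any(a in ("*", wanted) for a in allowed)


def _rule_allows(rule: dict, verb: str, group: str, resource: str) -> bool:
    return (_matches(group, rule.get("apiGroups", []))
            and _matches(resource, rule.get("resources", []))
            and _matches(verb, rule.get("verbs", [])))


def _binds_service_account(binding: dict, sa_namespace: str, sa_name: str) -> bool:
    # The subject's namespace must be the namespace the ServiceAccount lives in.
    return any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
               and s.get("namespace", "default") == sa_namespace
               for s in binding.get("subjects", []))


def _referenced_rules(manifests: List[dict], binding: dict) -> List[dict]:
    ref = binding["roleRef"]
    for obj in manifests:
        if obj["kind"] != ref["kind"] or obj["metadata"]["name"] != ref["name"]:
            continue
        # A Role is only reachable from a RoleBinding in the same namespace.
        if ref["kind"] == "Role" and (binding["kind"] != "RoleBinding"
                                      or _ns(obj) != _ns(binding)):
            continue
        return obj.get("rules", [])
    return []  # a dangling roleRef grants nothing


def can_i(manifests: List[dict], sa_namespace: str, sa_name: str, verb: str,
          resource: str, namespace: Optional[str], group: str = "") -> bool:
    """May system:serviceaccount:<sa_namespace>:<sa_name> <verb> <resource> in
    apiGroup <group> within <namespace>? namespace=None is a cluster-scoped request."""
    for binding in manifests:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not _binds_service_account(binding, sa_namespace, sa_name):
            continue
        # A RoleBinding grants its rules only inside its own namespace, even when
        # the roleRef is a ClusterRole: that is the scoping the gist relies on.
        if binding["kind"] == "RoleBinding" and namespace != _ns(binding):
            continue
        if any(_rule_allows(r, verb, group, resource)
               for r in _referenced_rules(manifests, binding)):
            return True
    return False


def dangling_service_account_subjects(manifests: List[dict]) -> List[str]:
    """Binding subjects that name a ServiceAccount the manifests do not define."""
    defined = {(_ns(o), o["metadata"]["name"])
               for o in manifests if o["kind"] == "ServiceAccount"}
    dangling = []
    for binding in manifests:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        for s in binding.get("subjects", []):
            ns = s.get("namespace", "default")
            if s.get("kind") == "ServiceAccount" and (ns, s["name"]) not in defined:
                dangling.append(f"{binding['kind']}/{binding['metadata']['name']}: "
                                f"system:serviceaccount:{ns}:{s['name']}")
    return dangling
```

With the corrected manifests, `can_i(MANIFESTS, "kube-system", "federated-controller-1", "create", "secrets", "federated-ns-1")` is true while the same call against `default`, `kube-system` or a cluster-scoped request (`None`) is false, and `create namespaces` is denied everywhere. Run `dangling_service_account_subjects(original_gist_manifests())` to see both RoleBindings flagged for the original default/kube-system mismatch; the real API server accepts such bindings silently, which is why this check is worth running before applying.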