# Namespaces used by the demo. The RoleBindings later in this file attach the
# pseudo-admin group to most of them (sock-shop gets the narrower role).
apiVersion: v1
kind: Namespace
metadata:
  name: sock-shop
---
apiVersion: v1
kind: Namespace
metadata:
  name: polaris
---
apiVersion: v1
kind: Namespace
metadata:
  name: falco
---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
apiVersion: v1
kind: Namespace
metadata:
  name: amazon-cloudwatch
---
apiVersion: v1
kind: Namespace
metadata:
  name: gatekeeper
---
apiVersion: v1
kind: Namespace
metadata:
  name: security-profiles-operator
---
apiVersion: v1
kind: Namespace
metadata:
  name: seccomp-test
---
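# Broad ClusterRole: every verb ('*') on every resource listed below.
# In this file it is attached to the pseudo-admin group only through
# namespaced RoleBindings, so its effect is limited to those namespaces;
# a RoleBinding cannot grant the cluster-scoped resources listed here
# (nodes, namespaces, persistentvolumes, clusterroles, CRDs, ...).
# Review points for anyone reusing this role:
#   - '*' includes 'bind' and 'escalate' on roles/rolebindings, and full
#     read/write on secrets and serviceaccounts; enumerate verbs if that
#     scope is not intended.
#   - the 'creationTimestamp: null' left behind by 'kubectl ... --dry-run'
#     has been dropped, and the two separate 'batch' rules (jobs, cronjobs)
#     with identical verbs have been merged; permissions are unchanged.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: allow-all-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - componentstatuses
      - pods
      - endpoints
      - events
      - limitranges
      - bindings
      - persistentvolumes
      - nodes
      - replicationcontrollers
      - podtemplates
      - secrets
      - services
      - configmaps
      - resourcequotas
      - serviceaccounts
      - persistentvolumeclaims
      - namespaces
    verbs:
      - '*'
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - '*'
  - apiGroups:
      - apps
    resources:
      - deployments
      - controllerrevisions
      - replicasets
      - daemonsets
      - statefulsets
    verbs:
      - '*'
  - apiGroups:
      - events.k8s.io
    resources:
      - events
    verbs:
      - '*'
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - '*'
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
      - subjectaccessreviews
      - selfsubjectrulesreviews
      - selfsubjectaccessreviews
    verbs:
      - '*'
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - '*'
  # jobs and cronjobs were two rules with the same verbs; one rule is equivalent
  - apiGroups:
      - batch
    resources:
      - jobs
      - cronjobs
    verbs:
      - '*'
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - '*'
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
      - networkpolicies
    verbs:
      - '*'
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - '*'
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
      - poddisruptionbudgets
    verbs:
      - '*'
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
      - clusterrolebindings
      - clusterroles
    verbs:
      - '*'
  - apiGroups:
      - storage.k8s.io
    resources:
      - csinodes
      - storageclasses
      - volumeattachments
      - csidrivers
    verbs:
      - '*'
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - mutatingwebhookconfigurations
      - validatingwebhookconfigurations
    verbs:
      - '*'
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - '*'
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - '*'
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - '*'
  - apiGroups:
      - node.k8s.io
    resources:
      - runtimeclasses
    verbs:
      - '*'
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - '*'
  - apiGroups:
      - flowcontrol.apiserver.k8s.io
    resources:
      - prioritylevelconfigurations
      - flowschemas
    verbs:
      - '*'
  # Gatekeeper and AWS controller CRDs follow; they only matter where those
  # CRDs are installed.
  - apiGroups:
      - config.gatekeeper.sh
    resources:
      - configs
    verbs:
      - '*'
  - apiGroups:
      - crd.k8s.amazonaws.com
    resources:
      - eniconfigs
    verbs:
      - '*'
  - apiGroups:
      - eks.services.k8s.aws
    resources:
      - clusters
      - fargateprofiles
      - nodegroups
      - addons
    verbs:
      - '*'
  - apiGroups:
      - elbv2.k8s.aws
    resources:
      - targetgroupbindings
      - ingressclassparams
    verbs:
      - '*'
  - apiGroups:
      - mutations.gatekeeper.sh
    resources:
      - assignmetadata
      - assign
    verbs:
      - '*'
  - apiGroups:
      - services.k8s.aws
    resources:
      - adoptedresources
    verbs:
      - '*'
  - apiGroups:
      - templates.gatekeeper.sh
    resources:
      - constrainttemplates
    verbs:
      - '*'
  - apiGroups:
      - status.gatekeeper.sh
    resources:
      - constraintpodstatuses
      - constrainttemplatepodstatuses
      - mutatorpodstatuses
    verbs:
      - '*'
  - apiGroups:
      - vpcresources.k8s.aws
    resources:
      - securitygrouppolicies
    verbs:
      - '*'
  - apiGroups:
      - metrics.k8s.io
    resources:
      - nodes
      - pods
    verbs:
      - '*'
---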
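# Variant of allow-all-cluster-role without '*' on secrets. RBAC is
# allow-only, so "deny" here just means "not granted"; the role is bound to
# the pseudo-admin group in sock-shop only.
# NOTE(review): the final rule still grants 'list' on secrets. A list
# response carries the full Secret objects, including 'data', so this role
# does not hide secret values; drop the rule (or the whole resource) if the
# intent is to keep them unreadable. The split 'policy' and 'storage.k8s.io'
# rules with identical verbs have been merged; permissions are unchanged.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deny-secrets-cluster-role
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - endpoints
      - replicationcontrollers
      - services
      - bindings
      - nodes
      - persistentvolumeclaims
      - podtemplates
      - persistentvolumes
      - resourcequotas
      - configmaps
      - events
      - componentstatuses
      - limitranges
      - namespaces
      - pods
    verbs:
      - '*'
  - apiGroups:
      - apiregistration.k8s.io
    resources:
      - apiservices
    verbs:
      - '*'
  - apiGroups:
      - apps
    resources:
      - replicasets
      - deployments
      - controllerrevisions
      - daemonsets
      - statefulsets
    verbs:
      - '*'
  - apiGroups:
      - events.k8s.io
    resources:
      - events
    verbs:
      - '*'
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - '*'
  - apiGroups:
      - authorization.k8s.io
    resources:
      - selfsubjectaccessreviews
      - localsubjectaccessreviews
      - selfsubjectrulesreviews
      - subjectaccessreviews
    verbs:
      - '*'
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - '*'
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - '*'
  - apiGroups:
      - certificates.k8s.io
    resources:
      - certificatesigningrequests
    verbs:
      - '*'
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
      - networkpolicies
    verbs:
      - '*'
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - '*'
  # poddisruptionbudgets and podsecuritypolicies were two rules; merged
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - podsecuritypolicies
    verbs:
      - '*'
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - clusterroles
      - roles
      - clusterrolebindings
      - rolebindings
    verbs:
      - '*'
  # csistoragecapacities was a separate storage.k8s.io rule; merged
  - apiGroups:
      - storage.k8s.io
    resources:
      - volumeattachments
      - csinodes
      - csidrivers
      - storageclasses
      - csistoragecapacities
    verbs:
      - '*'
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - '*'
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - '*'
  - apiGroups:
      - scheduling.k8s.io
    resources:
      - priorityclasses
    verbs:
      - '*'
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - '*'
  - apiGroups:
      - node.k8s.io
    resources:
      - runtimeclasses
    verbs:
      - '*'
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - '*'
  - apiGroups:
      - flowcontrol.apiserver.k8s.io
    resources:
      - flowschemas
      - prioritylevelconfigurations
    verbs:
      - '*'
  - apiGroups:
      - crd.k8s.amazonaws.com
    resources:
      - eniconfigs
    verbs:
      - '*'
  - apiGroups:
      - vpcresources.k8s.aws
    resources:
      - securitygrouppolicies
    verbs:
      - '*'
  # Secrets: 'list' only, but see the note at the top of this document.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - 'list'
---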
# Cluster-scoped companion to the namespaced bindings: covers resources that
# a RoleBinding cannot reach. Bound cluster-wide to pseudo-admin below.
# NOTE(review): "*" on clusterroles/clusterrolebindings includes 'bind' and
# 'escalate', so the group can grant itself any ClusterRole (cluster-admin
# included). Enumerate verbs if that is not the intent.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: catch-all
rules:
  - apiGroups: [""]
    resources: [namespaces, nodes]
    verbs: ["*"]
  - apiGroups: [admissionregistration.k8s.io]
    resources: [mutatingwebhookconfigurations, validatingwebhookconfigurations]
    verbs: ["*"]
  - apiGroups: [apiextensions.k8s.io]
    resources: [customresourcedefinitions]
    verbs: ["*"]
  - apiGroups: [rbac.authorization.k8s.io]
    resources: [clusterrolebindings, clusterroles]
    verbs: ["*"]
---
# Grants allow-all-cluster-role to the pseudo-admin group inside kube-system.
# Because that role has '*' on secrets, this is read/write on the control
# plane's own secrets in that namespace; worth a second look before reuse.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: kube-system
  name: allow-all-kube-system
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to amazon-cloudwatch.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: amazon-cloudwatch
  name: allow-all-amazon-cloudwatch
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to the default namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: allow-all-default
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to cert-manager
# (note: that namespace normally holds issuer credentials as secrets).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: cert-manager
  name: allow-all-cert-manager
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to falco.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: falco
  name: allow-all-falco
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to gatekeeper.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: gatekeeper
  name: allow-all-gatekeeper
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to polaris.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: polaris
  name: allow-all-polaris
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to
# security-profiles-operator.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: security-profiles-operator
  name: allow-all-security-profiles-operator
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# allow-all-cluster-role for the pseudo-admin group, scoped to seccomp-test.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: seccomp-test
  name: allow-all-seccomp-test
roleRef:
  kind: ClusterRole
  name: allow-all-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# The one namespace that gets the narrower role: sock-shop is bound to
# deny-secrets-cluster-role instead of allow-all-cluster-role.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: sock-shop
  name: deny-secrets
roleRef:
  kind: ClusterRole
  name: deny-secrets-cluster-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io
---
# Cluster-wide binding of the catch-all ClusterRole to the pseudo-admin group.
# This is the only ClusterRoleBinding in the file; everything else is
# namespace-scoped. Since catch-all carries '*' on clusterroles and
# clusterrolebindings, this binding effectively lets the group widen its own
# cluster-level permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: catch-all
roleRef:
  kind: ClusterRole
  name: catch-all
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: Group
    name: pseudo-admin
    apiGroup: rbac.authorization.k8s.io