Created
March 25, 2020 16:03
---
# ServiceAccount that Jenkins authenticates as, created here in kube-system.
# If the RoleBinding approach (see below) is used, one ServiceAccount has to
# be created in each namespace instead.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins
  namespace: kube-system
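---
# Privileges that can be referenced by RoleBindings (namespace scoped) or
# ClusterRoleBindings (cluster scoped).
#
# create on pods and workload controllers is a strong grant: the holder can
# start workloads that use other ServiceAccounts and Secrets in every
# namespace the binding covers, so keep the binding scope as narrow as
# possible.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: jenkins
rules:
  # pods belong to the core API group, which is written as "".
  - apiGroups: [""]
    resources:
      - pods
    verbs:
      - create
      - get
      - list
      - watch
  # deployments and statefulsets are served by the "apps" group. Listed under
  # "" they match no resource, so the rule would grant nothing for them.
  - apiGroups: ["apps"]
    resources:
      - deployments
      - statefulsets
    verbs:
      - create
      - get
      - list
      - watch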
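---
# Give one service account, per namespace, the ability to operate on just its
# own namespace. This requires a ServiceAccount and a RoleBinding in every
# namespace, but is the more secure option.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins
  # Placeholder: replace with the namespace Jenkins may operate in.
  namespace: todo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  # This file defines a ClusterRole named jenkins and no Role of that name.
  # A RoleBinding may reference a ClusterRole; the grant is still limited to
  # the RoleBinding's own namespace.
  kind: ClusterRole
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
    # namespace is required for ServiceAccount subjects. It is set to the
    # binding's namespace so that each account stays confined to its own
    # namespace; a jenkins ServiceAccount must exist there.
    namespace: todo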
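---
# Alternative to the per-namespace RoleBinding: give the one jenkins
# ServiceAccount in kube-system the ability to operate across the cluster.
# Every namespace is covered, so prefer the RoleBinding where possible.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Bind the jenkins ClusterRole defined in this file. Do not bind
  # system:node here: that built-in role is meant for kubelets and carries
  # permissions well beyond the pod and workload verbs a CI account needs.
  name: jenkins
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: kube-system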