@konstan
Created May 28, 2024 07:36
Roles and ClusterRoles definitions for NuvlaEdge (experiment)
# Namespaced Roles and RoleBindings. The namespace placeholder is filled in
# before the manifest is applied.
# - Every RoleBinding names the "default" ServiceAccount of the "default"
#   namespace as its subject, so that account receives the rights inside the
#   target namespace.
# - serviceaccount-getter allows "get" on resources ["*"] of the core API
#   group, which covers every core resource (Secrets included), not only
#   ServiceAccounts.
ROLES_MANIFEST = '''
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {namespace}
  name: serviceaccount-getter
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: serviceaccount-getter-binding
  namespace: {namespace}
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: serviceaccount-getter
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {namespace}
  name: secret-creator
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-creator-binding
  namespace: {namespace}
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: secret-creator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {namespace}
  name: resource-creator
rules:
- apiGroups: [""]
  resources: ["serviceaccounts", "services"]
  verbs: ["create"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: resource-creator-binding
  namespace: {namespace}
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: resource-creator
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: {namespace}
  name: deployment-getter
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: deployment-getter-binding
  namespace: {namespace}
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: deployment-getter
  apiGroup: rbac.authorization.k8s.io
'''
# Cluster-wide right to create namespaces, granted to the "default"
# ServiceAccount of the target namespace and of the "default" namespace.
# ClusterRoleBinding names are unique cluster-wide, so two bindings both
# called namespace-creator-binding cannot coexist; a single binding carries
# both subjects, and the ClusterRole is defined once.
CLUSTER_ROLES_MANIFEST = '''
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-creator
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: namespace-creator-binding
subjects:
- kind: ServiceAccount
  name: default
  namespace: {namespace}
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: ClusterRole
  name: namespace-creator
  apiGroup: rbac.authorization.k8s.io
'''
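
A stdlib-only review check for manifests in this layout, added here as an example and not part of the gist or the NuvlaEdge project: it flags wildcard resources, RoleBinding subjects that come from another namespace, and objects defined more than once under the same name. The `SAMPLE` text, the namespace `edge`, and the helper names `parse` and `audit` are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample: two documents in the gist's layout, rendered for a made-up namespace "edge".
SAMPLE = '''apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: edge
  name: serviceaccount-getter
rules:
- apiGroups: [""]
  resources: ["*"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: serviceaccount-getter-binding
  namespace: edge
subjects:
- kind: ServiceAccount
  name: default
  namespace: default
roleRef:
  kind: Role
  name: serviceaccount-getter
  apiGroup: rbac.authorization.k8s.io
'''

def parse(doc):  # line scanner for this flat, flow-list layout; not a general YAML parser
    obj, section = {}, None
    for raw in filter(str.strip, doc.splitlines()):
        key, _, val = (s.strip() for s in raw.strip().lstrip("- ").partition(":"))
        if raw[0] not in " -#":  # unindented key opens a section (kind, metadata, rules, ...)
            section, obj[key] = key, val
        elif raw.lstrip()[0] != "#":  # nested key or list item; flow lists parse as JSON
            obj.setdefault(f"{section}.{key}", []).append(json.loads(val) if val[:1] == "[" else val)
    return obj

def audit(text):  # review findings for a rendered multi-document RBAC manifest
    docs = [parse(d) for d in text.split("\n---\n") if d.strip()]
    ids = [(d["kind"], d.get("metadata.namespace", [""])[0], d["metadata.name"][0]) for d in docs]
    out = [f"duplicate {k} {n}" for (k, _, n), c in Counter(ids).items() if c > 1]
    for d, (kind, ns, name) in zip(docs, ids):
        if any("*" in r for r in d.get("rules.resources", [])):
            out.append(f"wildcard resources in {name}")
        if kind == "RoleBinding" and any(s != ns for s in d.get("subjects.namespace", [])):
            out.append(f"cross-namespace subject in {name}")
    return out
```

`audit(SAMPLE)` reports the wildcard rule and the binding whose subject lives in `default` rather than `edge`; each finding is a prompt for review, since a cross-namespace subject can be intentional.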

konstan commented May 28, 2024

It was part of this PR nuvla/job-engine#354