nicerobot/ambassador-rbac.yaml

## ambassador-rbac.yaml
---
apiVersion: v1
kind: Service
metadata:
  labels:
    service: ambassador-admin
  name: ambassador-admin
spec:
  type: NodePort
  ports:
  - name: ambassador-admin
    port: 8877
    targetPort: 8877
  selector:
    service: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: ambassador
rules:
- apiGroups: [""]
  resources:
  - services
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources:
  - configmaps
  verbs: ["create", "update", "patch", "get", "list", "watch"]
- apiGroups: [""]
  resources:
  - secrets
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ambassador
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: ambassador
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ambassador
subjects:
- kind: ServiceAccount
  name: ambassador
  namespace: default
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: ambassador
spec:
  replicas: 1
  template:
    metadata:
      labels:
        service: ambassador
    spec:
      serviceAccountName: ambassador
      containers:
      - name: ambassador
        image: datawire/ambassador:0.21.0
        imagePullPolicy: Always
        resources:
          limits:
            cpu: 1
            memory: 400Mi
          requests:
            cpu: 200m
            memory: 100Mi
        env:
        - name: AMBASSADOR_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        livenessProbe:
          httpGet:
            path: /ambassador/v0/check_alive
            port: 8877
          initialDelaySeconds: 3
          periodSeconds: 3
        readinessProbe:
          httpGet:
            path: /ambassador/v0/check_ready
            port: 8877
          initialDelaySeconds: 3
          periodSeconds: 3
      - name: statsd-sink
        image: datawire/prom-statsd-exporter:0.6.0
      restartPolicy: Always
	---
	apiVersion: v1
	kind: Service
	metadata:
	labels:
	service: ambassador-admin
	name: ambassador-admin
	spec:
	type: NodePort
	ports:
	- name: ambassador-admin
	port: 8877
	targetPort: 8877
	selector:
	service: ambassador
	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRole
	metadata:
	name: ambassador
	rules:
	- apiGroups: [""]
	resources:
	- services
	verbs: ["get", "list", "watch"]
	- apiGroups: [""]
	resources:
	- configmaps
	verbs: ["create", "update", "patch", "get", "list", "watch"]
	- apiGroups: [""]
	resources:
	- secrets
	verbs: ["get", "list", "watch"]
	---
	apiVersion: v1
	kind: ServiceAccount
	metadata:
	name: ambassador
	---
	apiVersion: rbac.authorization.k8s.io/v1beta1
	kind: ClusterRoleBinding
	metadata:
	name: ambassador
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: ambassador
	subjects:
	- kind: ServiceAccount
	name: ambassador
	namespace: default
	---
	apiVersion: extensions/v1beta1
	kind: Deployment
	metadata:
	name: ambassador
	spec:
	replicas: 1
	template:
	metadata:
	labels:
	service: ambassador
	spec:
	serviceAccountName: ambassador
	containers:
	- name: ambassador
	image: datawire/ambassador:0.21.0
	imagePullPolicy: Always
	resources:
	limits:
	cpu: 1
	memory: 400Mi
	requests:
	cpu: 200m
	memory: 100Mi
	env:
	- name: AMBASSADOR_NAMESPACE
	valueFrom:
	fieldRef:
	fieldPath: metadata.namespace
	livenessProbe:
	httpGet:
	path: /ambassador/v0/check_alive
	port: 8877
	initialDelaySeconds: 3
	periodSeconds: 3
	readinessProbe:
	httpGet:
	path: /ambassador/v0/check_ready
	port: 8877
	initialDelaySeconds: 3
	periodSeconds: 3
	- name: statsd-sink
	image: datawire/prom-statsd-exporter:0.6.0
	restartPolicy: Always