This repository has been archived by the owner on Oct 13, 2021. It is now read-only.
Better RBAC defaults #140
I'm deploying Faros per namespace, which are used by individual product teams. The RBAC rules end up looking like the following:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: faros
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: faros-rw
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  - scheduledjobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - faros.pusher.com
  resources:
  - gittracks
  verbs:
  - get
  - list
  - watch
  - update
  - patch
- apiGroups:
  - faros.pusher.com
  resources:
  - gittrackobjects
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: faros
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  # Must reference the Role defined above; the snippet as posted said "faros",
  # which no Role in it defines, so the binding would grant nothing.
  name: faros-rw
subjects:
- kind: ServiceAccount
  name: faros
```

The following cluster-level RBAC rules are required because of #138.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: faros-ro
rules:
- apiGroups:
  - faros.pusher.com
  resources:
  - clustergittrackobjects
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: product-faros-ro
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: faros-ro
subjects:
- kind: ServiceAccount
  name: faros
  namespace: product
```
While it will be impossible for us to define all the RBAC rules for any individual cluster, I think we should provide more reasonable defaults. I think the current recommendations run counter to what Faros should be promoting.
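The issue's point is that a per-namespace Faros service account ends up with full write access to Secrets, ServiceAccounts, Roles and RoleBindings, which is far more than "apply manifests from git" needs. The script below is an added example, not code from the Faros project or from the issue: it audits a Role's `rules:` list for write verbs on a small set of resources whose write access widens a controller's blast radius. The `faros-rw` rules are transcribed from the issue (the apps, batch, extensions, autoscaling and networking rules are omitted because they add no finding under this audit); the `SENSITIVE` table, the `WRITE_VERBS` set and the narrowed rule set are this example's own assumptions, not anything Faros defines or recommends.

```python
"""Audit namespaced RBAC PolicyRules for grants a least-privilege review should question.

Added example (not part of Faros or the original issue). The rule list below is
transcribed from the `faros-rw` Role in the issue; the sensitive-resource table
and the write-verb set are assumptions made for this audit.
"""

# Verbs that change state. "*" is treated as a write because it includes them.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

# (apiGroup, resource) pairs whose write access goes beyond deploying workloads.
# This list is an assumption of the example; extend it to fit the cluster's policy.
SENSITIVE = {
    ("", "secrets"): "full write access to every Secret in the namespace",
    ("", "serviceaccounts"): "can create or modify the ServiceAccounts pods run as",
    ("rbac.authorization.k8s.io", "roles"): "can change Role definitions in the namespace",
    ("rbac.authorization.k8s.io", "rolebindings"): "can grant namespace permissions to subjects",
}


def audit_rules(rules):
    """Return (apiGroup, resource, reason) findings for a list of PolicyRule dicts.

    Each dict has the shape of one entry under `rules:` in a Role manifest
    (`apiGroups`, `resources`, `verbs`). Wildcard groups, resources or verbs are
    always reported; otherwise only write verbs on SENSITIVE pairs are reported.
    """
    findings = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        writes = verbs & WRITE_VERBS
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                if group == "*" or resource == "*" or "*" in verbs:
                    findings.append((group, resource, "wildcard grant"))
                    continue
                if not writes:
                    continue  # read-only grants are out of scope for this audit
                reason = SENSITIVE.get((group, resource))
                if reason:
                    findings.append((group, resource, reason))
    return findings


# Transcribed from the issue's `faros-rw` Role (core, rbac and faros groups only).
ALL_WRITE = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
FAROS_RW_RULES = [
    {"apiGroups": [""],
     "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "pods",
                   "replicationcontrollers", "replicationcontrollers/scale",
                   "secrets", "serviceaccounts", "services"],
     "verbs": ALL_WRITE},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["rolebindings", "roles"], "verbs": ALL_WRITE},
    {"apiGroups": ["faros.pusher.com"], "resources": ["gittracks"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
    {"apiGroups": ["faros.pusher.com"], "resources": ["gittrackobjects"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
]

# Constructed narrower variant for comparison (an assumption, not a Faros default):
# Secrets read-only, no ServiceAccount or RBAC writes.
NARROWED_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "services", "pods"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["faros.pusher.com"], "resources": ["gittracks", "gittrackobjects"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
]


def report(name, rules):
    """Format the findings for one rule set as printable lines."""
    lines = [f"{name}: {len(audit_rules(rules))} finding(s)"]
    for group, resource, reason in audit_rules(rules):
        lines.append(f"  {group or 'core'}/{resource}: {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("faros-rw (as posted)", FAROS_RW_RULES))
    print(report("narrowed variant", NARROWED_RULES))
```

Run it and the posted Role produces four findings (Secrets, ServiceAccounts, RoleBindings, Roles) while the narrowed variant produces none. The audit deliberately ignores read verbs, so whether the controller should be able to read Secrets at all is a separate decision for each team; it also only inspects what the manifest grants, not what the API server would actually allow after its own escalation checks.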