Verified Commit 2564bd3d authored by Sheogorath's avatar Sheogorath :european_castle:

refactor(apps): Rework flux reconciler permissions

This patch removes the custom wildcard (`*`/`*`/`*`) reconciler Role in each app namespace and instead binds the built-in `admin` ClusterRole through the existing namespaced RoleBinding; this restricts the reconciler to the namespaced resources that `admin` covers rather than every resource in the namespace.
...@@ -17,24 +17,14 @@ metadata: ...@@ -17,24 +17,14 @@ metadata:
namespace: forecastle namespace: forecastle
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: forecastle-reconciler
namespace: forecastle
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: forecastle-reconciler name: forecastle-reconciler
namespace: forecastle namespace: forecastle
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: forecastle-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: forecastle-reconciler name: forecastle-reconciler
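Review bot: Binding `admin` instead of a `*`/`*`/`*` Role drops access to any custom resource whose CRD is not aggregated into `admin` via the `rbac.authorization.k8s.io/aggregate-to-admin: "true"` label, so a reconcile that applies such a CR in `forecastle` will now fail with a forbidden error rather than silently keeping its old rights. Flux's own CRDs are, as far as I recall, covered by the aggregated `flux-edit` ClusterRole that Flux installs, but that should be confirmed on this cluster. Before merging, list what the account can still do with `kubectl auth can-i --list -n forecastle --as=system:serviceaccount:forecastle:forecastle-reconciler` and compare it with the resource kinds in this app's manifests. The ServiceAccount subject's `namespace:` line lies outside the hunk.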
...@@ -12,24 +12,14 @@ metadata: ...@@ -12,24 +12,14 @@ metadata:
namespace: gitlab-runner namespace: gitlab-runner
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: gitlab-runner-reconciler
namespace: gitlab-runner
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: gitlab-runner-reconciler name: gitlab-runner-reconciler
namespace: gitlab-runner namespace: gitlab-runner
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: gitlab-runner-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: gitlab-runner-reconciler name: gitlab-runner-reconciler
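Review bot: The `admin` ClusterRole still grants read/write on `secrets`, `pods/exec` and `pods/portforward`, plus create on `roles` and `rolebindings`, so for `gitlab-runner` this does not reduce what a compromised Git source could read; the runner's registration token, if it is kept as a Secret in this namespace, remains reachable. RBAC escalation prevention means the reconciler can only bind permissions it already holds, but it can still hand its full `admin` set to any other ServiceAccount in the namespace through a RoleBinding it creates. If withholding Secret access is a goal here, only a custom Role that enumerates the kinds the runner manifests actually contain (for example `deployments`, `configmaps`, `serviceaccounts`) can do that; `admin` and `edit` both include Secrets.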
...@@ -12,24 +12,14 @@ metadata: ...@@ -12,24 +12,14 @@ metadata:
namespace: goharbor namespace: goharbor
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: flux-reconciler
namespace: goharbor
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: flux-reconciler name: flux-reconciler
namespace: goharbor namespace: goharbor
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: flux-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: flux-reconciler name: flux-reconciler
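Review bot: The binding here is named `flux-reconciler` while the sibling namespaces use `<app>-reconciler` (`forecastle-reconciler`, `gitlab-runner-reconciler`, `keycloak-reconciler`); since all of them now point at the same `admin` ClusterRole, a uniform name such as `goharbor-reconciler` would make `kubectl get rolebindings -A` output and audit-log queries easier to correlate with the namespace. Renaming the RoleBinding also means renaming the ServiceAccount it references in `subjects`, whose definition sits above this hunk. Separately, if the Flux Kustomization that applies this directory has pruning disabled, the removed `flux-reconciler` Role object stays behind in the cluster unbound; harmless, but worth deleting explicitly.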
...@@ -10,24 +10,14 @@ metadata: ...@@ -10,24 +10,14 @@ metadata:
namespace: keycloak namespace: keycloak
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: keycloak-reconciler
namespace: keycloak
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: keycloak-reconciler name: keycloak-reconciler
namespace: keycloak namespace: keycloak
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: keycloak-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: keycloak-reconciler name: keycloak-reconciler
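Review bot: `admin` is an aggregated ClusterRole, so the effective rights of `keycloak-reconciler` are no longer fixed by this repository: any ClusterRole carrying `rbac.authorization.k8s.io/aggregate-to-admin: "true"` that a chart or operator installs later is merged in automatically, widening what the reconciler can do in the identity provider's namespace without a change here. That is acceptable as long as it is a conscious choice, and I would record it next to the reference, e.g. `# built-in aggregated ClusterRole; its rules grow as CRDs labelled aggregate-to-admin are installed`. Periodically diffing `kubectl get clusterrole admin -o yaml` against a known baseline would catch unexpected growth.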
...@@ -10,24 +10,14 @@ metadata: ...@@ -10,24 +10,14 @@ metadata:
namespace: mail namespace: mail
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: flux-reconciler
namespace: mail
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: flux-reconciler name: flux-reconciler
namespace: mail namespace: mail
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: flux-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: flux-reconciler name: flux-reconciler
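Review bot: Unlike the removed wildcard Role, `admin` does not allow writing `resourcequotas` or `limitranges` (and, if I recall correctly, on v1.22+ clusters also not `endpoints`/`endpointslices`), so if any manifest reconciled into `mail` declares one of those kinds the next apply will be rejected with a forbidden error. I cannot see this namespace's manifests from the hunk, so please verify with `kubectl auth can-i create resourcequotas -n mail --as=system:serviceaccount:mail:flux-reconciler` and a grep of the directory for `kind: ResourceQuota` / `kind: LimitRange`. If a quota is wanted, it should be applied by a cluster-level Kustomization rather than by this namespace-scoped reconciler.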
...@@ -12,24 +12,14 @@ metadata: ...@@ -12,24 +12,14 @@ metadata:
namespace: matrix namespace: matrix
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: matrix-reconciler
namespace: matrix
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: matrix-reconciler name: matrix-reconciler
namespace: matrix namespace: matrix
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: matrix-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: matrix-reconciler name: matrix-reconciler
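Review bot: If the manifests reconciled into `matrix` never create a Role or RoleBinding, the built-in `edit` ClusterRole is the tighter choice: it is `admin` minus write access to `roles`, `rolebindings` and `localsubjectaccessreviews`, which removes the reconciler's ability to grant its own permissions to other accounts in the namespace, i.e. `name: edit` in `roleRef`. Either way a short comment would help the next reader, since a ClusterRole referenced from a RoleBinding is easy to misread as cluster-wide: `# built-in ClusterRole, scoped to this namespace by the RoleBinding`. Note that both `edit` and `admin` still allow running pods as any ServiceAccount in the namespace, so neither contains the blast radius beyond what those accounts can reach.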
...@@ -12,24 +12,14 @@ metadata: ...@@ -12,24 +12,14 @@ metadata:
namespace: nextcloud namespace: nextcloud
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: nextcloud-reconciler
namespace: nextcloud
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: nextcloud-reconciler name: nextcloud-reconciler
namespace: nextcloud namespace: nextcloud
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: nextcloud-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: nextcloud-reconciler name: nextcloud-reconciler
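Review bot: The reduction from `*`/`*`/`*` to `admin` is real but narrower than "only safe resources" suggests, and it is worth stating precisely in the file: what goes away is write access to quotas and limit ranges, wildcard subresources such as `pods/ephemeralcontainers`, and every CRD not aggregated into `admin`; what stays is full read/write on `secrets`, `pods/exec`, and Role/RoleBinding creation in `nextcloud`. A comment such as `# admin is not least privilege: still covers secrets, exec and rolebindings in this namespace` above `roleRef` would keep the binding from being read as a lockdown. The ServiceAccount subject continues beyond the hunk.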
...@@ -17,24 +17,14 @@ metadata: ...@@ -17,24 +17,14 @@ metadata:
namespace: renovate namespace: renovate
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: flux-reconciler
namespace: renovate
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding kind: RoleBinding
metadata: metadata:
name: flux-reconciler name: flux-reconciler
namespace: renovate namespace: renovate
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
kind: Role kind: ClusterRole
name: flux-reconciler name: admin
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: flux-reconciler name: flux-reconciler
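Review bot: Through `admin` the reconciler keeps create on `pods` and write on `serviceaccounts` (and, if I recall correctly, create on `serviceaccounts/token` since v1.22), so it can run a pod as, or mint a token for, any ServiceAccount in `renovate`; if any of those accounts carries a broader ClusterRoleBinding, the reconciler inherits that reach transitively. Check with `kubectl get clusterrolebindings -o json | jq '.items[] | select(.subjects[]?.namespace=="renovate") | .metadata.name'` that no such binding exists, and where possible keep Renovate's Git and registry credentials out of Secrets this reconciler can enumerate. The `subjects` list continues past the end of the hunk.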