@rantav
Last active December 10, 2019 06:51
Kubernetes RBAC for Spinnaker
# Authorize read-write in the default namespace. Add this Role and the RoleBinding below to every namespace Spinnaker deploys artifacts to.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spinnaker-role
  namespace: default
rules:
- apiGroups: [""]
  # The log subresource is "pods/log" (the original had "pods/logs", which matches no resource).
  resources: ["namespaces", "events", "replicationcontrollers", "serviceaccounts", "pods/log"]
  verbs: ["get", "list"]
- apiGroups: [""]
  # "*" includes create, update, patch and delete, and here it covers Secrets in the namespace.
  resources: ["pods", "services", "secrets", "configmaps"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets"]
  verbs: ["*"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "get"]
- apiGroups: ["apps"]
  resources: ["controllerrevisions"]
  verbs: ["list"]
- apiGroups: ["extensions", "apps"]  # "apps"; the original had "app", which is not an API group
  resources: ["deployments", "replicasets", "ingresses"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spinnaker-role-binding
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: spinnaker-role
subjects:
- namespace: spinnaker
  kind: ServiceAccount
  name: default
---
# Authorize cluster-wide readonly permissions
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-read-all
rules:
- apiGroups:
  - ""
  - apps
  - autoscaling
  - batch
  - extensions
  - policy
  - rbac.authorization.k8s.io
  - storage.k8s.io
  - apiextensions.k8s.io
  - crd.k8s.amazonaws.com
  - apiregistration.k8s.io
  # Note: this list includes secrets, so the binding below grants read access to Secrets in every namespace.
  resources:
  - componentstatuses
  - configmaps
  - daemonsets
  - deployments
  - events
  - endpoints
  - horizontalpodautoscalers
  - ingress
  - ingresses
  - jobs
  - cronjobs
  - limitranges
  - namespaces
  - nodes
  - pods
  - persistentvolumes
  - persistentvolumeclaims
  - resourcequotas
  - replicasets
  - replicationcontrollers
  - serviceaccounts
  - services
  - clusterroles
  - clusterrolebindings
  - storageclasses
  - statefulsets
  - secrets
  - networkpolicies
  - rolebindings
  - roles
  - pods/log
  - poddisruptionbudgets
  - customresourcedefinitions
  - controllerrevisions
  - eniconfigs
  - apiservices
  verbs:
  - get
  - watch
  - list
- nonResourceURLs: ["*"]
  verbs:
  - get
  - watch
  - list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: spinnaker-cluster-read-all
subjects:
- kind: ServiceAccount
  name: default
  namespace: spinnaker
roleRef:
  kind: ClusterRole
  name: cluster-read-all
  apiGroup: rbac.authorization.k8s.io
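As an added check that is not part of the gist, the script below emulates `kubectl auth can-i` offline over the rules above (the ClusterRole abbreviated to the resources it exercises), so you can see before applying the manifests that the `spinnaker:default` ServiceAccount gets `delete` on Secrets in every bound namespace and read access to Secrets in all namespaces through the ClusterRole, while cluster-scoped objects stay read-only. `BOUND_NAMESPACES`, `CLUSTER_SCOPED` and the check names are this example's assumptions, not part of the original.

```python
# Offline "kubectl auth can-i" emulation for system:serviceaccount:spinnaker:default,
# based on the Role and ClusterRole in this gist (transcribed here as tuples; example code).
from typing import Dict, List, Tuple

Rule = Tuple[List[str], List[str], List[str]]  # (apiGroups, resources, verbs); only "*" wildcards modelled

BOUND_NAMESPACES = {"default"}  # namespaces where Role + RoleBinding are installed (example assumption)
CLUSTER_SCOPED = {"nodes", "persistentvolumes", "clusterroles", "clusterrolebindings"}  # never via RoleBinding

ROLE_RULES: List[Rule] = [
    # The log subresource is spelled "pods/log".
    ([""], ["namespaces", "events", "replicationcontrollers", "serviceaccounts", "pods/log"], ["get", "list"]),
    ([""], ["pods", "services", "secrets", "configmaps"], ["*"]),
    (["apps"], ["deployments", "statefulsets"], ["*"]),
    (["autoscaling"], ["horizontalpodautoscalers"], ["list", "get"]),
    (["apps"], ["controllerrevisions"], ["list"]),
    (["extensions", "apps"], ["deployments", "replicasets", "ingresses"], ["*"]),
]
# ClusterRole cluster-read-all, abbreviated to the resources exercised below.
CLUSTER_RULES: List[Rule] = [
    (["", "apps", "batch", "extensions", "rbac.authorization.k8s.io"],
     ["nodes", "pods", "secrets", "deployments", "jobs", "clusterrolebindings", "pods/log"],
     ["get", "watch", "list"]),
]

def _match(patterns: List[str], value: str) -> bool:
    return "*" in patterns or value in patterns

def can_i(verb: str, resource: str, group: str = "", namespace: str = "default") -> bool:
    """True if the ServiceAccount may perform verb on resource in namespace."""
    rules = list(CLUSTER_RULES)  # ClusterRoleBinding applies everywhere
    if namespace in BOUND_NAMESPACES and resource not in CLUSTER_SCOPED:
        rules += ROLE_RULES  # RoleBinding only in namespaces that carry it
    return any(_match(g, group) and _match(r, resource) and _match(v, verb) for g, r, v in rules)

def audit() -> Dict[str, bool]:
    """Least-privilege checks a reviewer would run before applying the manifests."""
    return {
        "get pods/log in default": can_i("get", "pods/log"),
        "delete secrets in default": can_i("delete", "secrets"),  # "*" verbs include delete
        "get secrets in kube-system": can_i("get", "secrets", namespace="kube-system"),  # via ClusterRole
        "create deployments in kube-system": can_i("create", "deployments", "apps", "kube-system"),
        "delete nodes": can_i("delete", "nodes"),
        "list clusterrolebindings": can_i("list", "clusterrolebindings", "rbac.authorization.k8s.io"),
    }

if __name__ == "__main__":
    for check, allowed in audit().items():
        print(("ALLOW " if allowed else "DENY  ") + check)
```

Run it against the real cluster afterwards with `kubectl auth can-i --as=system:serviceaccount:spinnaker:default` to confirm the emulation matches the API server's answer.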