fine-grained rbac for flagger helm

fluxcd · Mar 5, 2019 · 2b6507d · 2b6507d
1 parent 535a92e
commit 2b6507d
Show file tree

Hide file tree

Showing 2 changed files with 134 additions and 10 deletions.
diff --git a/artifacts/flagger/account.yaml b/artifacts/flagger/account.yaml
@@ -13,11 +13,73 @@ metadata:
   labels:
     app: flagger
 rules:
-- apiGroups: ['*']
-  resources: ['*']
-  verbs: ['*']
-- nonResourceURLs: ['*']
-  verbs: ['*']
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - events
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - flagger.app
+  resources:
+  - canaries/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - virtualservices
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - flagger.app
+  resources:
+  - canaries
+  verbs:
+  - get
+  - list
+  - watch
+- nonResourceURLs:
+  - /version
+  verbs:
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding

diff --git a/charts/flagger/templates/rbac.yaml b/charts/flagger/templates/rbac.yaml
@@ -9,11 +9,73 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 rules:
-- apiGroups: ['*']
-  resources: ['*']
-  verbs: ['*']
-- nonResourceURLs: ['*']
-  verbs: ['*']
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - events
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - flagger.app
+  resources:
+  - canaries/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - virtualservices
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - flagger.app
+  resources:
+  - canaries
+  verbs:
+  - get
+  - list
+  - watch
+- nonResourceURLs:
+  - /version
+  verbs:
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding