fine tune rbac (#1109)
* fine tune rbac

Signed-off-by: Huamin Chen <[email protected]>

* review feedback

Signed-off-by: Huamin Chen <[email protected]>
rootfs authored and google-prow-robot committed Jun 16, 2018
1 parent 174b11f commit 4d497a2
Showing 2 changed files with 61 additions and 2 deletions.
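--- a/config/200-clusterrole.yaml
+++ b/config/200-clusterrole.yaml
@@ -0,0 +1,59 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: knative-serving-admin
+rules:
+- apiGroups: [""]
+resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", "events", "serviceaccounts"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["extensions"]
+resources: ["ingresses","deployments"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["apps"]
+resources: ["deployments", "statefulsets"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+resources: ["mutatingwebhookconfigurations"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["serving.knative.dev"]
+resources: ["configurations", "configurationgenerations", "routes", "revisions", "revisionuids", "autoscalers", "services"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["build.dev"]
+resources: ["builds"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+- apiGroups: ["config.istio.io"]
+resources: ["routerules"]
+verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: knative-serving-write
+rules:
+- apiGroups: [""]
+resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", "events", "serviceaccounts"]
+verbs: ["get", "list", "update", "patch", "watch"]
+- apiGroups: ["extensions"]
+resources: ["ingresses","deployments"]
+verbs: ["get", "list", "update", "patch", "watch"]
+- apiGroups: ["apps"]
+resources: ["deployments", "statefulsets"]
+verbs: ["get", "list", "update", "patch", "watch"]
+- apiGroups: ["admissionregistration.k8s.io"]
+resources: ["mutatingwebhookconfigurations"]
+verbs: ["get", "list", "update", "patch", "watch"]
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions"]
+verbs: ["get", "list", "update", "patch", "watch"]
+- apiGroups: ["serving.knative.dev"]
+resources: ["configurations", "configurationgenerations", "routes", "revisions", "revisionuids", "autoscalers", "services"]
+verbs: ["get", "list", "update", "patch", "watch"]
+- apiGroups: ["build.dev"]
+resources: ["builds"]
+verbs: ["get", "list", "update", "patch", "watch"]
+- apiGroups: ["config.istio.io"]
+resources: ["routerules"]
+verbs: ["get", "list", "update", "patch", "watch"]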
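Review bot: The first rule in both knative-serving-admin and knative-serving-write still grants `get`/`list`/`watch` on `secrets` in every namespace, and the `admissionregistration.k8s.io` rule grants write access to all `mutatingwebhookconfigurations`, so a compromise of a bound service account stays close to cluster-admin in effect: it can read other accounts' tokens and change how every API request is admitted. Neither role carries a comment saying which controller needs which rule, which makes later tightening hard to review. I would split `secrets` into its own rule with only the verbs actually used, and pin the webhook rule to the one object the controller owns, e.g. `resourceNames: ["<webhook-config-name>"]` with `verbs: ["get", "update", "patch", "delete"]` (placeholder name; `create` and an unfiltered `list` cannot be restricted by `resourceNames` and would need a separate rule). Whether these roles apply cluster-wide depends on the binding kind in 201-clusterrolebinding.yaml, which is not visible in these lines.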
4 changes: 2 additions & 2 deletions config/201-clusterrolebinding.yaml
@@ -22,7 +22,7 @@ subjects:
namespace: knative-serving-system
roleRef:
kind: ClusterRole
name: cluster-admin
name: knative-serving-admin
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -35,5 +35,5 @@ subjects:
namespace: knative-serving-system
roleRef:
kind: ClusterRole
name: cluster-admin
name: knative-serving-write
apiGroup: rbac.authorization.k8s.io
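Review bot: The binding shown after the `---` separator is still declared with `apiVersion: rbac.authorization.k8s.io/v1beta1`, while the ClusterRoles this commit adds use `rbac.authorization.k8s.io/v1`; I would align the bindings on `apiVersion: rbac.authorization.k8s.io/v1` so the RBAC objects do not depend on a beta API being served. Both hunks start inside the `subjects:` list, so which service accounts receive knative-serving-admin versus knative-serving-write cannot be checked from these lines; a one-line comment above each `roleRef` naming the component and why it needs that role would make the mapping reviewable.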
