fine tune rbac

Signed-off-by: Huamin Chen <[email protected]>
knative · Jun 8, 2018 · 5d3ebf2 · 5d3ebf2
1 parent 8032a9d
commit 5d3ebf2
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 3 deletions.
diff --git a/config/200-clusterrole.yaml b/config/200-clusterrole.yaml
@@ -0,0 +1,89 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: knative-serving-admin
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses","deployments"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["admissionregistrations.k8s.io"]
+    resources: ["mutatingWebhookConfigurations"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["serving.knative.dev"]
+    resources: ["configurations", "configurationGenerations", "routes", "revisions", "revisionUIDs", "autoscalers", "services"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["build.dev"]
+    resources: ["builds", "buildtemplates"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]    
+  - apiGroups: ["feeds.knative.dev"]
+    resources: ["eventsources", "eventtypes", "binds"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]    
+---    
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: knative-serving-write
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services"]
+    verbs: ["get", "list", "update", "patch", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses","deployments"]
+    verbs: ["get", "list", "update", "patch", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "update", "patch", "watch"]
+  - apiGroups: ["admissionregistrations.k8s.io"]
+    resources: ["mutatingWebhookConfigurations"]
+    verbs: ["get", "list", "update", "patch", "watch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "update", "patch", "watch"]
+  - apiGroups: ["serving.knative.dev"]
+    resources: ["configurations", "configurationGenerations", "routes", "revisions", "revisionUIDs", "autoscalers", "services"]
+    verbs: ["get", "list", "update", "patch", "watch"]
+  - apiGroups: ["build.dev"]
+    resources: ["builds", "buildtemplates"]
+    verbs: ["get", "list", "update", "patch", "watch"]    
+  - apiGroups: ["feeds.knative.dev"]
+    resources: ["eventsources", "eventtypes", "binds"]
+    verbs: ["get", "list", "update", "patch", "watch"]    
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: knative-serving-read
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["extensions"]
+    resources: ["ingresses","deployments"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["admissionregistrations.k8s.io"]
+    resources: ["mutatingWebhookConfigurations"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["apiextensions.k8s.io"]
+    resources: ["customresourcedefinitions"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["serving.knative.dev"]
+    resources: ["configurations", "configurationGenerations", "routes", "revisions", "revisionUIDs", "autoscalers", "services"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["build.dev"]
+    resources: ["builds", "buildtemplates"]
+    verbs: ["get", "list", "watch"]    
+  - apiGroups: ["feeds.knative.dev"]
+    resources: ["eventsources", "eventtypes", "binds"]
+    verbs: ["get", "list", "watch"]    
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
@@ -22,7 +22,7 @@ subjects:
     namespace: knative-serving-system
 roleRef:
   kind: ClusterRole
-  name: cluster-admin
+  name: knative-serving-admin
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -35,7 +35,7 @@ subjects:
     namespace: knative-serving-system
 roleRef:
   kind: ClusterRole
-  name: cluster-admin
+  name: knative-serving-write
   apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
@@ -48,5 +48,5 @@ subjects:
     namespace: default
 roleRef:
   kind: ClusterRole
-  name: cluster-admin  # TODO(josephburnett): reduce this role to read-only
+  name: knative-serving-read  # TODO(josephburnett): reduce this role to read-only
   apiGroup: rbac.authorization.k8s.io