Merge pull request #9675 from zalando-incubator/kubernetes-resource-analyzer-secrets

linki · web-flow · commit 3c87ec6c4cfc · 2025-07-14T10:29:19.000+02:00
Allow kubernetes-resource-analyzer to read secrets
diff --git a/cluster/manifests/roles/kubernetes-resource-analyzer.yaml b/cluster/manifests/roles/kubernetes-resource-analyzer.yaml
@@ -13,3 +13,36 @@ subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
   name: zalando-iam:zalando:service:stups_kubernetes
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubernetes-resource-analyzer-secrets
+  labels:
+    application: kubernetes
+    component: resource-analyzer
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-resource-analyzer-secrets
+  labels:
+    application: kubernetes
+    component: resource-analyzer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-resource-analyzer-secrets
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: zalando-iam:zalando:service:stups_kubernetes
