
Commit 626013f

committed
Restrict RBAC permissions
1 parent 2421f1e commit 626013f


5 files changed

+55
-25
lines changed


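--- /dev/null
+++ b/deploy/cluster_role.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ext-postgres-operator
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resourceNames:
+  - ext-postgres-operator
+  resources:
+  - deployments/finalizers
+  verbs:
+  - update
+- apiGroups:
+  - db.movetokube.com
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - servicemonitors
+  verbs:
+  - '*'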
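Review bot: The first rule grants every verb on core `secrets` in every namespace, which is the widest permission in the change set and undercuts a commit that otherwise narrows the operator to a namespaced Role. If the operator only has to create and read the credential secrets it manages in other namespaces, enumerate those verbs instead of `'*'` (e.g. `- create`, `- get`, `- update`, plus whatever else the controller actually calls), since `'*'` also covers `list`, `watch`, `delete` and `deletecollection` on every secret in the cluster. The `'*'` verbs on `servicemonitors` look similarly wider than needed, though the exact set depends on how the operator manages them. The `secrets` entry in deploy/role.yaml is subsumed by this cluster-wide grant, so the namespaced Role does not actually restrict anything for secrets.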

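--- /dev/null
+++ b/deploy/cluster_role_binding.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ext-postgres-operator
+subjects:
+- kind: ServiceAccount
+  name: ext-postgres-operator
+roleRef:
+  kind: ClusterRole
+  name: ext-postgres-operator
+  apiGroup: rbac.authorization.k8s.io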
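Review bot: The ServiceAccount subject has no `namespace`, and the API server rejects a ClusterRoleBinding whose ServiceAccount subject omits it (unlike a RoleBinding, where an empty subject namespace is accepted and resolves to the binding's own namespace), so applying this file on its own fails validation. Add `namespace: <OPERATOR_NAMESPACE>` under the subject, or rely on the kustomize namespace transformer to fill it in if deploy/kustomization.yaml sets `namespace:`; that setting is outside this diff, so I cannot confirm which applies.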

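--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -7,6 +7,8 @@ resources:
 - crds/db.movetokube.com_postgres_crd.yaml
 - crds/db.movetokube.com_postgresusers_crd.yaml
 - operator.yaml
+- cluster_role.yaml
+- cluster_role_binding.yaml
 - role.yaml
 - role_binding.yaml
 - service_account.yaml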

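--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -1,40 +1,26 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: ext-postgres-operator
 rules:
 - apiGroups:
   - ""
   resources:
-  - pods
-  - services
-  - endpoints
-  - persistentvolumeclaims
-  - events
   - configmaps
   - secrets
+  - services
   verbs:
   - '*'
 - apiGroups:
-  - apps
-  resources:
-  - deployments
-  - daemonsets
-  - replicasets
-  - statefulsets
-  verbs:
-  - '*'
-- apiGroups:
-  - apps
-  resourceNames:
-  - ext-postgres-operator
+  - ""
   resources:
-  - deployments/finalizers
+  - pods
   verbs:
-  - update
+  - 'get'
 - apiGroups:
-  - db.movetokube.com
+  - "apps"
   resources:
-  - '*'
+  - replicasets
+  - deployments
   verbs:
-  - '*'
+  - 'get'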
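Review bot: The new lines quote scalars inconsistently — `- 'get'` and `- "apps"` — while every other verb, group and resource in this file is a plain scalar (`- update`, `- apps`, `- configmaps`); write `- get` and `- apps` so the file reads uniformly. Beyond style, the first rule keeps `'*'` on `configmaps`, `secrets` and `services` even though the new pods/replicasets/deployments rules show the author already knows the narrower verb set; `'*'` there still includes `delete`, `deletecollection` and `patch`, so enumerating the verbs the controller uses would complete the restriction this commit starts. Which verbs those are is not visible from the manifest alone.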

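--- a/deploy/role_binding.yaml
+++ b/deploy/role_binding.yaml
@@ -1,11 +1,11 @@
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: ext-postgres-operator
 subjects:
 - kind: ServiceAccount
   name: ext-postgres-operator
 roleRef:
-  kind: ClusterRole
+  kind: Role
   name: ext-postgres-operator
   apiGroup: rbac.authorization.k8s.io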
