Commit dd767815 authored by Edmund Ochieng's avatar Edmund Ochieng

add custom rbac for gitlab and runner

parent 6f2dcf23
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: gitlab-backup
rules:
- apiGroups:
- ""
resources:
- secrets
- pods
- events
- services
- services/status
- services/proxy
- services/finalizers
- resourcequotas
- pods/attach
- pods/exec
- pods/log
- persistentvolumeclaims
- configmaps
verbs:
- create
- get
- list
- watch
- delete
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- get
- update
- delete
- watch
- list
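Review bot: `gitlab-backup` is defined as a ClusterRole and bound with a ClusterRoleBinding, so this service account gets `get`/`list` on `secrets` plus `create` on `pods/exec` and `pods/attach` in every namespace, which means a compromised backup pod can read any secret in the cluster and exec into any pod. Unless the backup job genuinely has to reach across namespaces, scope it with `kind: Role` and `kind: RoleBinding` in `gitlab-operator`, and drop `pods/exec`, `pods/attach` and `services/proxy` if the backup logic does not use them (I cannot see the job from this commit, so confirm against it). The `gitlab-runner` ClusterRole further down this page carries the identical rule set and has the same exposure; the upstream runner chart, as far as I recall, scopes its permissions to the namespace the build pods run in, so a namespaced Role should suffice there too. The `creationTimestamp: null` entries under `metadata` are `kubectl --dry-run` artifacts and can be removed.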
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gitlab-backup
subjects:
- kind: ServiceAccount
name: gitlab-backup
namespace: gitlab-operator
roleRef:
kind: ClusterRole
name: gitlab-backup
apiGroup: rbac.authorization.k8s.io
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: gitlab-backup
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: gitlab
rules:
- apiGroups:
- security.openshift.io
resources:
- securitycontextconstraints
resourceNames:
- anyuid
verbs:
- use
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gitlab
subjects:
- kind: ServiceAccount
name: gitlab
namespace: gitlab-operator
roleRef:
kind: ClusterRole
name: gitlab
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: gitlab-runner
rules:
- apiGroups:
- ""
resources:
- secrets
- pods
- events
- services
- services/status
- services/proxy
- services/finalizers
- resourcequotas
- pods/attach
- pods/exec
- pods/log
- persistentvolumeclaims
- configmaps
verbs:
- create
- get
- list
- watch
- delete
- patch
- update
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gitlab-runner
subjects:
- kind: ServiceAccount
name: gitlab-runner
namespace: gitlab-operator
roleRef:
kind: ClusterRole
name: gitlab-runner
apiGroup: rbac.authorization.k8s.io
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: gitlab-runner
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: gitlab
apiVersion: v1
kind: ServiceAccount
metadata:
creationTimestamp: null
name: gitlab-operator
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: gitlab-operator
subjects:
- kind: ServiceAccount
name: gitlab-operator
namespace: gitlab-operator
roleRef:
kind: ClusterRole
name: gitlab-operator
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: gitlab-operator
rules:
- apiGroups:
- ""
resources:
- pods
- pods/log
- services
- services/finalizers
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resourceNames:
- gitlab-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
- deployments
verbs:
- get
- apiGroups:
- apps.gitlab.com
resources:
- '*'
- runners
- backups
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- extensions
resources:
- ingresses
verbs:
- create
- list
- get
- watch
- delete
- apiGroups:
- route.openshift.io
resources:
- routes
- routes/custom-host
verbs:
- create
- get
- list
- watch
- delete
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
- prometheuses
verbs:
- list
- create
- get
- watch
- delete
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- list
- get
- delete
- watch
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- create
- get
- update
- delete
- watch
- list
- apiGroups:
- miniocontroller.min.io
resources:
- minioinstances
verbs:
- create
- list
- watch
- delete
- update
- patch
- apiGroups:
- cert-manager.io
resources:
- issuers
- certificates
verbs:
- create
- get
- list
- delete
- watch
- patch
- update
- apiGroups:
- k8s.nginx.org
resources:
- nginxingresscontrollers
verbs:
- create
- update
- patch
- list
- get
- delete
- watch
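Review bot: In the `apps.gitlab.com` rule the resource list contains `'*'` next to `runners` and `backups`, so the wildcard already covers every resource in that group (including ones added later) and the two names are dead entries; either keep `- runners` and `- backups` and drop `- '*'`, or keep the wildcard alone, but not both. Several later rules are subsumed by earlier ones in the same role (the core `pods`/`get` rule and the `apps` `replicasets`/`deployments`/`get` rule repeat verbs granted above, and `batch`/`jobs` appears twice with different verb sets), which makes the effective permission set hard to audit; merge each API group into one rule. `extensions`/`ingresses` is the pre-1.19 ingress API group and the rule is a no-op on clusters where it has been removed, so if the operator creates `networking.k8s.io/v1` ingresses that group should be named as well. `creationTimestamp: null` under `metadata` is a `--dry-run` artifact and can be dropped.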
......@@ -10,3 +10,15 @@ resources:
- auth_proxy_role.yaml
- auth_proxy_role_binding.yaml
- auth_proxy_client_clusterrole.yaml
# Build Custom RBAC service accounts and roles
- custom/gitlab_backup_role_binding.yaml
- custom/gitlab_backup_role.yaml
- custom/gitlab_backup_serviceaccount.yaml
- custom/gitlab_role_binding.yaml
- custom/gitlab_role.yaml
- custom/gitlab_runner_role_binding.yaml
- custom/gitlab_runner_role.yaml
- custom/gitlab_runner_serviceaccount.yaml
- custom/gitlab_service_account.yaml
- custom/rbac_gitlab_operator.yaml