fine-grained rbac for flagger helm

huydinhle · huydinhle · commit 1b99f3f71d05 · 2019-03-05T11:27:43.000-08:00
diff --git a/charts/flagger/templates/rbac.yaml b/charts/flagger/templates/rbac.yaml
@@ -9,11 +9,73 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/instance: {{ .Release.Name }}
 rules:
-- apiGroups: ['*']
-  resources: ['*']
-  verbs: ['*']
-- nonResourceURLs: ['*']
-  verbs: ['*']
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  - events
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - autoscaling
+  resources:
+  - horizontalpodautoscalers
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - flagger.app
+  resources:
+  - canaries/status
+  verbs:
+  - get
+  - patch
+  - update
+- apiGroups:
+  - networking.istio.io
+  resources:
+  - virtualservices
+  verbs:
+  - create
+  - get
+  - patch
+  - update
+- apiGroups:
+  - flagger.app
+  resources:
+  - canaries
+  verbs:
+  - get
+  - list
+  - watch
+- nonResourceURLs:
+  - /version
+  verbs:
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
