
Commit 2b6507d

committed
fine-grained rbac for flagger helm
1 parent 535a92e commit 2b6507d


2 files changed

+134
-10
lines changed


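--- a/artifacts/flagger/account.yaml
+++ b/artifacts/flagger/account.yaml
@@ -13,11 +13,73 @@ metadata:
 labels:
 app: flagger
 rules:
-- apiGroups: ['*']
-resources: ['*']
-verbs: ['*']
-- nonResourceURLs: ['*']
-verbs: ['*']
+- apiGroups:
+- ""
+resources:
+- configmaps
+- secrets
+- events
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- ""
+resources:
+- services
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- apps
+resources:
+- deployments
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- autoscaling
+resources:
+- horizontalpodautoscalers
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- flagger.app
+resources:
+- canaries/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- networking.istio.io
+resources:
+- virtualservices
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- flagger.app
+resources:
+- canaries
+verbs:
+- get
+- list
+- watch
+- nonResourceURLs:
+- /version
+verbs:
+- get
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding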
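Review bot: The first added rule gives the controller `create`, `get`, `patch` and `update` on `secrets` together with `configmaps` and `events`, and because this is a cluster-scoped role (the manifest's `kind` and metadata sit above the hunk; the trailing context starts a ClusterRoleBinding that presumably binds it) that is read and write access to any Secret in any namespace by name. Splitting that rule would let each resource carry only the verbs it needs, for example `events` with `create` and `patch` only, and `secrets` in its own rule under a comment such as `# cluster-wide Secret access: needed to copy Secrets referenced by canary targets`. If the controller only acts in a known set of namespaces, binding the role with per-namespace RoleBindings would narrow the exposure further; which verbs the controller really uses is not visible here and should be confirmed before trimming. The same rule is added in charts/flagger/templates/rbac.yaml.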

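--- a/charts/flagger/templates/rbac.yaml
+++ b/charts/flagger/templates/rbac.yaml
@@ -9,11 +9,73 @@ metadata:
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 rules:
-- apiGroups: ['*']
-resources: ['*']
-verbs: ['*']
-- nonResourceURLs: ['*']
-verbs: ['*']
+- apiGroups:
+- ""
+resources:
+- configmaps
+- secrets
+- events
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- ""
+resources:
+- services
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- apps
+resources:
+- deployments
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- autoscaling
+resources:
+- horizontalpodautoscalers
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- flagger.app
+resources:
+- canaries/status
+verbs:
+- get
+- patch
+- update
+- apiGroups:
+- networking.istio.io
+resources:
+- virtualservices
+verbs:
+- create
+- get
+- patch
+- update
+- apiGroups:
+- flagger.app
+resources:
+- canaries
+verbs:
+- get
+- list
+- watch
+- nonResourceURLs:
+- /version
+verbs:
+- get
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding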
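Review bot: The 67 added rule lines here duplicate the list added to artifacts/flagger/account.yaml line for line, so a later tightening of one copy can leave the other more permissive without anyone noticing. A comment above `rules:` such as `# keep in sync with artifacts/flagger/account.yaml` would make the coupling visible. The two `flagger.app` rules (`canaries/status` and `canaries`) are also separated by the `networking.istio.io` rule; placing them next to each other would make the controller's rights on its own API group easier to audit.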
