operator: envoyfleet manager role (#108)

kubeshop · Nov 18, 2021 · 9d15203 · 9d15203
1 parent f38bccc
commit 9d15203
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 1 deletion.
diff --git a/config/rbac/envoyfleet_manager_role.yaml b/config/rbac/envoyfleet_manager_role.yaml
@@ -0,0 +1,33 @@
+# permissions to do manage Envoy Fleets
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: envoyfleet-manager-role
+rules:
+  - apiGroups:
+      - "apps"
+    resources:
+      - deployments
+      - services
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+      - configmaps
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
diff --git a/config/rbac/envoyfleet_manager_role_binding.yaml b/config/rbac/envoyfleet_manager_role_binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: envoyfleet-manager-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: envoyfleet-manager-role
+subjects:
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -9,6 +9,8 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- envoyfleet_manager_role.yaml
+- envoyfleet_manager_role_binding.yaml
 # Comment the following 4 lines if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -5,7 +5,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: cluster-admin
+  name: manager-role
 subjects:
 - kind: ServiceAccount
   name: controller-manager