This is an automated email from the ASF dual-hosted git repository.

nicknezis pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-heron.git


The following commit(s) were added to refs/heads/master by this push:
     new a3cda19  Stop using "cluster admin" role and restrict to k8s namespace 
(#3618)
a3cda19 is described below

commit a3cda1954a34bf0d4cff3aade826e9f35a493c05
Author: Scott <[email protected]>
AuthorDate: Mon Sep 21 00:00:55 2020 -0400

    Stop using "cluster admin" role and restrict to k8s namespace (#3618)
---
 deploy/kubernetes/helm/templates/tools.yaml | 41 +++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/deploy/kubernetes/helm/templates/tools.yaml 
b/deploy/kubernetes/helm/templates/tools.yaml
index dfa63e5..7632485 100644
--- a/deploy/kubernetes/helm/templates/tools.yaml
+++ b/deploy/kubernetes/helm/templates/tools.yaml
@@ -217,22 +217,53 @@ metadata:
     k8s-app: {{ .Release.Name }}-apiserver
 
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
 metadata:
   name: {{ .Release.Name }}-apiserver
   labels:
     app: {{ .Release.Name }}-apiserver
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects: 
+  kind: Role
+  name: {{ .Release.Name }}-apiserver
+subjects:
 - kind: ServiceAccount
   name: {{ .Release.Name }}-apiserver
   namespace: {{ .Release.Namespace }}
 
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-apiserver
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+
+---
 apiVersion: v1
 kind: Service
 metadata:
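Review bot: The new `kind: Role` grants create/patch/update/delete on every StatefulSet and Service in the release namespace, and nothing in the template says that namespace is expected to be dedicated to Heron. Because the right to create or patch a StatefulSet also lets the holder start pods under any service account in the same namespace, I would add a comment above `rules:` such as `# Grants workload control over the whole release namespace; install this chart into a namespace dedicated to Heron.` The Role's metadata also lacks the `labels:` entry (`app: {{ .Release.Name }}-apiserver`) that the RoleBinding carries, so the two RBAC objects cannot be selected together by label. Whether the API server also needs access to other resources such as pods or configmaps cannot be told from this hunk, so it is worth confirming with a topology submit/update/kill run under the new binding.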
