Permission Manager
crd.yaml
YAML
apiVersion: "apiextensions.k8s.io/v1"
kind: "CustomResourceDefinition"
metadata:
name: "permissionmanagerusers.permissionmanager.user"
spec:
group: "permissionmanager.user"
versions:
- name: "v1alpha1"
served: true
storage: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
name:
type: string
minLength: 2
scope: "Cluster"
names:
plural: "permissionmanagerusers"
singular: "permissionmanageruser"
kind: "Permissionmanageruser"
Deployment and more
YAML
---
apiVersion: v1
kind: Service
metadata:
namespace: permission-manager
name: permission-manager
spec:
selector:
app: permission-manager
ports:
- protocol: TCP
port: 4000
targetPort: 4000
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: permission-manager
name: permission-manager
labels:
app: permission-manager
spec:
replicas: 1
selector:
matchLabels:
app: permission-manager
template:
metadata:
labels:
app: permission-manager
spec:
serviceAccountName: permission-manager
containers:
- name: permission-manager
image: quay.io/sighup/permission-manager:v1.9.0
ports:
- containerPort: 4000
env:
- name: NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- secretRef:
name: permission-manager
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: permission-manager
namespace: permission-manager
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: permission-manager
rules:
# Allow full management of all the Permission Manager resources
- apiGroups: ["permissionmanager.user"]
resources:
- "*"
verbs: ["get", "list", "create", "update", "delete", "watch"]
# Allow full management of the RBAC resources
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "clusterrolebindings"
- "clusterroles"
- "rolebindings"
- "roles"
verbs: ["get", "list", "create", "update", "delete", "bind", "watch"]
- apiGroups: [""]
resources:
- "serviceaccounts"
- "secrets"
verbs: ["get", "list", "create", "update", "delete", "watch"]
# Allow full management of certificates CSR, including their approval
- apiGroups: ["certificates.k8s.io"]
resources:
- "certificatesigningrequests"
- "certificatesigningrequests/approval"
verbs: ["get", "list", "create", "update", "delete", "watch"]
# Support legacy versions, before signerName was added
# (see https://github.com/kubernetes/kubernetes/pull/88246)
- apiGroups: ["certificates.k8s.io"]
resources:
- "signers"
resourceNames:
- "kubernetes.io/legacy-unknown"
- "kubernetes.io/kube-apiserver-client"
verbs: ["approve"]
# Allow to get and list Namespaces
- apiGroups: [""]
resources:
- "namespaces"
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: permission-manager
roleRef:
kind: ClusterRole
name: permission-manager
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: permission-manager
namespace: permission-manager
namespace.yaml
YAML
apiVersion: v1
kind: Namespace
metadata:
name: permission-manager
labels:
name: permission-manager
secret
YAML
---
apiVersion: v1
kind: Secret
metadata:
name: permission-manager
namespace: permission-manager
type: Opaque
stringData:
PORT: "4000" # port where server is exposed
CLUSTER_NAME: "k3s-cluster" # name of the cluster to use in the generated kubeconfig file
CONTROL_PLANE_ADDRESS: "https://k3s.urdomen.dev:6443" # full address of the control plane to use in the generated kubeconfig file
BASIC_AUTH_PASSWORD: "passWordHere" # password used by basic auth (username is `admin`)
seed.yaml
YAML
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: template-namespaced-resources___operation
rules:
- apiGroups:
- "*"
resources:
- "*"
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: template-namespaced-resources___developer
rules:
- apiGroups:
- "*"
resources:
- "configmaps"
- "endpoints"
- "persistentvolumeclaims"
- "pods"
- "pods/log"
- "pods/portforward"
- "podtemplates"
- "replicationcontrollers"
- "resourcequotas"
- "secrets"
- "services"
- "events"
- "daemonsets"
- "deployments"
- "replicasets"
- "ingresses"
- "networkpolicies"
- "poddisruptionbudgets"
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: template-cluster-resources___read-only
rules:
# yamllint disable-line rule:line-length
# INIT: Copied from https://github.com/lensapp/lens/pull/644/files#diff-e8fd9c95df786da51f13c3a7442a1d88b3ac4294b786bc268ac92a4072bf50e7R5-R198
# Solves issue #43 with the PR #45
- nonResourceURLs:
- /metrics
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- bindings
- componentstatuses
- configmaps
- endpoints
- events
- limitranges
- namespaces
- namespaces/finalize
- namespaces/status
- nodes
- nodes/proxy
- nodes/status
- persistentvolumeclaims
- persistentvolumeclaims/status
- persistentvolumes
- persistentvolumes/status
- pods
- pods/attach
- pods/binding
- pods/eviction
- pods/exec
- pods/log
- pods/proxy
- pods/status
- podtemplates
- replicationcontrollers
- replicationcontrollers/scale
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
- serviceaccounts
- services
- services/proxy
- services/status
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- controllerrevisions
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- replicasets
- replicasets/scale
- replicasets/status
- statefulsets
- statefulsets/scale
- statefulsets/status
verbs:
- list
- get
- watch
- apiGroups:
- batch
resources:
- jobs
- jobs/status
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
- horizontalpodautoscalers/status
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csidrivers
- csinodes
- storageclasses
- volumeattachments
- volumeattachments/status
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- list
- watch
- apiGroups:
- node.k8s.io
resources:
- runtimeclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
- ingresses/status
verbs:
- get
- list
- watch
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
- customresourcedefinitions/status
verbs:
- get
- list
- watch
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
- apiservices/status
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
- poddisruptionbudgets/status
- podsecuritypolicies
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- rolebindings
- roles
verbs:
- get
- list
- watch
# END
- apiGroups:
- "*"
resources:
- "componentstatuses"
- "namespaces"
- "nodes"
- "persistentvolumes"
- "mutatingwebhookconfigurations"
- "validatingwebhookconfigurations"
- "customresourcedefinitions"
- "apiservices"
- "tokenreviews"
- "selfsubjectaccessreviews"
- "selfsubjectrulesreviews"
- "subjectaccessreviews"
- "certificatesigningrequests"
- "runtimeclasses"
- "podsecuritypolicies"
- "clusterrolebindings"
- "clusterroles"
- "priorityclasses"
- "csidrivers"
- "csinodes"
- "storageclasses"
- "volumeattachment"
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: template-cluster-resources___admin
rules:
# yamllint disable-line rule:line-length
# INIT: Copied from https://github.com/lensapp/lens/pull/644/files#diff-e8fd9c95df786da51f13c3a7442a1d88b3ac4294b786bc268ac92a4072bf50e7R5-R198
# Solves issue #43 with the PR #45
- nonResourceURLs:
- /metrics
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- bindings
- componentstatuses
- configmaps
- endpoints
- events
- limitranges
- namespaces
- namespaces/finalize
- namespaces/status
- nodes
- nodes/proxy
- nodes/status
- persistentvolumeclaims
- persistentvolumeclaims/status
- persistentvolumes
- persistentvolumes/status
- pods
- pods/attach
- pods/binding
- pods/eviction
- pods/exec
- pods/log
- pods/proxy
- pods/status
- podtemplates
- replicationcontrollers
- replicationcontrollers/scale
- replicationcontrollers/status
- resourcequotas
- resourcequotas/status
- serviceaccounts
- services
- services/proxy
- services/status
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- controllerrevisions
- daemonsets
- daemonsets/status
- deployments
- deployments/scale
- deployments/status
- replicasets
- replicasets/scale
- replicasets/status
- statefulsets
- statefulsets/scale
- statefulsets/status
verbs:
- list
- get
- watch
- apiGroups:
- batch
resources:
- jobs
- jobs/status
verbs:
- get
- list
- watch
- apiGroups:
- autoscaling
resources:
- horizontalpodautoscalers
- horizontalpodautoscalers/status
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csidrivers
- csinodes
- storageclasses
- volumeattachments
- volumeattachments/status
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- list
- watch
- apiGroups:
- node.k8s.io
resources:
- runtimeclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses
- ingresses/status
verbs:
- get
- list
- watch
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
- customresourcedefinitions/status
verbs:
- get
- list
- watch
- apiGroups:
- apiregistration.k8s.io
resources:
- apiservices
- apiservices/status
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- metrics.k8s.io
resources:
- pods
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
- poddisruptionbudgets/status
- podsecuritypolicies
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
- rolebindings
- roles
verbs:
- get
- list
- watch
# END
- apiGroups:
- "*"
resources:
- "componentstatuses"
- "namespaces"
- "nodes"
- "persistentvolumes"
- "mutatingwebhookconfigurations"
- "validatingwebhookconfigurations"
- "customresourcedefinitions"
- "apiservices"
- "tokenreviews"
- "selfsubjectaccessreviews"
- "selfsubjectrulesreviews"
- "subjectaccessreviews"
- "certificatesigningrequests"
- "runtimeclasses"
- "podsecuritypolicies"
- "clusterrolebindings"
- "clusterroles"
- "priorityclasses"
- "csidrivers"
- "csinodes"
- "storageclasses"
- "volumeattachment"
verbs: ["*"]