Allow read-only access ('kubectl get') on rbac roles and rolebindings #49

Merged: 1 commit, Aug 21, 2024

artntek (Contributor) commented Aug 20, 2024

see #48

artntek (Contributor, Author) commented Aug 20, 2024

Tested in my own namespace on dev cluster.

Before:

## executed as k8s admin:
$ kc get -o yaml -n brooke role brooke
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
## [...etc...]
rules:
- apiGroups:
  - ""
  - networking.k8s.io
  - extensions
  - apps
  - autoscaling
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'

After:

## executed as k8s admin:
$ cat application-context.yaml | SERVICE_ACCOUNT=brooke envsubst | kubectl apply -n brooke -f -
serviceaccount/brooke unchanged
role.rbac.authorization.k8s.io/brooke configured
rolebinding.rbac.authorization.k8s.io/brooke unchanged

$ kc get -o yaml -n brooke role brooke
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
## [...etc...]
rules:
- apiGroups:
  - ""
  - networking.k8s.io
  - extensions
  - apps
  - autoscaling
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - roles
  - rolebindings
  verbs:
  - get

(Last 7 lines added)

mbjones (Member) commented Aug 21, 2024

Looks good to me. Do you have a list of existing service accounts to apply this to, to make sure they all have it? And is it worthwhile to automate that process of adding the additional perms to existing service accounts?

mbjones added the labels enhancement (New feature or request) and operations on Aug 21, 2024

mbjones (Member) left a comment

This simple addition looks fine.
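
For the question above about checking existing service accounts, one way to audit which Roles still lack the new rule. This is an added example, not code from this repository or its contributors. It evaluates Role rules from JSON shaped like `kubectl get roles -A -o json`; the sample data, the `example-ns/example-sa` Role and the function names are constructed for illustration.

```python
import json

RBAC_GROUP = "rbac.authorization.k8s.io"

# Constructed sample shaped like `kubectl get roles -A -o json`: one Role with
# the rule from this PR applied, one still in the "Before" state.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "brooke", "name": "brooke"},
  "rules": [
   {"apiGroups": ["", "networking.k8s.io", "extensions", "apps", "autoscaling"],
    "resources": ["*"], "verbs": ["*"]},
   {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]},
   {"apiGroups": ["rbac.authorization.k8s.io"],
    "resources": ["roles", "rolebindings"], "verbs": ["get"]}]},
 {"metadata": {"namespace": "example-ns", "name": "example-sa"},
  "rules": [
   {"apiGroups": ["", "networking.k8s.io", "extensions", "apps", "autoscaling"],
    "resources": ["*"], "verbs": ["*"]},
   {"apiGroups": ["batch"], "resources": ["jobs", "cronjobs"], "verbs": ["*"]}]}
]}
""")


def _matches(allowed, wanted):
    """RBAC list match: '*' in the rule covers any value."""
    return "*" in allowed or wanted in allowed


def role_allows(role, verb, api_group, resource):
    """True if any rule grants verb on resource in api_group (top-level
    resources only; resourceNames and subresources are not modelled)."""
    return any(
        _matches(r.get("apiGroups", []), api_group)
        and _matches(r.get("resources", []), resource)
        and _matches(r.get("verbs", []), verb)
        for r in role.get("rules") or []
    )


def roles_missing_rbac_read(role_list):
    """Return namespace/name of Roles lacking get on roles or rolebindings."""
    return [
        f"{r['metadata']['namespace']}/{r['metadata']['name']}"
        for r in role_list["items"]
        if not all(role_allows(r, "get", RBAC_GROUP, res)
                   for res in ("roles", "rolebindings"))
    ]


if __name__ == "__main__":
    print("needs update:", roles_missing_rbac_read(SAMPLE))
```

The same evaluator shows the scope of the added rule: it grants only `get`, so a request for a named Role or RoleBinding is allowed while `list` and every write verb on those resources stay denied.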
