├── .gitignore
├── README.md
├── rolebindings
│   ├── default-reader-binding.yaml
│   ├── healthz-rb.yaml
│   ├── kube-proxy-role-binding.yaml
│   ├── kube-system-admin-rb.yaml
│   ├── kube-system-sa-read-all-rb.yaml
│   ├── kubelet-role-binding.yaml
│   ├── sceduler-read-all-rb.yaml
│   ├── scheduler-role-binding.yaml
│   └── service-reader-rb.yaml
└── roles
    ├── cluster-admin.yaml
    ├── controller-manager.yaml
    ├── default-reader.yaml
    ├── healthz-reader-role.yaml
    ├── kube-proxy-role.yaml
    ├── kube-system-default-role.yaml
    ├── kubelet-role.yaml
    ├── reader-all.yaml
    └── scheduler-role.yaml

/.gitignore:
--------------------------------------------------------------------------------
# Compiled Object files, Static and Dynamic libs (Shared Objects)
*.o
*.a
*.so

# Folders
_obj
_test

# Architecture specific extensions/prefixes
*.[568vq]
[568vq].out

*.cgo1.go
*.cgo2.c
_cgo_defun.c
_cgo_gotypes.go
_cgo_export.*

_testmain.go

*.exe
*.test
*.prof
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
Cluster RBAC Policies
========================
Below are all the RBAC policies needed for a Kubernetes cluster to function with only the RBAC authorizer enabled, listed component by component.

**Default Role**
Given to all users in the system; it supports discovery and common read-only operations.

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: default-reader
rules:
  - apiGroups: [""]
    resources:
      - componentstatuses
      - events
      - endpoints
      - namespaces
      - nodes
      - persistentvolumes
      - resourcequotas
      - services
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]
```
The appropriate binding would be:
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: default-reader-role-binding
subjects:
  - kind: User
    name: "*"
roleRef:
  kind: ClusterRole
  name: default-reader
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```

**Read all**
Can be given to pseudo-admins (such as the scheduler) for read-only operations. Not given to anyone by default. It can read everything except secrets.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
```

**Cluster Administrator**
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-admin-all
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
```

**Controller Manager**
The controller manager needs access to almost all resources in Kubernetes, so it is granted top-level admin access. The controller manager is actually a super user, so it works even without a role binding.
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-controller-manager
rules:
  - apiGroups:
      # "*" in every field: full access to every resource in every API group, Secrets included
      - "*"
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
```

**Kubelet**

To spin up pods and update node and pod status, the kubelet needs the following role and binding:
```yaml
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: kubelet-runtime
rules:
  - apiGroups:
      - ""
    attributeRestrictions: null
    resources:
      - configmaps
      - persistentvolumes
      - persistentvolumeclaims
      - secrets
      - services
      - healthz
    verbs:
      - get
      - watch
      - list
  - attributeRestrictions: null
    nonResourceURLs:
      - '*'
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - ""
    attributeRestrictions: null
    resources:
      - events
      - nodes
      - nodes/status
      - pods
      - pods/status
    verbs:
      - '*'
  - attributeRestrictions: null
    nonResourceURLs:
      - '*'
    verbs:
      - '*'
```

The appropriate binding would be:
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kubelet-role-binding
subjects:
  - kind: User
    name: kubelet
roleRef:
  kind: ClusterRole
  name: kubelet-runtime
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```

* For the kubelet to check the apiserver `healthz`:
```yaml
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: healthz-reader-role
rules:
  - apiGroups:
      - ""
    resources: []
    verbs: ["get"]
  - nonResourceURLs: ["*"]
    verbs: ["get"]
```
This healthz binding is made explicit to make sure that only `healthz` is open to everyone: not only the kubelet but other monitoring systems may use `healthz` in the future, hence the grant to all users. Note that `nonResourceURLs: ["*"]` as written matches every non-resource URL, not only `/healthz`, and the `default-reader` role above already grants the same `get` to all users.
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: healthz-role-binding
subjects:
  - kind: User
    name: "*"
roleRef:
  kind: ClusterRole
  name: healthz-reader-role
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```

**Scheduler**
The scheduler needs the following role:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: scheduler
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["update"]
  - nonResourceURLs: [""]
    verbs: ["update"]
```

It also needs the following role bindings, one to `cluster-read-all` and one to `scheduler`:
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  # named distinctly from scheduler-role-binding below, which binds the scheduler ClusterRole
  name: scheduler-readall-role-binding
subjects:
  - kind: User
    name: system:scheduler
roleRef:
  kind: ClusterRole
  name: cluster-read-all
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```
and also
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: scheduler-role-binding
subjects:
  - kind: User
    name: system:scheduler
roleRef:
  kind: ClusterRole
  name: scheduler
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```

**Kube Proxy**
Needs the following:
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: kube-proxy-role
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
      - events
      - services
      - nodes
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups:
      - ""
    resources:
      - events
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
```

```yaml
# Binds the kube-proxy-role ClusterRole to the kube_proxy user.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kubeproxy-role-binding
subjects:
  - kind: User
    name: kube_proxy
roleRef:
  kind: ClusterRole
  name: kube-proxy-role
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```

**Kube System Components:**
The long-term plan should be to move components such as DNS and monitoring out of kube-system into appropriate namespaces.

The following is a `Role` and grants access only within the kube-system namespace:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  namespace: kube-system
  name: kube-system-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```

Appropriate binding:
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kube-system-sa-admin
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: Role
  namespace: kube-system
  name: kube-system-admin
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```

Cluster-wide read access, so that DNS and monitoring (running as the `default` service account in `kube-system`) work:
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kube-system-readall-role-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-read-all
  apiVersion: rbac.authorization.k8s.io/v1alpha1
```
--------------------------------------------------------------------------------
/rolebindings/default-reader-binding.yaml:
--------------------------------------------------------------------------------
# Binds the default-reader ClusterRole to every user (the "*" subject) for discovery and read-only access.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: default-reader-role-binding
subjects:
  - kind: User
    name: "*"
roleRef:
  kind: ClusterRole
  name: default-reader
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/healthz-rb.yaml:
--------------------------------------------------------------------------------
# Binds healthz-reader-role to every user so that any client (kubelet, monitoring) can GET the apiserver healthz.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: healthz-role-binding
subjects:
  - kind: User
    name: "*"
roleRef:
  kind: ClusterRole
  name: healthz-reader-role
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/kube-proxy-role-binding.yaml:
--------------------------------------------------------------------------------
# Binds the kube-proxy-role ClusterRole to the kube_proxy user.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kubeproxy-role-binding
subjects:
  - kind: User
    name: kube_proxy
roleRef:
  kind: ClusterRole
  name: kube-proxy-role
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/kube-system-admin-rb.yaml:
--------------------------------------------------------------------------------
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kube-system-sa-admin
  namespace: kube-system
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: Role
  namespace: kube-system
  name: kube-system-admin
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/kube-system-sa-read-all-rb.yaml:
--------------------------------------------------------------------------------
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kube-system-readall-role-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-read-all
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/kubelet-role-binding.yaml:
--------------------------------------------------------------------------------
# Binds the kubelet-runtime ClusterRole to the kubelet user.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: kubelet-role-binding
subjects:
  - kind: User
    name: kubelet
roleRef:
  kind: ClusterRole
  name: kubelet-runtime
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/sceduler-read-all-rb.yaml:
--------------------------------------------------------------------------------
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  # named distinctly from scheduler-role-binding.yaml, which binds the scheduler ClusterRole
  name: scheduler-readall-role-binding
subjects:
  - kind: User
    name: system:scheduler
roleRef:
  kind: ClusterRole
  name: cluster-read-all
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/scheduler-role-binding.yaml:
--------------------------------------------------------------------------------
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: scheduler-role-binding
subjects:
  - kind: User
    name: system:scheduler
roleRef:
  kind: ClusterRole
  name: scheduler
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/rolebindings/service-reader-rb.yaml:
--------------------------------------------------------------------------------
# Binds a ClusterRole named services-reader to every user ("*" subject).
# No roles/services-reader.yaml exists in this repo, so that ClusterRole must be created elsewhere before this binding takes effect.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: wildcard-services-role-binding
subjects:
  - kind: User
    name: "*"
roleRef:
  kind: ClusterRole
  name: services-reader
  apiVersion: rbac.authorization.k8s.io/v1alpha1
--------------------------------------------------------------------------------
/roles/cluster-admin.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-admin-all
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
    # Everything except secrets
    resources:
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
--------------------------------------------------------------------------------
/roles/controller-manager.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-controller-manager
rules:
  - apiGroups:
      # "*" in every field: full access to every resource in every API group, Secrets included
      - "*"
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: [""]
    verbs: ["*"]
--------------------------------------------------------------------------------
/roles/default-reader.yaml:
--------------------------------------------------------------------------------
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced.
  name: default-reader
rules:
  - apiGroups: [""]
    resources:
      - componentstatuses
      - events
      - endpoints
      - namespaces
      - nodes
      - persistentvolumes
      - resourcequotas
      - services
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]
--------------------------------------------------------------------------------
/roles/healthz-reader-role.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: healthz-reader-role
rules:
  - apiGroups:
      - ""
    resources: [""]
    verbs: ["get"]
  - nonResourceURLs: ["*"]
    verbs: ["get"]
--------------------------------------------------------------------------------
/roles/kube-proxy-role.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: kube-proxy-role
rules:
  - apiGroups:
      - ""
    resources:
      - endpoints
      - events
      - services
      - nodes
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups:
      - ""
    resources:
      - events
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
--------------------------------------------------------------------------------
/roles/kube-system-default-role.yaml:
--------------------------------------------------------------------------------
kind: Role
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  namespace: kube-system
  name: kube-system-admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
--------------------------------------------------------------------------------
/roles/kubelet-role.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: kubelet-runtime
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - persistentvolumes
      - persistentvolumeclaims
      - secrets
      - services
      - healthz
    verbs: ["get", "watch", "list"]
  - nonResourceURLs: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups:
      - ""
    resources:
      - events
      - nodes
      - nodes/status
      - pods
      - pods/status
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
--------------------------------------------------------------------------------
/roles/reader-all.yaml:
--------------------------------------------------------------------------------
---
apiVersion: rbac.authorization.k8s.io/v1alpha1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  - apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
    resources:
      # everything except secrets
      - componentstatuses
      - configmaps
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
--------------------------------------------------------------------------------
/roles/scheduler-role.yaml:
--------------------------------------------------------------------------------
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
metadata:
  name: scheduler
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["update"]
  - nonResourceURLs: [""]
    verbs: ["update"]
--------------------------------------------------------------------------------
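The roles and bindings in this repo are plain allow-lists, so their combined effect can be checked offline before anything is applied. The following is an added example, not part of the repo: it encodes a few of the README's roles and bindings as Python literals (constructed here; `cluster-read-all` is abbreviated) and applies the RBAC matching rule, which also makes visible that the `"*"` subject plus `nonResourceURLs: ["*"]` grants every user every non-resource URL, not only `/healthz`.

```python
# Added example (not part of this repo): an offline evaluator for the
# v1alpha1-style RBAC rules in the README. Roles and bindings are constructed
# here as Python literals (no YAML parser needed) and requests are matched the
# way the RBAC authorizer does: allowed if ANY rule of ANY role bound to the
# subject matches every field of the request, with "*" matching any value.

# Rules copied from the README; cluster-read-all is abbreviated to five resources.
ROLES = {
    "default-reader": [
        {"apiGroups": [""], "verbs": ["get", "watch", "list"],
         "resources": ["componentstatuses", "events", "endpoints", "namespaces",
                       "nodes", "persistentvolumes", "resourcequotas", "services"]},
        {"nonResourceURLs": ["*"], "verbs": ["get", "watch", "list"]},
    ],
    "healthz-reader-role": [
        {"apiGroups": [""], "resources": [], "verbs": ["get"]},
        {"nonResourceURLs": ["*"], "verbs": ["get"]},
    ],
    "kubelet-runtime": [
        {"apiGroups": [""], "verbs": ["get", "watch", "list"],
         "resources": ["configmaps", "persistentvolumes", "persistentvolumeclaims",
                       "secrets", "services", "healthz"]},
        {"apiGroups": [""], "verbs": ["*"],
         "resources": ["events", "nodes", "nodes/status", "pods", "pods/status"]},
    ],
    "cluster-read-all": [
        {"apiGroups": ["", "apps", "extensions"], "verbs": ["get", "watch", "list"],
         "resources": ["configmaps", "deployments", "nodes", "pods", "services"]},
    ],
}

# (subject kind, subject name, ClusterRole); User "*" is the README's wildcard subject.
BINDINGS = [
    ("User", "*", "default-reader"),
    ("User", "*", "healthz-reader-role"),
    ("User", "kubelet", "kubelet-runtime"),
    ("User", "system:scheduler", "cluster-read-all"),
]


def field_matches(allowed, value):
    """A rule field matches when it lists the value or the wildcard "*"."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, resource=None, group="", url=None):
    """Resource requests are matched on apiGroups + resources, non-resource
    requests on nonResourceURLs. Subresources are spelled "nodes/status" as in the YAML."""
    if not field_matches(rule.get("verbs", []), verb):
        return False
    if url is not None:
        return field_matches(rule.get("nonResourceURLs", []), url)
    return (field_matches(rule.get("apiGroups", []), group)
            and field_matches(rule.get("resources", []), resource))


def roles_granting(user, verb, resource=None, group="", url=None):
    """Every role bound to the user that has a rule allowing the request."""
    return [role for kind, name, role in BINDINGS
            if kind == "User" and name in ("*", user)
            and any(rule_allows(r, verb, resource, group, url) for r in ROLES[role])]


def wildcard_subject_grants():
    """Audit: for bindings whose subject is "*", list the rule fields that are
    themselves wildcards, i.e. what every user gets without restriction."""
    return [(role, sorted(k for k, v in rule.items() if "*" in v))
            for _, name, role in BINDINGS if name == "*"
            for rule in ROLES[role] if any("*" in v for v in rule.values())]
```

`roles_granting("anyone", "get", url="/metrics")` returns both wildcard-bound roles, while `roles_granting("anyone", "get", resource="secrets")` returns nothing and only the `kubelet` user can read secrets.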