openshift-resource-governance/k8s/rbac.yaml


---
# Identity used by the resource-governance workload. This manifest binds it
# to two ClusterRoles (resource-governance-role and cluster-monitoring-view),
# so any pod running under this ServiceAccount holds those cluster-wide
# rights. Only the governance workload should reference it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: resource-governance-sa
  namespace: resource-governance
  labels:
    app.kubernetes.io/name: resource-governance
    app.kubernetes.io/component: governance
---
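# Permissions for the resource-governance workload.
# RBAC rules are additive and unordered: the effective grant for a resource
# is the union of every rule that names it. Each resource therefore appears
# in exactly one rule below, so the verbs shown are the verbs granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: resource-governance-role
  labels:
    app.kubernetes.io/name: resource-governance
    app.kubernetes.io/component: governance
rules:
  # --- Read-only rules ---------------------------------------------------
  # List and read namespaces
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list", "watch"]
  # List and read nodes
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  # Read VPA (Vertical Pod Autoscaler) objects
  - apiGroups: ["autoscaling.k8s.io"]
    resources: ["verticalpodautoscalers"]
    verbs: ["get", "list", "watch"]
  # Read storage objects (PVCs, PVs and StorageClasses)
  - apiGroups: [""]
    resources: ["persistentvolumeclaims", "persistentvolumes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  # Events: read, plus create so the workload can record its own events
  # (used for logging)
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["get", "list", "watch", "create"]

  # --- Rules that include write verbs ------------------------------------
  # When this role is bound with a ClusterRoleBinding, the patch/update
  # verbs below apply in every namespace of the cluster.
  #
  # Deployments and ReplicaSets: read plus patch/update, used to apply
  # recommendations.
  # NOTE(review): ReplicaSets owned by a Deployment are normally changed
  # through the Deployment; confirm that replicasets needs more than
  # get/list/watch.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "patch", "update"]
  # Pods: read plus patch/update, used to apply recommendations.
  # A separate read-only pods rule would add nothing to this one and would
  # hide from a reader that the effective grant on pods includes writes.
  # NOTE(review): patch/update on pods lets the holder modify live pod
  # objects, including those in platform namespaces. If recommendations are
  # applied through the owning Deployment, reduce this rule to
  # get/list/watch; otherwise consider granting the write verbs per
  # namespace with RoleBindings instead of cluster-wide.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "patch", "update"]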
---
# Grants resource-governance-role to the governance ServiceAccount.
# Because this is a ClusterRoleBinding (not a namespaced RoleBinding), every
# rule in that role, including its patch/update verbs, applies in all
# namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: resource-governance-binding
  labels:
    app.kubernetes.io/name: resource-governance
    app.kubernetes.io/component: governance
# roleRef cannot be changed after creation; to point at a different role the
# binding has to be deleted and recreated.
roleRef:
  kind: ClusterRole
  name: resource-governance-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: resource-governance-sa
    namespace: resource-governance
---
# ClusterRoleBinding that lets the governance ServiceAccount access
# Prometheus.
# cluster-monitoring-view is not defined in this manifest; it must already
# exist on the cluster (presumably the role shipped with the OpenShift
# monitoring stack - confirm). The binding is cluster-scoped, so the access
# it gives is not limited to the resource-governance namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: resource-governance-monitoring
  labels:
    app.kubernetes.io/name: resource-governance
    app.kubernetes.io/component: governance
roleRef:
  kind: ClusterRole
  name: cluster-monitoring-view
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: resource-governance-sa
    namespace: resource-governance