# Apply this manifest with:
# $ kubectl apply -f rbac-setup.yaml --as=admin --as-group=system:masters
#
# --as / --as-group make kubectl impersonate the given user and group, so the
# caller must itself hold `impersonate` permission for them. system:masters
# has unrestricted access to the API server; any identity that is already
# allowed to create the objects below (including passing the RBAC escalation
# check on the ClusterRoles) can apply the file without impersonation.
#
# Namespace that holds the Stackdriver agent components.
apiVersion: v1
kind: Namespace
metadata:
  name: stackdriver-agents
---
# ConfigMap that supplies the value for GOOGLE_APPLICATION_CREDENTIALS.
# credentials_path carries a file path only and is empty by default.
# ConfigMaps are not meant for confidential data, so the credential file
# itself belongs in a Secret (or another credential mechanism), not here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: google-cloud-config
  namespace: stackdriver-agents
data:
  credentials_path: ""
---
# ConfigMap that supplies the CLUSTER_NAME and CLUSTER_LOCATION environment
# variables. Both values are empty strings here and have to be filled in for
# the target cluster before they are useful.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-config
  namespace: stackdriver-agents
data:
  cluster_name: ""
  cluster_location: ""
---
# ServiceAccount identity for the Metadata Agent. It carries no permissions
# of its own; they come from the ClusterRoleBinding
# stackdriver-user:metadata-agent, which names this account as its subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: stackdriver-agents
  name: metadata-agent
---
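# ClusterRole for the Metadata Agent: read-only (get/list/watch) access to
# every resource in every API group.
#
# NOTE(review): the '*' / '*' rule also matches Secrets and any custom
# resources, so a holder of the metadata-agent ServiceAccount token can read
# all of them. Replace the wildcards with the explicit list of resources the
# agent watches once that list is confirmed.
#
# A ClusterRole is cluster-scoped, so metadata.namespace is omitted: the API
# server clears it, and leaving it in wrongly suggests that the grant is
# limited to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stackdriver-user:metadata-agent
rules:
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch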
---
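# ClusterRoleBinding that grants the stackdriver-user:metadata-agent
# ClusterRole to the metadata-agent ServiceAccount. Because this is a
# ClusterRoleBinding rather than a RoleBinding, the role's rules apply in
# every namespace, not only in stackdriver-agents.
#
# The binding is cluster-scoped, so it carries no metadata.namespace (the API
# server clears that field). The namespace under subjects is different: it is
# required there and identifies which ServiceAccount receives the role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stackdriver-user:metadata-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackdriver-user:metadata-agent
subjects:
  - kind: ServiceAccount
    name: metadata-agent
    namespace: stackdriver-agents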
---
# ServiceAccount identity for the Logging Agent. Its permissions come from
# the ClusterRoleBinding stackdriver-user:logging-agent, which names this
# account as its subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: stackdriver-agents
  name: logging-agent
---
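# ClusterRole for the Logging Agent's filter_kubernetes_metadata plugin:
# read-only (get/list/watch) access to pods and namespaces in the core API
# group (""). No other resources are granted.
#
# A ClusterRole is cluster-scoped, so metadata.namespace is omitted: the API
# server clears it, and leaving it in wrongly suggests that the grant is
# limited to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stackdriver-user:logging-agent
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - namespaces
    verbs:
      - get
      - list
      - watch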
---
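# ClusterRoleBinding that grants the stackdriver-user:logging-agent
# ClusterRole to the logging-agent ServiceAccount. Because this is a
# ClusterRoleBinding rather than a RoleBinding, the role's rules apply in
# every namespace.
#
# The binding is cluster-scoped, so it carries no metadata.namespace (the API
# server clears that field). The namespace under subjects is required and
# identifies which ServiceAccount receives the role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stackdriver-user:logging-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackdriver-user:logging-agent
subjects:
  - kind: ServiceAccount
    name: logging-agent
    namespace: stackdriver-agents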
---
# ServiceAccount identity for Heapster. Its permissions come from the
# ClusterRoleBinding stackdriver-user:heapster, which names this account as
# its subject.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: stackdriver-agents
  name: heapster
---
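# ClusterRole for Heapster: read-only (get/list/watch) access to the listed
# core-group resources and to deployments in the extensions group.
#
# A ClusterRole is cluster-scoped, so metadata.namespace is omitted: the API
# server clears it, and leaving it in wrongly suggests that the grant is
# limited to one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stackdriver-user:heapster
rules:
  - apiGroups:
      - ""
    resources:
      - events
      - namespaces
      - nodes
      # Subresources are not implied by their parent resource in RBAC, so
      # nodes/stats has to be listed in addition to nodes.
      - nodes/stats
      - pods
    verbs:
      - get
      - list
      - watch
  # NOTE(review): Deployments are served from the `apps` group on current
  # clusters (extensions/v1beta1 Deployments were removed in Kubernetes 1.16).
  # Confirm whether this rule still matches anything on the target cluster
  # before relying on it or widening it.
  - apiGroups:
      - extensions
    resources:
      - deployments
    verbs:
      - get
      - list
      - watch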
---
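# ClusterRoleBinding that grants the stackdriver-user:heapster ClusterRole to
# the heapster ServiceAccount. Because this is a ClusterRoleBinding rather
# than a RoleBinding, the role's rules apply in every namespace.
#
# The binding is cluster-scoped, so it carries no metadata.namespace (the API
# server clears that field). The namespace under subjects is required and
# identifies which ServiceAccount receives the role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stackdriver-user:heapster
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stackdriver-user:heapster
subjects:
  - kind: ServiceAccount
    name: heapster
    namespace: stackdriver-agents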