github.com/jenkins-x/jx/v2@v2.1.155/pkg/kube/install_rbac.go (about)

     1  package kube
     2  
// ClusterRoleYaml renders the YAML manifest of a ClusterRole named "jx:<user>".
//
// The user value is spliced into the text verbatim in three places: the
// jx.liggitt.net/user label, the object name, and the resourceNames entry of
// the rule that allows get/patch/update on nodes and nodes/status. Nothing
// here validates or quotes it, so a value containing a newline or YAML
// metacharacters changes the structure of the document. Callers must pass a
// value that is already a valid Kubernetes object name and label value.
//
// Most rules are read-only (get/list/watch), but the role also allows, with
// no resourceNames restriction: create/get/list/watch on nodes, pods and
// secrets; create/patch/update on endpoints and serviceaccounts; and create
// on pods/binding. A subject bound to this role can therefore read every
// Secret in the cluster and should be treated as highly privileged.
func ClusterRoleYaml(user string) string {
	// Object header up to (not including) the value of the user label.
	const preamble = `apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    jx.liggitt.net/version: v0.5.0
  labels:
    jx.liggitt.net/generated: "true"
    jx.liggitt.net/user: `

	// Rules that precede the per-user node rule, ending right before the
	// single resourceNames entry that is filled with user.
	const rulesBeforeNode = `
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - limitranges
  - namespaces
  - persistentvolumeclaims
  - persistentvolumes
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - services
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - endpoints
  - serviceaccounts
  verbs:
  - create
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - get
  - patch
  - update
- apiGroups:
  - ""
  resourceNames:
  - `

	// Remainder of the node rule followed by every other rule.
	const rulesAfterNode = `
  resources:
  - nodes
  - nodes/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  - pods
  - secrets
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - persistentvolumes/status
  - pods/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods/binding
  verbs:
  - create
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - initializerconfigurations
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - deployments
  - replicasets
  - statefulsets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resourceNames:
  - expose
  resources:
  - jobs/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - certificates.k8s.io
  resources:
  - certificatesigningrequests
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - networkpolicies
  - podsecuritypolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments/status
  - replicasets/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - replicasets
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - jenkins.io
  resources:
  - environments
  - gitservices
  - pipelineactivities
  - pipelines
  - releases
  - runs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterrolebindings
  - clusterroles
  - rolebindings
  - roles
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - scheduling.k8s.io
  resources:
  - priorityclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - settings.k8s.io
  resources:
  - podpresets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resourceNames:
  - standard
  resources:
  - storageclasses
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - volumeattachments
  verbs:
  - get
  - list
  - watch`

	roleName := "jx:" + user
	return preamble + user + "\n  name: " + roleName + rulesBeforeNode + user + rulesAfterNode
}
   267  
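// RoleKubeSystemYaml renders the YAML manifest of a Role named "jx:<user>" in
// the kube-system namespace.
//
// The user value is spliced verbatim into the jx.liggitt.net/user label and
// the object name. Nothing here validates or quotes it, so a value containing
// a newline or YAML metacharacters changes the structure of the document.
// Callers must pass a value that is already a valid Kubernetes object name
// and label value.
//
// NOTE(review): the rules list configmaps and namespaces under the "apps" API
// group. Both are core-group ("") resources, and namespaces are not
// namespaced, so these rules probably match nothing. The rule set is kept as
// it was; confirm the intent before changing what is granted.
func RoleKubeSystemYaml(user string) string {
	// The manifest text deliberately starts at column 0 inside the raw string.
	// A raw string keeps every byte, and YAML does not accept tabs as
	// indentation, so the literal must not follow the Go indentation.
	return `apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  annotations:
    jx.liggitt.net/version: v0.5.0
  labels:
    jx.liggitt.net/generated: "true"
    jx.liggitt.net/user: ` + user + `
  name: jx:` + user + `
  namespace: kube-system
rules:
- apiGroups:
  - apps
  resources:
  - configmaps
  verbs:
  - create
- apiGroups:
  - apps
  resourceNames:
  - nginx-load-balancer-conf
  resources:
  - configmaps
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apps
  resourceNames:
  - kube-system
  resources:
  - namespaces
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - replicationcontrollers
  - services
  verbs:
  - create
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - replicationcontrollers/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
- apiGroups:
  - apps
  resourceNames:
  - kubernetes-dashboard
  resources:
  - deployments
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - deployments
  verbs:
  - create
- apiGroups:
  - extensions
  resourceNames:
  - kube-dns
  resources:
  - deployments
  verbs:
  - get
  - patch
  - update`
}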
   357  
   358  func RoleBindingKubeSystemYaml(user string) string {
   359  	return `apiVersion: rbac.authorization.k8s.io/v1
   360  	kind: RoleBinding
   361  	metadata:
   362  	  annotations:
   363  	    jx.liggitt.net/version: v0.5.0
   364  	  labels:
   365  	    jx.liggitt.net/generated: "true"
   366  	    jx.liggitt.net/user: ` + user + `
   367  	  name: jx:` + user + `
   368  	  namespace: kube-system
   369  	roleRef:
   370  	  apiGroup: rbac.authorization.k8s.io
   371  	  kind: Role
   372  	  name: jx:` + user + `
   373  	subjects:
   374  	- apiGroup: rbac.authorization.k8s.io
   375  	  kind: User
   376  	  name: ` + user
   377  }
   378  
   379  func ClusterRoleBindingYaml(user string) string {
   380  	return `apiVersion: rbac.authorization.k8s.io/v1
   381  		kind: ClusterRoleBinding
   382  		metadata:
   383  		  annotations:
   384  		    jx.liggitt.net/version: v0.5.0
   385  		  labels:
   386  		    jx.liggitt.net/generated: "true"
   387  		    jx.liggitt.net/user: ` + user + `
   388  		  name: jx:` + user + `
   389  		roleRef:
   390  		  apiGroup: rbac.authorization.k8s.io
   391  		  kind: ClusterRole
   392  		  name: jx:` + user + `
   393  		subjects:
   394  		- apiGroup: rbac.authorization.k8s.io
   395  		  kind: User
   396  		  name: ` + user + ``
   397  }