From 33d31e4a558597d0135caec73f600b8fbe5dfe6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marko=20Mudrini=C4=87?=
Date: Tue, 19 Jun 2018 09:35:26 +0200
Subject: [PATCH] sample-apiserver: Add RBAC roles and ClusterRoleBindings for Admission Webhooks
---
.../artifacts/example/rbac-bind.yaml | 12 ++++++++++++
.../sample-apiserver/artifacts/example/rbac.yaml | 11 +++++++++++
.../sample-apiserver/docs/minikube-walkthrough.md | 4 ++++
3 files changed, 27 insertions(+)
create mode 100644 staging/src/k8s.io/sample-apiserver/artifacts/example/rbac-bind.yaml
create mode 100644 staging/src/k8s.io/sample-apiserver/artifacts/example/rbac.yaml
diff --git a/staging/src/k8s.io/sample-apiserver/artifacts/example/rbac-bind.yaml b/staging/src/k8s.io/sample-apiserver/artifacts/example/rbac-bind.yaml
new file mode 100644
index 00000000000..00f7847f2ff
--- /dev/null
+++ b/staging/src/k8s.io/sample-apiserver/artifacts/example/rbac-bind.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: sample-apiserver-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: aggregated-apiserver-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: apiserver
+ namespace: wardle
\ No newline at end of file
diff --git a/staging/src/k8s.io/sample-apiserver/artifacts/example/rbac.yaml b/staging/src/k8s.io/sample-apiserver/artifacts/example/rbac.yaml
new file mode 100644
index 00000000000..ef1c57c8305
--- /dev/null
+++ b/staging/src/k8s.io/sample-apiserver/artifacts/example/rbac.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: aggregated-apiserver-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "watch", "list"]
+- apiGroups: ["admissionregistration.k8s.io"]
+ resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
+ verbs: ["get", "watch", "list"]
\ No newline at end of file
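Review bot: The `roleRef` in rbac-bind.yaml points at the cluster-scoped name `aggregated-apiserver-clusterrole`, which is generic enough to collide with a role installed by another aggregated API server; in that case this binding would give the `apiserver` ServiceAccount in `wardle` whatever that other role grants. A binding's `roleRef` cannot be edited after creation, so a sample-specific name is cheaper to choose now, for example `name: sample-apiserver-clusterrole` here and in rbac.yaml. A comment above `subjects:` such as `# must match the ServiceAccount created from sa.yaml in namespace wardle` would make the coupling to the walkthrough explicit. Both new files (this one and rbac.yaml) also end without a final newline.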
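Review bot: The two rules in rbac.yaml carry no comment saying which component needs them, so a later editor cannot tell whether a resource can be dropped or why the verbs must stay narrow. Both rules are read-only (`get`, `watch`, `list`) on cluster-scoped resources, and the commit subject ties them to admission webhooks; I would record that at the top of the file, e.g. `# Read-only access needed by the aggregated apiserver's admission webhook support.`, and add `# read-only on purpose; do not add write verbs here` above `rules:`. Whether the `namespaces` rule serves the webhooks' namespace selectors or another admission plugin is not visible here and is worth stating in that comment. As a style point, rbac-bind.yaml lists `apiVersion` before `kind` while this file lists `kind` first; one order across the example manifests reads better.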
diff --git a/staging/src/k8s.io/sample-apiserver/docs/minikube-walkthrough.md b/staging/src/k8s.io/sample-apiserver/docs/minikube-walkthrough.md index c5ca1ecd129..0a5bfd8459b 100644 --- a/staging/src/k8s.io/sample-apiserver/docs/minikube-walkthrough.md +++ b/staging/src/k8s.io/sample-apiserver/docs/minikube-walkthrough.md @@ -78,6 +78,10 @@ kubectl create -f artifacts/example/sa.yaml -n wardle kubectl create -f artifacts/example/auth-delegator.yaml -n kube-system kubectl create -f artifacts/example/auth-reader.yaml -n kube-system +# create rbac roles and clusterrolebinding that allow the service account user to use admission webhooks +kubectl create -f artifacts/example/rbac.yaml +kubectl create -f artifacts/example/rbac-bind.yaml + # create the service and replication controller kubectl create -f artifacts/example/rc.yaml -n wardle kubectl create -f artifacts/example/service.yaml -n wardle