diff --git a/docs/PERMISSIONS.md b/docs/PERMISSIONS.md index 7e184eac6..1bd072b67 100644 --- a/docs/PERMISSIONS.md +++ b/docs/PERMISSIONS.md 
@@ -80,327 +80,9 @@ Notes: ## List of permissions -We broke down this list into few categories: +The permissions that are required to run Mizu depend on the command (`mizu tap` or `mizu-install`) and on the configuration. +By default Mizu requires cluster-wide permissions. +If these are not available to the user, it is possible to run Mizu in namespace-restricted mode which has a reduced set of requirements. +This is done by by setting the `mizu-resources-namespace` config option. See [configuration](CONFIGURATION.md) for instructions. -- Required - what is needed for `mizu` to run properly on your k8s cluster -- Optional - permissions needed for proper name resolving for service & pod IPs - - addition required for policy validation - -### Required permissions - -Mizu needs following permissions on your Kubernetes cluster to run properly - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - create - - patch - - delete -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -``` - -#### Permissions required running with install command or (optional) for service / pod name resolving - -Mandatory permissions for running with install command. 
- -Optional for service/pod name resolving in non install standalone - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - create - - patch - - delete -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterroles - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - clusterrolebindings - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - get - - create - - delete -- apiGroups: - - apps - - extensions - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - apps - - extensions - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - - apps - - extensions - resources: - - endpoints - verbs: - - get - - list - - watch -``` - -#### Permissions for Policy rules validation feature (opt) - -Optionally, in order to use the policy rules validation feature, Mizu requires the following additional permissions: - -```yaml -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - create - - delete -``` - -- - - - -#### Namespace-Restricted mode - -Alternatively, in order to restrict Mizu to one namespace only (by setting `agent.namespace` in the config file), Mizu needs the following permissions in that namespace: - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - 
watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - create - - patch - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -``` - -##### Name resolving in Namespace-Restricted mode (opt) - -To restrict Mizu to one namespace while also resolving IPs, Mizu needs the following permissions in that namespace: - -```yaml -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - create - - delete -- apiGroups: - - apps - resources: - - daemonsets - verbs: - - get - - create - - patch - - delete -- apiGroups: - - "" - resources: - - services/proxy - verbs: - - get -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - verbs: - - get - - create - - delete -- apiGroups: - - rbac.authorization.k8s.io - resources: - - rolebindings - verbs: - - get - - create - - delete -- apiGroups: - - apps - - extensions - resources: - - pods - verbs: - - get - - list - - watch -- apiGroups: - - apps - - extensions - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - - apps - - extensions - resources: - - endpoints - verbs: - - get - - list - - watch -``` +The different requirements are listed in [the example roles dir](../examples/roles) diff --git a/examples/roles/permissions-all-namespaces-daemon.yaml b/examples/roles/permissions-all-namespaces-daemon.yaml deleted file mode 100644 index 99d36110e..000000000 --- a/examples/roles/permissions-all-namespaces-daemon.yaml +++ /dev/null 
@@ -1,67 +0,0 @@
-# This example shows the roles required for a user to be able to use Mizu in all namespaces.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-clusterrole
-rules:
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "delete"]
- - apiGroups: [ "apps" ]
- resources: [ "deployments" ]
- verbs: [ "get", "create", "delete" ]
- - apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["get", "create", "patch", "delete", "list"]
- - apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["services/proxy"]
- verbs: ["get"]
- - apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "create", "delete"]
- - apiGroups: [""]
- resources: ["serviceaccounts"]
- verbs: ["get", "create", "delete"]
- - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["get", "create", "delete"]
- - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterrolebindings"]
- verbs: ["get", "create", "delete"]
- - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles"]
- verbs: ["get", "create", "delete"]
- - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
- verbs: ["get", "create", "delete"]
- - apiGroups: ["apps", "extensions"]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["apps", "extensions"]
- resources: ["services"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["", "apps", "extensions"]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch"]
- - apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list", "watch"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-clusterrolebindings
-subjects:
- - kind: User
- name: user1
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: mizu-runner-clusterrole
- apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-all-namespaces-debug-optional.yaml b/examples/roles/permissions-all-namespaces-debug-optional.yaml
new file mode 100644
index 000000000..8ed2c0881
--- /dev/null
+++ b/examples/roles/permissions-all-namespaces-debug-optional.yaml
@@ -0,0 +1,26 @@
+# This example shows permissions that enrich the logs with additional info
+# Optional with `mizu tap` or `mizu-install`
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-debug-clusterrole
+rules:
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["watch"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-debug-clusterrolebindings
+subjects:
+- kind: User
+ name: user1
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: mizu-runner-debug-clusterrole
+ apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-all-namespaces-install.yaml b/examples/roles/permissions-all-namespaces-install.yaml
new file mode 100644
index 000000000..69573e95d
--- /dev/null
+++ b/examples/roles/permissions-all-namespaces-install.yaml
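Review bot: The `events` rule in permissions-all-namespaces-debug-optional.yaml grants only `watch` (`verbs: ["watch"]`) and the `pods` rule only `get`; that is fine for a raw watch call, but if the agent consumes events through a client-go informer (list then watch) the initial list would be forbidden, so the header comment should state which access pattern the verbs were sized for. The header also spells the command as `mizu-install` while permissions-all-namespaces-install.yaml in this same diff spells it `mizu install`; permissions-ns-debug-optional.yaml further down has the same two points, with `mizu-tap` versus `mizu tap`. Suggested second header line: `# Optional with `mizu tap` or `mizu install`; events are read with a plain watch, so no list verb is needed` (adjust if an informer is used).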
@@ -0,0 +1,49 @@
+# This example shows the permissions that are required in order to run the `mizu install` command
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["create"]
+- apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["create"]
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+- apiGroups: ["apps", "extensions"]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: [""]
+ resources: ["services/proxy"]
+ verbs: ["get", "create"]
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles"]
+ verbs: ["create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["rolebindings"]
+ verbs: ["create"]
+- apiGroups: ["apps"]
+ resources: ["daemonsets"]
+ verbs: ["get", "list", "create", "patch", "delete"]
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["list"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-clusterrolebindings
+subjects:
+- kind: User
+ name: user1
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: mizu-runner-clusterrole
+ apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml b/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml
new file mode 100644
index 000000000..6d6d658d9
--- /dev/null
+++ b/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml
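Review bot: The rule `apiGroups: ["apps", "extensions"]` / `resources: ["namespaces"]` / `verbs: ["get", "list", "watch"]` can never match a request, because `namespaces` exists only in the core (`""`) API group; it reads like a copy of the pods/services pattern from the older files and should be removed or corrected to the resource actually intended. Separately, `services/proxy` carries `create` and `namespaces` carries `delete`, both cluster-wide; since this example is meant to be applied verbatim, a comment per rule naming the Mizu operation that needs the verb would let readers trim what they do not use. Only `create` is granted on `deployments`, `configmaps`, `roles` and `rolebindings` with no `delete`, which presumably relies on namespace deletion for cleanup; if `mizu install` ever removes those objects individually the role is insufficient, so the cleanup assumption is worth stating in the header comment.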
@@ -0,0 +1,38 @@
+# This example shows permissions that are required for Mizu to resolve IPs to service names
+# Optional with `mizu tap` or `mizu-install`
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-resolver-clusterrole
+rules:
+- apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["get", "list", "create", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterrolebindings"]
+ verbs: ["get", "list", "create", "delete"]
+- apiGroups: ["", "apps", "extensions"]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["", "apps", "extensions"]
+ resources: ["services"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["", "apps", "extensions"]
+ resources: ["endpoints"]
+ verbs: ["get", "list", "watch"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-resolver-clusterrolebindings
+subjects:
+- kind: User
+ name: user1
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: mizu-resolver-clusterrole
+ apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-all-namespaces-persistency-optional.yaml b/examples/roles/permissions-all-namespaces-persistency-optional.yaml
new file mode 100644
index 000000000..358432726
--- /dev/null
+++ b/examples/roles/permissions-all-namespaces-persistency-optional.yaml
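Review bot: The `clusterroles` and `clusterrolebindings` rules grant `create` and `delete` across the whole cluster, presumably so Mizu can provision the resolver's own service account and RBAC; Kubernetes' escalation-prevention check keeps such created roles within what the binder already holds, but `delete` is not bounded that way and nothing in the file says why the user needs it. If the resolver's ClusterRole and ClusterRoleBinding names are static, `get` and `delete` should be confined with `resourceNames` (this cannot be done for `create`, whose object name is unknown at authorization time), and the header should state what the remaining verbs are for. The namespaced counterpart permissions-ns-ip-resolution-optional.yaml further down has the same shape and additionally grants `list` and `delete` on `serviceaccounts`, which this cluster-wide variant does not — the two modes should agree or the difference should be documented. The `"apps"` and `"extensions"` entries on the `pods`/`services`/`endpoints` rules are harmless but inert, since only the core group serves those resources.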
@@ -0,0 +1,26 @@
+# This example shows permissions that are required for persistency with `mizu install` command
+# Optional with `mizu-install`
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-persistency-clusterrole
+rules:
+- apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["list"]
+- apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["create"]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-persistent-clusterrolebindings
+subjects:
+- kind: User
+ name: user1
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: mizu-runner-persistency-clusterrole
+ apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-all-namespaces-without-ip-resolution.yaml b/examples/roles/permissions-all-namespaces-tap.yaml
similarity index 60%
rename from examples/roles/permissions-all-namespaces-without-ip-resolution.yaml
rename to examples/roles/permissions-all-namespaces-tap.yaml
index 0a743e776..3f038e179 100644
--- a/examples/roles/permissions-all-namespaces-without-ip-resolution.yaml
+++ b/examples/roles/permissions-all-namespaces-tap.yaml
@@ -1,5 +1,4 @@
-# This example shows the roles required for a user to be able to use Mizu in all namespaces with IP resolution disabled.
-# (Traffic will be recorded, but Mizu will not translate IP addresses to names)
+# This example shows the permissions that are required in order to run the `mizu tap` command
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
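Review bot: The ClusterRoleBinding in permissions-all-namespaces-persistency-optional.yaml is named `mizu-runner-persistent-clusterrolebindings` while the role it references is `mizu-runner-persistency-clusterrole`; every other example file uses one stem for both objects, so this should read `name: mizu-runner-persistency-clusterrolebindings`. The two header lines also disagree with each other on the command spelling (`mizu install` then `mizu-install`). `persistentvolumeclaims` gets only `create`; if the claim is meant to outlive the namespace or be removed by anything other than namespace deletion, `delete` is missing, so the intended lifecycle deserves a one-line comment on that rule.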
@@ -7,25 +6,22 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["pods"]
- verbs: ["list", "watch", "create", "delete"]
+ verbs: ["list", "watch", "create"]
 - apiGroups: [""]
 resources: ["services"]
- verbs: ["create", "delete"]
+ verbs: ["get", "create"]
 - apiGroups: ["apps"]
 resources: ["daemonsets"]
- verbs: ["create", "patch", "delete"]
+ verbs: ["create", "patch"]
 - apiGroups: [""]
 resources: ["namespaces"]
- verbs: ["get", "list", "watch", "create", "delete"]
+ verbs: ["list", "watch", "create", "delete"]
 - apiGroups: [""]
 resources: ["services/proxy"]
- verbs: ["get"]
+ verbs: ["get", "create"]
 - apiGroups: [""]
 resources: ["configmaps"]
- verbs: ["get", "create", "delete"]
- - apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list", "watch"]
+ verbs: ["create"]
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/examples/roles/permissions-all-namespaces.yaml b/examples/roles/permissions-all-namespaces.yaml
deleted file mode 100644
index 7b8b065ee..000000000
--- a/examples/roles/permissions-all-namespaces.yaml
+++ /dev/null
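Review bot: `services/proxy` gains `create` (`+ verbs: ["get", "create"]`) with no comment saying which call needs it; because this is a ClusterRole, the verb authorizes POST requests through the API-server proxy to any Service in any namespace, not only Mizu's, so the reason (presumably the CLI talking to the proxied agent) belongs next to the rule. `delete` is removed from `pods`, `services`, `daemonsets` and `configmaps` but kept on `namespaces`, which implies cleanup works by deleting the whole Mizu namespace; if so, say it in the header, since cluster-wide namespace deletion is the single most consequential verb in the file and readers applying the example verbatim should know why it is there. The `get` verb is also dropped from `namespaces` here while permissions-all-namespaces-install.yaml in this diff keeps it; if both commands share the namespace-handling code one of them is wrong.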
@@ -1,64 +0,0 @@
-# This example shows the roles required for a user to be able to use Mizu in all namespaces.
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-clusterrole
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["create", "patch", "delete"]
-- apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: [""]
- resources: ["services/proxy"]
- verbs: ["get"]
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "create", "delete"]
-- apiGroups: [""]
- resources: ["serviceaccounts"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterroles"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["clusterrolebindings"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["apps", "extensions"]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["apps", "extensions"]
- resources: ["services"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list", "watch"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-clusterrolebindings
-subjects:
-- kind: User
- name: user1
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: mizu-runner-clusterrole
- apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-ns-daemon.yaml b/examples/roles/permissions-ns-daemon.yaml
deleted file mode 100644
index 0ab880f11..000000000
--- a/examples/roles/permissions-ns-daemon.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# This example shows the roles required for a user to be able to use Mizu in a single namespace.
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-role
- namespace: user1
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "delete"]
-- apiGroups: [ "apps" ]
- resources: [ "deployments" ]
- verbs: [ "get", "create", "delete" ]
-- apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["get", "create", "patch", "delete", "list"]
-- apiGroups: [""]
- resources: ["services/proxy"]
- verbs: ["get"]
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "create", "delete"]
-- apiGroups: [""]
- resources: ["serviceaccounts"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["apps", "extensions", ""]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["apps", "extensions"]
- resources: ["services"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list", "watch"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-rolebindings
- namespace: user1
-subjects:
-- kind: User
- name: user1
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: mizu-runner-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-ns-debug-optional.yaml b/examples/roles/permissions-ns-debug-optional.yaml
new file mode 100644
index 000000000..fafe1e4d5
--- /dev/null
+++ b/examples/roles/permissions-ns-debug-optional.yaml
@@ -0,0 +1,28 @@
+# This example shows permissions that enrich the logs with additional info in namespace-restricted mode
+# Optional with `mizu-tap`
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-debug-role
+ namespace: user1
+rules:
+- apiGroups: ["events.k8s.io"]
+ resources: ["events"]
+ verbs: ["watch"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-runner-debug-rolebindings
+ namespace: user1
+subjects:
+- kind: User
+ name: user1
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: mizu-runner-debug-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-ns-ip-resolution-optional.yaml b/examples/roles/permissions-ns-ip-resolution-optional.yaml
new file mode 100644
index 000000000..8c11e501d
--- /dev/null
+++ b/examples/roles/permissions-ns-ip-resolution-optional.yaml
@@ -0,0 +1,40 @@
+# This example shows permissions that are required for Mizu to resolve IPs to service names in namespace-restricted mode
+# Optional with `mizu-tap`
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-resolver-role
+ namespace: user1
+rules:
+- apiGroups: [""]
+ resources: ["serviceaccounts"]
+ verbs: ["get", "list", "create", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles"]
+ verbs: ["get", "list", "create", "delete"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["rolebindings"]
+ verbs: ["get", "list", "create", "delete"]
+- apiGroups: ["", "apps", "extensions"]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["", "apps", "extensions"]
+ resources: ["services"]
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["", "apps", "extensions"]
+ resources: ["endpoints"]
+ verbs: ["get", "list", "watch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mizu-resolver-rolebindings
+ namespace: user1
+subjects:
+- kind: User
+ name: user1
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: mizu-resolver-role
+ apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-ns-without-ip-resolution.yaml b/examples/roles/permissions-ns-tap.yaml
similarity index 68%
rename from examples/roles/permissions-ns-without-ip-resolution.yaml
rename to examples/roles/permissions-ns-tap.yaml
index 24bc0d822..462e6d5bc 100644
--- a/examples/roles/permissions-ns-without-ip-resolution.yaml
+++ b/examples/roles/permissions-ns-tap.yaml
@@ -1,4 +1,4 @@
-# This example shows the roles required for a user to be able to use Mizu in a single namespace with IP resolution disabled.
+# This example shows the permissions that are required in order to run the `mizu tap` command in namespace-restricted mode
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -7,22 +7,19 @@ metadata:
 rules:
 - apiGroups: [""]
 resources: ["pods"]
- verbs: ["get", "list", "watch", "create", "delete"]
+ verbs: ["list", "watch", "create"]
 - apiGroups: [""]
 resources: ["services"]
 verbs: ["get", "create", "delete"]
 - apiGroups: ["apps"]
 resources: ["daemonsets"]
- verbs: ["get", "create", "patch", "delete"]
+ verbs: ["create", "patch", "delete"]
 - apiGroups: [""]
 resources: ["services/proxy"]
- verbs: ["get"]
+ verbs: ["get", "create", "delete"]
 - apiGroups: [""]
 resources: ["configmaps"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list", "watch"]
+ verbs: ["create", "delete"]
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/examples/roles/permissions-ns-with-validation.yaml b/examples/roles/permissions-ns-with-validation.yaml
deleted file mode 100644
index a3e3eceb2..000000000
--- a/examples/roles/permissions-ns-with-validation.yaml
+++ /dev/null
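Review bot: `services/proxy` becomes `get, create, delete` here (`+ verbs: ["get", "create", "delete"]`) while the cluster-wide permissions-all-namespaces-tap.yaml in this same diff grants only `get, create` for the same command; either `delete` is needed by a code path both modes share and is missing there, or it is surplus here, and the asymmetry should be resolved or explained in a comment. The same disagreement exists for `configmaps` (`create, delete` here, `create` only cluster-wide) and for `services` (keeps `delete` here). A one-line comment on each rule stating which Mizu operation needs each verb would make this set reviewable against the code. The enclosing `rules:` block starts on the hunk's first line and the RoleBinding continues outside the hunk.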
@@ -1,57 +0,0 @@
-# This example shows the roles required for a user to be able to use Mizu in a single namespace.
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-role
- namespace: user1
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["get", "create", "patch", "delete"]
-- apiGroups: [""]
- resources: ["services/proxy"]
- verbs: ["get"]
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["get", "create", "delete"]
-- apiGroups: [""]
- resources: ["serviceaccounts"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["apps", "extensions"]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["apps", "extensions"]
- resources: ["services"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list", "watch"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-rolebindings
- namespace: user1
-subjects:
-- kind: User
- name: user1
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: mizu-runner-role
- apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-ns.yaml b/examples/roles/permissions-ns.yaml
deleted file mode 100644
index 6974ab50f..000000000
--- a/examples/roles/permissions-ns.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-# This example shows the roles required for a user to be able to use Mizu in a single namespace.
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-role
- namespace: user1
-rules:
-- apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: [""]
- resources: ["services"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["get", "create", "patch", "delete"]
-- apiGroups: [""]
- resources: ["services/proxy"]
- verbs: ["get"]
-- apiGroups: [ "" ]
- resources: [ "configmaps" ]
- verbs: [ "get", "create", "delete" ]
-- apiGroups: [""]
- resources: ["serviceaccounts"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
- verbs: ["get", "create", "delete"]
-- apiGroups: ["apps", "extensions"]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["apps", "extensions"]
- resources: ["services"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["", "apps", "extensions"]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch"]
-- apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list", "watch"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-rolebindings
- namespace: user1
-subjects:
-- kind: User
- name: user1
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: mizu-runner-role
- apiGroup: rbac.authorization.k8s.io