diff --git a/docs/PERMISSIONS.md b/docs/PERMISSIONS.md
index 1bd072b67..0574cdfd0 100644
--- a/docs/PERMISSIONS.md
+++ b/docs/PERMISSIONS.md
@@ -80,7 +80,7 @@ Notes:
 ## List of permissions
-The permissions that are required to run Mizu depend on the command (`mizu tap` or `mizu-install`) and on the configuration.
+The permissions that are required to run Mizu depend on the configuration.
 By default Mizu requires cluster-wide permissions. If these are not available to the user, it is possible to run Mizu in namespace-restricted mode which has a reduced set of requirements. This is done by by setting the `mizu-resources-namespace` config option. See [configuration](CONFIGURATION.md) for instructions.
diff --git a/examples/roles/permissions-all-namespaces-debug-optional.yaml b/examples/roles/permissions-all-namespaces-debug-optional.yaml
index 8ed2c0881..b13583cac 100644
--- a/examples/roles/permissions-all-namespaces-debug-optional.yaml
+++ b/examples/roles/permissions-all-namespaces-debug-optional.yaml
@@ -1,5 +1,4 @@
 # This example shows permissions that enrich the logs with additional info
-# Optional with `mizu tap` or `mizu-install`
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/examples/roles/permissions-all-namespaces-install.yaml b/examples/roles/permissions-all-namespaces-install.yaml
deleted file mode 100644
index 69573e95d..000000000
--- a/examples/roles/permissions-all-namespaces-install.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-# This example shows the permissions that are required in order to run the `mizu install` command
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-clusterrole
-rules:
-- apiGroups: [""]
- resources: ["services"]
- verbs: ["create"]
-- apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["create"]
-- apiGroups: [""]
- resources: ["namespaces"]
- verbs: ["get", "list", "watch", "create", "delete"]
-- apiGroups: ["apps", "extensions"]
- resources: ["namespaces"]
- verbs: ["get", "list", "watch"]
-- apiGroups: [""]
- resources: ["services/proxy"]
- verbs: ["get", "create"]
-- apiGroups: [""]
- resources: ["configmaps"]
- verbs: ["create"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles"]
- verbs: ["create"]
-- apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["rolebindings"]
- verbs: ["create"]
-- apiGroups: ["apps"]
- resources: ["daemonsets"]
- verbs: ["get", "list", "create", "patch", "delete"]
-- apiGroups: ["events.k8s.io"]
- resources: ["events"]
- verbs: ["list"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-clusterrolebindings
-subjects:
-- kind: User
- name: user1
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: mizu-runner-clusterrole
- apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml b/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml
index 6d6d658d9..35580bcb4 100644
--- a/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml
+++ b/examples/roles/permissions-all-namespaces-ip-resolution-optional.yaml
@@ -1,5 +1,4 @@
 # This example shows permissions that are required for Mizu to resolve IPs to service names
-# Optional with `mizu tap` or `mizu-install`
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/examples/roles/permissions-all-namespaces-persistency-optional.yaml b/examples/roles/permissions-all-namespaces-persistency-optional.yaml
deleted file mode 100644
index 358432726..000000000
--- a/examples/roles/permissions-all-namespaces-persistency-optional.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-# This example shows permissions that are required for persistency with `mizu install` command
-# Optional with `mizu-install`
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-persistency-clusterrole
-rules:
-- apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["list"]
-- apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["create"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: mizu-runner-persistent-clusterrolebindings
-subjects:
-- kind: User
- name: user1
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: ClusterRole
- name: mizu-runner-persistency-clusterrole
- apiGroup: rbac.authorization.k8s.io
diff --git a/examples/roles/permissions-ns-debug-optional.yaml b/examples/roles/permissions-ns-debug-optional.yaml
index fafe1e4d5..d1ea290a4 100644
--- a/examples/roles/permissions-ns-debug-optional.yaml
+++ b/examples/roles/permissions-ns-debug-optional.yaml
@@ -1,5 +1,4 @@
 # This example shows permissions that enrich the logs with additional info in namespace-restricted mode
-# Optional with `mizu-tap`
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/examples/roles/permissions-ns-ip-resolution-optional.yaml b/examples/roles/permissions-ns-ip-resolution-optional.yaml
index 8c11e501d..96a85cc00 100644
--- a/examples/roles/permissions-ns-ip-resolution-optional.yaml
+++ b/examples/roles/permissions-ns-ip-resolution-optional.yaml
@@ -1,5 +1,4 @@
 # This example shows permissions that are required for Mizu to resolve IPs to service names in namespace-restricted mode
-# Optional with `mizu-tap`
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata: