mirror of
https://github.com/rancher/rke.git
synced 2025-04-27 11:21:08 +00:00
132 lines
2.8 KiB
Go
132 lines
2.8 KiB
Go
package templates
|
|
|
|
const (
|
|
KubeAPIClusterRole = `
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: proxy-clusterrole-kubeapiserver
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources:
|
|
- nodes/metrics
|
|
- nodes/proxy
|
|
- nodes/stats
|
|
- nodes/log
|
|
- nodes/spec
|
|
verbs: ["get", "list", "watch", "create"]`
|
|
KubeAPIClusterRoleBinding = `
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: proxy-role-binding-kubernetes-master
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: proxy-clusterrole-kubeapiserver
|
|
subjects:
|
|
- apiGroup: rbac.authorization.k8s.io
|
|
kind: User
|
|
name: kube-apiserver`
|
|
SystemNodeClusterRoleBinding = `
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
annotations:
|
|
rbac.authorization.kubernetes.io/autoupdate: "false"
|
|
labels:
|
|
kubernetes.io/bootstrapping: rbac-defaults
|
|
name: system:node
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: system:node
|
|
subjects:
|
|
- kind: Group
|
|
name: system:nodes
|
|
apiGroup: rbac.authorization.k8s.io`
|
|
|
|
JobDeployerServiceAccount = `
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: rke-job-deployer
|
|
namespace: kube-system`
|
|
|
|
JobDeployerClusterRoleBinding = `
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: job-deployer
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: cluster-admin
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
namespace: kube-system
|
|
name: rke-job-deployer`
|
|
|
|
DefaultPodSecurityPolicy = `
|
|
apiVersion: policy/v1beta1
|
|
kind: PodSecurityPolicy
|
|
metadata:
|
|
name: default-psp
|
|
annotations:
|
|
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
|
|
spec:
|
|
privileged: true
|
|
allowPrivilegeEscalation: true
|
|
allowedCapabilities:
|
|
- '*'
|
|
volumes:
|
|
- '*'
|
|
hostNetwork: true
|
|
hostPorts:
|
|
- min: 0
|
|
max: 65535
|
|
hostIPC: true
|
|
hostPID: true
|
|
runAsUser:
|
|
rule: 'RunAsAny'
|
|
seLinux:
|
|
rule: 'RunAsAny'
|
|
supplementalGroups:
|
|
rule: 'RunAsAny'
|
|
fsGroup:
|
|
rule: 'RunAsAny'`
|
|
|
|
DefaultPodSecurityRole = `
|
|
kind: Role
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
metadata:
|
|
name: default-psp-role
|
|
rules:
|
|
- apiGroups: ['extensions']
|
|
resources: ['podsecuritypolicies']
|
|
verbs: ['use']
|
|
resourceNames:
|
|
- default-psp`
|
|
|
|
DefaultPodSecurityRoleBinding = `
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: default-psp-rolebinding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: default-psp-role
|
|
subjects:
|
|
# Authorize all service accounts in a namespace:
|
|
- kind: Group
|
|
apiGroup: rbac.authorization.k8s.io
|
|
name: system:serviceaccounts
|
|
# Or equivalently, all authenticated users in a namespace:
|
|
- kind: Group
|
|
apiGroup: rbac.authorization.k8s.io
|
|
name: system:authenticated
|
|
|
|
`
|
|
)
|