cluster/kube: fix common missing namespace-admin permissions
Change-Id: I6ee4ede0b4e9db80559c009a1e86fbd2721f3d05
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1841
Reviewed-by: radex <radex@hackerspace.pl>
diff --git a/cluster/kube/cluster.libsonnet b/cluster/kube/cluster.libsonnet
index 8822656..16c59bb 100644
--- a/cluster/kube/cluster.libsonnet
+++ b/cluster/kube/cluster.libsonnet
@@ -80,7 +80,6 @@
"pods",
"configmaps",
"services",
- "rolebindings",
],
verbs: ["list"],
},
@@ -106,7 +105,17 @@
"ingresses",
],
verbs: ["list"],
- }
+ },
+ {
+ apiGroups: ["rbac.authorization.k8s.io"],
+ resources: [
+ "clusterroles",
+ "roles",
+ "clusterrolebindings",
+ "rolebindings",
+ ],
+ verbs: ["list", "get"],
+ },
],
},
// This ClusterRole is applied (scoped to personal namespace) to all humans.
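Review bot: The new rule mixes cluster-scoped resources (`clusterroles`, `clusterrolebindings`) with namespaced ones (`roles`, `rolebindings`), and nothing in the hunk says which kind of binding this ClusterRole is granted through. If it is granted through a namespaced RoleBinding, the two cluster-scoped entries grant nothing. If it is granted through a ClusterRoleBinding, every bound subject can read the cluster's whole RBAC layout, including who holds which role in other namespaces. The enclosing role starts outside the hunk, so this cannot be confirmed here. A comment above the rule would record the intent, e.g. `// Read-only RBAC visibility; the cluster-scoped entries only take effect via a ClusterRoleBinding.`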
@@ -132,6 +141,11 @@
resources: ["certificates"],
verbs: ["*"],
},
+ {
+ apiGroups: ["networking.k8s.io"],
+ resources: ["networkpolicies"],
+ verbs: ["list", "get"],
+ },
],
},
// This ClusterRoleBindings allows root access to cluster admins.
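Review bot: The `networkpolicies` rule grants only `list` and `get`, right after a `certificates` rule with `verbs: ["*"]`, and the difference is not explained. If the read-only grant is deliberate, so that namespace admins can inspect network isolation but not loosen it, say so in a comment such as `// Read-only on purpose: NetworkPolicies are managed by cluster admins.`; that intent is inferred, not shown in the hunk. `watch` is also absent, so clients that watch the resource instead of polling may still be denied. The enclosing ClusterRole starts outside the hunk.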