commit 4e46d5017ae568e27394dea29ac47560e8f067c1
author Piotr Dobrowolski <informatic@hackerspace.pl> Tue Jan 09 23:21:01 2024 +0100
committer informatic <informatic@hackerspace.pl> Thu Jan 18 23:47:20 2024 +0000
tree 1399da3dea8ccfd4976f2a3b88a5a8b8f3cb8272
parent a090225125623908c9e528c1589ef130ee1b09df

cluster/kube: fix common missing namespace-admin permissions

Change-Id: I6ee4ede0b4e9db80559c009a1e86fbd2721f3d05
Reviewed-on: https://gerrit.hackerspace.pl/c/hscloud/+/1841
Reviewed-by: radex <radex@hackerspace.pl>

cluster/kube/cluster.libsonnet

diff --git a/cluster/kube/cluster.libsonnet b/cluster/kube/cluster.libsonnet
index 8822656..16c59bb 100644
--- a/cluster/kube/cluster.libsonnet
+++ b/cluster/kube/cluster.libsonnet
@@ -80,7 +80,6 @@
                         "pods",
                         "configmaps",
                         "services",
-                        "rolebindings",
                     ],
                     verbs: ["list"],
                 },
@@ -106,7 +105,17 @@
                         "ingresses",
                     ],
                     verbs: ["list"],
-                }
+                },
+                {
+                    apiGroups: ["rbac.authorization.k8s.io"],
+                    resources: [
+                        "clusterroles",
+                        "roles",
+                        "clusterrolebindings",
+                        "rolebindings",
+                    ],
+                    verbs: ["list", "get"],
+                },
             ],
         },
         // This ClusterRole is applied (scoped to personal namespace) to all humans.
@@ -132,6 +141,11 @@
                     resources: ["certificates"],
                     verbs: ["*"],
                 },
+                {
+                    apiGroups: ["networking.k8s.io"],
+                    resources: ["networkpolicies"],
+                    verbs: ["list", "get"],
+                },
             ],
         },
         // This ClusterRoleBindings allows root access to cluster admins.