Reduce awx-operator service account permissions
@@ -11,7 +11,13 @@ rules:
|
|||||||
- routes
|
- routes
|
||||||
- routes/custom-host
|
- routes/custom-host
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ""
|
- ""
|
||||||
- "rbac.authorization.k8s.io"
|
- "rbac.authorization.k8s.io"
|
||||||
@@ -28,7 +34,13 @@ rules:
|
|||||||
- roles
|
- roles
|
||||||
- rolebindings
|
- rolebindings
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- apps
|
- apps
|
||||||
- networking.k8s.io
|
- networking.k8s.io
|
||||||
@@ -39,7 +51,13 @@ rules:
|
|||||||
- statefulsets
|
- statefulsets
|
||||||
- ingresses
|
- ingresses
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- monitoring.coreos.com
|
- monitoring.coreos.com
|
||||||
resources:
|
resources:
|
||||||
@@ -66,6 +84,8 @@ rules:
|
|||||||
- ""
|
- ""
|
||||||
resources:
|
resources:
|
||||||
- pods/exec
|
- pods/exec
|
||||||
|
- pods/attach
|
||||||
|
- pods/log # log & attach rules needed to be able to grant them to AWX service account
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
- get
|
- get
|
||||||
@@ -75,6 +95,8 @@ rules:
|
|||||||
- replicasets
|
- replicasets
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- awx.ansible.com
|
- awx.ansible.com
|
||||||
resources:
|
resources:
|
||||||
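Review bot: The replicasets rule in the last hunk (@@ -75,6 +95,8 @@) ends up with two `verbs:` keys on the new side, because the existing `verbs:` / `- get` is followed by an added `verbs:` / `- create`. Duplicate mapping keys are invalid YAML, and parsers that tolerate them usually keep the last one, which would leave the operator with `create` but without `get` on replicasets. Indentation is lost in this rendering, so this assumes both keys sit in the same rule; if they do, drop the added `verbs:` line and keep `- create` under the existing list. The same two added lines appear in the second file section (@@ -685,6 +705,8 @@), and the rule itself starts above the hunk.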
|
|||||||
@@ -621,7 +621,13 @@ rules:
|
|||||||
- routes
|
- routes
|
||||||
- routes/custom-host
|
- routes/custom-host
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ""
|
- ""
|
||||||
- "rbac.authorization.k8s.io"
|
- "rbac.authorization.k8s.io"
|
||||||
@@ -638,7 +644,13 @@ rules:
|
|||||||
- roles
|
- roles
|
||||||
- rolebindings
|
- rolebindings
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- apps
|
- apps
|
||||||
- networking.k8s.io
|
- networking.k8s.io
|
||||||
@@ -649,7 +661,13 @@ rules:
|
|||||||
- statefulsets
|
- statefulsets
|
||||||
- ingresses
|
- ingresses
|
||||||
verbs:
|
verbs:
|
||||||
- '*'
|
- get
|
||||||
|
- list
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- monitoring.coreos.com
|
- monitoring.coreos.com
|
||||||
resources:
|
resources:
|
||||||
@@ -676,6 +694,8 @@ rules:
|
|||||||
- ""
|
- ""
|
||||||
resources:
|
resources:
|
||||||
- pods/exec
|
- pods/exec
|
||||||
|
- pods/attach
|
||||||
|
- pods/log # log & attach rules needed to be able to grant them to AWX service account
|
||||||
verbs:
|
verbs:
|
||||||
- create
|
- create
|
||||||
- get
|
- get
|
||||||
@@ -685,6 +705,8 @@ rules:
|
|||||||
- replicasets
|
- replicasets
|
||||||
verbs:
|
verbs:
|
||||||
- get
|
- get
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- awx.ansible.com
|
- awx.ansible.com
|
||||||
resources:
|
resources:
|
||||||
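Review bot: Nothing in the file records that dropping `escalate` and `bind` is deliberate in the roles/rolebindings hunk (@@ -638,7 +644,13 @@ here, @@ -28,7 +34,13 @@ in the first file section), where `'*'` becomes an explicit verb list. I would add a comment above that `verbs:` list such as `# escalate/bind intentionally omitted: the operator may only grant permissions it already holds`, so a later edit does not restore the wildcard. That is the same reasoning the added `pods/log` comment already gives for the log and attach subresources. The rule's resource list starts above the hunk, so other resources may share these verbs.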
|
|||||||