perm: give more permission to CI clusterrole

2022-05-27 11:43:06 +02:00
parent 688c57827a
commit 29065a4df8
1 changed files with 31 additions and 49 deletions
--- a/ci.tf
+++ b/ci.tf
@@ -39,17 +39,10 @@ resource "kubernetes_cluster_role" "ci_cd" {
      "pods",
      "namespaces",
      "secrets",
+      "serviceaccounts",
      "services",
    ]
-    verbs = [
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  rule {
@@ -58,15 +51,7 @@ resource "kubernetes_cluster_role" "ci_cd" {
      "deployments",
      "replicasets", # needed for 'helm upgrade --wait'
    ]
-    verbs = [
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  rule {
@@ -74,45 +59,42 @@ resource "kubernetes_cluster_role" "ci_cd" {
    resources = [
      "horizontalpodautoscalers"
    ]
-    verbs = [
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }
  rule {
    api_groups = ["networking.k8s.io"]

    resources = [
      "ingresses",
-    ]
-    verbs = [
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
-    ]
-  }
-  rule {
-    api_groups = ["networking.k8s.io"]
-    resources = [
      "networkpolicies"
    ]
-    verbs = [
-      "create",
-      "delete",
-      "get",
-      "list",
-      "patch",
-      "update",
-      "watch",
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+  }
+
+  rule {
+    api_groups = ["apiextensions.k8s.io"]
+    resources = [
+      "customresourcedefinitions"
    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+  }
+
+  rule {
+    api_groups = ["rbac.authorization.k8s.io"]
+    resources = [
+      "clusterrolebindings",
+      "clusterroles",
+      "rolebindings",
+      "roles",
+    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+  }
+
+  rule {
+    api_groups = ["policy"]
+    resources = [
+      "podsecuritypolicies",
+    ]
+    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }
 }