From 29065a4df85a7e05e952930da5b1189c296df6c8 Mon Sep 17 00:00:00 2001
From: Tamas Kiss
Date: Fri, 27 May 2022 11:43:06 +0200
Subject: [PATCH] perm: give more permission to CI clusterrole

---
 ci.tf | 80 +++++++++++++++++++++++------------------------------------
 1 file changed, 31 insertions(+), 49 deletions(-)

diff --git a/ci.tf b/ci.tf
index a70da15..d40ce8d 100644
--- a/ci.tf
+++ b/ci.tf
@@ -39,17 +39,10 @@ resource "kubernetes_cluster_role" "ci_cd" {
 "pods",
 "namespaces",
 "secrets",
+ "serviceaccounts",
 "services",
 ]
- verbs = [
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- ]
+ verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
 }
 
 rule {
@@ -58,15 +51,7 @@ resource "kubernetes_cluster_role" "ci_cd" {
 "deployments",
 "replicasets", # needed for 'helm upgrade --wait'
 ]
- verbs = [
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- ]
+ verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
 }
 
 rule {
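Review bot: The `serviceaccounts` entry added to the core-API rule carries no why-comment, unlike `"replicasets", # needed for 'helm upgrade --wait'` in the next hunk, and it lands in a cluster-scoped rule that already grants create/patch/delete on `secrets`; together these let the CI identity manage service accounts and their secrets in every namespace, so the grant deserves a stated reason. Consider `"serviceaccounts", # needed for <reason — TODO>` in the same style as the existing comment. If CI only deploys into a fixed set of namespaces and this role is bound cluster-wide, binding it with namespaced `kubernetes_role_binding` resources instead would keep the blast radius to those namespaces. The enclosing `resource "kubernetes_cluster_role" "ci_cd"` block starts outside the hunk.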
@@ -74,45 +59,42 @@ resource "kubernetes_cluster_role" "ci_cd" {
 resources = [
 "horizontalpodautoscalers"
 ]
- verbs = [
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- ]
+ verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
 }
 
 rule {
 api_groups = ["networking.k8s.io"]
 resources = [
 "ingresses",
- ]
- verbs = [
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
- ]
- }
- rule {
- api_groups = ["networking.k8s.io"]
- resources = [
 "networkpolicies"
 ]
- verbs = [
- "create",
- "delete",
- "get",
- "list",
- "patch",
- "update",
- "watch",
+ verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }
+
+ rule {
+ api_groups = ["apiextensions.k8s.io"]
+ resources = [
+ "customresourcedefinitions"
 ]
+ verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }
+
+ rule {
+ api_groups = ["rbac.authorization.k8s.io"]
+ resources = [
+ "clusterrolebindings",
+ "clusterroles",
+ "rolebindings",
+ "roles",
+ ]
+ verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
+ }
+
+ rule {
+ api_groups = ["policy"]
+ resources = [
+ "podsecuritypolicies",
+ ]
+ verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
 }
 }
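Review bot: The new `rbac.authorization.k8s.io` rule gives the CI role create/patch/update/delete on `clusterroles` and `clusterrolebindings`, and because this role already holds cluster-wide write on `secrets` and `serviceaccounts`, it can now re-grant its own broad permissions to any subject; the API server's escalation check only prevents granting more than the caller holds, and what it holds is already close to cluster-admin. If the charts only need namespaced RBAC, dropping the two cluster-scoped resources (or narrowing them with `resource_names`) keeps least privilege, and each new rule should carry a comment naming the chart that needs it, e.g. `# needed for <chart — TODO>`, in the style of the existing `helm upgrade --wait` comment. The `policy/podsecuritypolicies` rule also deserves a caveat: PodSecurityPolicy has been deprecated since Kubernetes 1.21 and is removed in 1.25, so on newer clusters it grants nothing and Pod Security Admission is the replacement. Cluster-wide `delete` on `customresourcedefinitions` removes every custom resource of that kind with the definition, so omit `delete` there unless CI genuinely uninstalls CRDs.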