# Identity the Terraform CI/CD pipeline authenticates as against the cluster.
resource "kubernetes_service_account" "terraform_ci_cd" {
  # Pods that run as this account do not get its token mounted automatically;
  # credentials have to be obtained explicitly, which keeps the token out of
  # any workload that merely happens to use this ServiceAccount.
  automount_service_account_token = false

  metadata {
    name      = "terraform-ci-cd"
    namespace = "kube-system"
  }
}
# Attaches the "ci-cd" ClusterRole to the CI/CD ServiceAccount.
# This is a ClusterRoleBinding, not a RoleBinding, so every rule in
# kubernetes_cluster_role.ci_cd applies in all namespaces.
resource "kubernetes_cluster_role_binding" "terraform_ci_is_a_ci" {
  metadata {
    name = "terraform-ci-cd-is-a-ci-cd"
  }

  # Name and namespace are read back from the ServiceAccount resource so the
  # binding cannot drift from it.
  subject {
    kind      = "ServiceAccount"
    name      = kubernetes_service_account.terraform_ci_cd.metadata[0].name
    namespace = kubernetes_service_account.terraform_ci_cd.metadata[0].namespace
  }

  role_ref {
    kind      = "ClusterRole"
    name      = kubernetes_cluster_role.ci_cd.metadata[0].name
    api_group = "rbac.authorization.k8s.io"
  }
}
# Permission set granted to the CI/CD ServiceAccount through
# kubernetes_cluster_role_binding.terraform_ci_is_a_ci.
#
# Every rule carries the full read set (get/list/watch) and the full write set
# (create/delete/patch/update), and the binding is cluster-wide. Cluster-wide
# write on secrets, serviceaccounts, pods and RBAC objects gives this account
# reach comparable to cluster-admin, so a leaked CI credential has a
# cluster-sized blast radius. If the pipeline only deploys into known
# namespaces, namespace-scoped Roles/RoleBindings would shrink that; any rule
# trimmed here should be checked against what the pipeline actually applies.
resource "kubernetes_cluster_role" "ci_cd" {
  metadata {
    name = "ci-cd"
  }

  # Core API group ("").
  rule {
    api_groups = [""]
    resources = [
      "configmaps",
      "persistentvolumes",
      "persistentvolumeclaims",
      "pods",
      "namespaces",
      "nodes",
      "secrets", # cluster-wide secret read/write: the most sensitive entry in this role
      "serviceaccounts",
      "services",
    ]
    verbs = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  # Workload controllers. replicasets is required by 'helm upgrade --wait'.
  rule {
    api_groups = ["apps"]
    resources  = ["daemonsets", "deployments", "replicasets", "statefulsets"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  rule {
    api_groups = ["autoscaling"]
    resources  = ["horizontalpodautoscalers"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  rule {
    api_groups = ["networking.k8s.io"]
    resources  = ["ingresses", "networkpolicies"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  # CRD write lets the pipeline install chart-bundled CRDs; it also lets it
  # redefine any custom API the cluster serves.
  rule {
    api_groups = ["apiextensions.k8s.io"]
    resources  = ["customresourcedefinitions"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  # RBAC write. The API server's escalation check prevents this account from
  # granting permissions it does not already hold, but with the rules above
  # that ceiling is already high.
  rule {
    api_groups = ["rbac.authorization.k8s.io"]
    resources  = ["clusterrolebindings", "clusterroles", "rolebindings", "roles"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }

  # PodSecurityPolicy was removed from the Kubernetes API in v1.25; on newer
  # clusters this rule is inert and can be dropped once no cluster this role is
  # applied to still serves PSPs.
  rule {
    api_groups = ["policy"]
    resources  = ["podsecuritypolicies"]
    verbs      = ["create", "delete", "get", "list", "patch", "update", "watch"]
  }
}