From 0284a0221708f751c47af7a4f5cda859d2b8d54f Mon Sep 17 00:00:00 2001 From: Thomas Tischner Date: Fri, 31 Jan 2020 14:10:03 +0100 Subject: [PATCH] Extend Clusterwide rbac roles for elastic crds Signed-off-by: Thomas Tischner --- config/operator/all-in-one/rbac.yaml | 38 ++++++++++++++++++++++++++++ config/operator/global/rbac.yaml | 38 ++++++++++++++++++++++++++++ config/operator/namespace/rbac.yaml | 38 ++++++++++++++++++++++++++++ 3 files changed, 114 insertions(+) create mode 100644 config/operator/all-in-one/rbac.yaml create mode 100644 config/operator/global/rbac.yaml create mode 100644 config/operator/namespace/rbac.yaml diff --git a/config/operator/all-in-one/rbac.yaml b/config/operator/all-in-one/rbac.yaml new file mode 100644 index 0000000000..294c416b4d --- /dev/null +++ b/config/operator/all-in-one/rbac.yaml @@ -0,0 +1,38 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-operator-view + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["elasticsearch.k8s.elastic.co"] + resources: ["elasticsearches"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apm.k8s.elastic.co"] + resources: ["apmservers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["kibana.k8s.elastic.co"] + resources: ["kibanas"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-operator-edit + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["elasticsearch.k8s.elastic.co"] + resources: ["elasticsearches"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["apm.k8s.elastic.co"] + resources: ["apmservers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["kibana.k8s.elastic.co"] + resources: ["kibanas"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] diff --git a/config/operator/global/rbac.yaml b/config/operator/global/rbac.yaml new file mode 100644 index 0000000000..294c416b4d --- /dev/null +++ b/config/operator/global/rbac.yaml @@ -0,0 +1,38 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-operator-view + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["elasticsearch.k8s.elastic.co"] + resources: ["elasticsearches"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apm.k8s.elastic.co"] + resources: ["apmservers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["kibana.k8s.elastic.co"] + resources: ["kibanas"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-operator-edit + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["elasticsearch.k8s.elastic.co"] + resources: ["elasticsearches"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["apm.k8s.elastic.co"] + resources: ["apmservers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["kibana.k8s.elastic.co"] + resources: ["kibanas"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] diff --git a/config/operator/namespace/rbac.yaml b/config/operator/namespace/rbac.yaml new file mode 100644 index 0000000000..294c416b4d --- /dev/null +++ b/config/operator/namespace/rbac.yaml @@ -0,0 +1,38 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-operator-view + labels: + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["elasticsearch.k8s.elastic.co"] + resources: ["elasticsearches"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apm.k8s.elastic.co"] + resources: ["apmservers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["kibana.k8s.elastic.co"] + resources: ["kibanas"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: elastic-operator-edit + labels: + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: ["elasticsearch.k8s.elastic.co"] + resources: ["elasticsearches"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["apm.k8s.elastic.co"] + resources: ["apmservers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["kibana.k8s.elastic.co"] + resources: ["kibanas"] + verbs: ["create", "delete", "deletecollection", "patch", "update"]