{{- if .Values.serviceAccount.create -}}
# WARNING: This ClusterRole grants broad read + exec access across the cluster.
# It is intentionally permissive for lab/troubleshooting use.
# Review and restrict these permissions before using in a production environment.
#
# Effective privilege of this role: `get`/`list` on `secrets` in every namespace
# exposes every ServiceAccount token in the cluster, and `create` on `pods/exec`
# allows commands to be run inside any pod. Either of these alone is effectively
# equivalent to cluster-admin, so treat whoever can reach the ttyd UI as a
# cluster administrator and gate access to it accordingly (network policy,
# authenticating proxy, audit logging of exec/secret reads).
#
# The whole ClusterRole is only rendered when `serviceAccount.create` is true;
# the binding that attaches it to the ServiceAccount is defined elsewhere in
# the chart (not in this file).
#
# Future auth integration note:
# When oauth2-proxy is added in front of ttyd, consider scoping this role
# further to match the actual user's identity or group permissions.
# Replacing the ClusterRole with a namespaced Role + RoleBinding per allowed
# namespace is the usual first step.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ include "ttyd.fullname" . }}
  labels:
    {{- include "ttyd.labels" . | nindent 4 }}
rules:
  # Core workload resources — read + basic management for kubectl troubleshooting.
  # Read-only here; mutating verbs on a subset of these resources are granted
  # in the "Pod and service management" rule below.
  - apiGroups: [""]
    resources:
      - pods
      - pods/log
      - services
      - endpoints
      - configmaps
      - secrets  # WARNING: includes secret read access (all namespaces); tighten in production
      - events
      - namespaces
      - nodes
      - persistentvolumeclaims
      - persistentvolumes
      - replicationcontrollers
      - serviceaccounts
    verbs: ["get", "list", "watch"]

  # Pod exec and log streaming (needed for `kubectl exec` and `kubectl logs -f`).
  # `pods/log` itself is covered by the read rule above; this rule adds the
  # `create` verb on the exec/attach/portforward subresources, which is what
  # opens an interactive session into a running container.
  - apiGroups: [""]
    resources:
      - pods/exec
      - pods/attach
      - pods/portforward
    verbs: ["create"]

  # Pod and service management (basic ops for lab use).
  # Mutating verbs on pods, services and configmaps; no `create` is granted,
  # so new workloads cannot be launched through this rule.
  - apiGroups: [""]
    resources:
      - pods
      - services
      - configmaps
    verbs: ["delete", "patch", "update"]

  # Apps resources — read plus patch/delete, e.g. for scaling or restarting
  # workloads while troubleshooting. Note that `patch` on a Deployment lets the
  # holder change the pod template (image, command, mounts), which is a
  # code-execution capability in its own right.
  - apiGroups: ["apps"]
    resources:
      - deployments
      - replicasets
      - statefulsets
      - daemonsets
    verbs: ["get", "list", "watch", "patch", "delete"]

  # Batch resources — read and delete only, no creation or modification of jobs.
  - apiGroups: ["batch"]
    resources:
      - jobs
      - cronjobs
    verbs: ["get", "list", "watch", "delete"]

  # Networking resources (read-only)
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
      - ingressclasses
    verbs: ["get", "list", "watch"]

  # RBAC resources (read-only, for inspection purposes).
  # Read-only on RBAC objects cannot grant further permissions; it only lets
  # the user see who holds what.
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources:
      - roles
      - rolebindings
      - clusterroles
      - clusterrolebindings
    verbs: ["get", "list", "watch"]

  # Storage classes (read-only)
  - apiGroups: ["storage.k8s.io"]
    resources:
      - storageclasses
    verbs: ["get", "list", "watch"]

  # Metrics (optional, useful for `kubectl top`).
  # The metrics.k8s.io API is only served when a metrics server is installed;
  # the rule is inert otherwise.
  - apiGroups: ["metrics.k8s.io"]
    resources:
      - pods
      - nodes
    verbs: ["get", "list", "watch"]
{{- end }}