# 限制helm应用只允许部署在指定namespace # 可以配合NetworkPolicy等实现namespace间网络完全隔离 --- apiVersion: v1 kind: Namespace metadata: name: {{ helm_namespace }} --- apiVersion: v1 kind: ServiceAccount metadata: name: {{ tiller_sa }} namespace: {{ helm_namespace }} --- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tiller-manager namespace: {{ helm_namespace }} rules: - apiGroups: ["", "extensions", "apps"] resources: ["*"] verbs: ["*"] --- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tiller-binding namespace: {{ helm_namespace }} subjects: - kind: ServiceAccount name: {{ tiller_sa }} namespace: {{ helm_namespace }} roleRef: kind: Role name: tiller-manager apiGroup: rbac.authorization.k8s.io --- # kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tiller-cluster-manager rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: - clusterroles - clusterrolebindings verbs: ["*"] --- kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: tiller-cluster-binding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: tiller-cluster-manager subjects: - kind: ServiceAccount name: {{ tiller_sa }} namespace: {{ helm_namespace }}