# Permissions and roles for istio
# To debug: start the cluster with -vmodule=rbac,3 to enable verbose logging on RBAC DENY
# Also helps to enable logging on apiserver 'wrap' to see the URLs.
# Each RBAC deny needs to be mapped into a rule for the role.
# If using minikube, start with '--extra-config=apiserver.Authorization.Mode=RBAC'
#
# NOTE: If deploying istio to a namespace other than 'default', change the
# 'namespace' of each ClusterRoleBinding subject below accordingly.
# ClusterRole for the Istio Manager/discovery component.
# Because it is a ClusterRole bound through a ClusterRoleBinding below, every
# rule applies in all namespaces, not just the one Istio is deployed in.
# NOTE: rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22;
# newer clusters need rbac.authorization.k8s.io/v1 (same schema).
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: istio-manager
rules:
  # Full control over Istio's own config objects.
  - apiGroups:
      - istio.io
    resources:
      - istioconfigs
      - istioconfigs.istio.io
    verbs:
      - "*"
  # Full control over the ThirdPartyResource definitions and Ingresses
  # (including ingress status updates) in the extensions group.
  - apiGroups:
      - extensions
    resources:
      - thirdpartyresources
      - thirdpartyresources.extensions
      - ingresses
      - ingresses/status
    verbs:
      - "*"
  # Full control (all verbs, cluster-wide) over core workload objects;
  # this is broader than the read-only access the sidecar role gets.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - pods
      - services
    verbs:
      - "*"
  # Namespaces are read-only.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
---
# ClusterRole for the Istio CA. Bound cluster-wide below, so the secrets
# rule covers every namespace: this is the broadest privilege in the file
# (note that 'delete' is deliberately not in the verb list).
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: istio-ca
rules:
  # Create/read/watch/list/update secrets in all namespaces.
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
      - get
      - watch
      - list
      - update
  # Observe service accounts only (watch/list, no get or write).
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - watch
      - list
---
# ClusterRole for the sidecar proxy. Mostly read-only (get/watch/list);
# the only write permission is 'update' on ThirdPartyResources and
# Ingresses in the extensions group.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: istio-sidecar
rules:
  # Read Istio config objects.
  - apiGroups:
      - istio.io
    resources:
      - istioconfigs
    verbs:
      - get
      - watch
      - list
  # Read and update TPRs and Ingresses.
  - apiGroups:
      - extensions
    resources:
      - thirdpartyresources
      - ingresses
    verbs:
      - get
      - watch
      - list
      - update
  # Read core workload objects; configmaps are included, so whoever holds
  # this role can read every ConfigMap in the cluster once bound cluster-wide.
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - endpoints
      - services
    verbs:
      - get
      - watch
      - list
---
# Bind the istio-manager ClusterRole to the Manager/discovery service account.
# The subject's namespace must match the namespace Istio is deployed in.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-manager-admin-role-binding
subjects:
  - kind: ServiceAccount
    name: istio-manager-service-account
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-manager
---
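# Bind the istio-ca ClusterRole to the CA service account.
# (The original comment was copied from the Manager binding; this binding
# grants the CA role, i.e. cluster-wide secret create/update rights.)
# The subject's namespace must match the namespace Istio is deployed in.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-ca-role-binding
subjects:
  - kind: ServiceAccount
    name: istio-ca-service-account
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-ca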
---
# Bind the Ingress controller's service account to the istio-manager
# ClusterRole. There is no dedicated ingress role in this file, so the
# ingress controller receives the full Manager privileges ('*' verbs on
# Istio config, TPRs, Ingresses, configmaps, endpoints, pods and services).
# The subject's namespace must match the namespace Istio is deployed in.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-ingress-admin-role-binding
subjects:
  - kind: ServiceAccount
    name: istio-ingress-service-account
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-manager
---
# Bind the istio-sidecar ClusterRole to the 'default' service account of the
# 'default' namespace.
# TEMPORARY: istioctl should generate a separate service account for the
# proxy and the role should be granted only to that account. As written,
# every pod in the 'default' namespace that does not set its own
# serviceAccountName runs as this subject and therefore inherits the
# sidecar role's cluster-wide read access (configmaps, pods, endpoints,
# services, Istio config) plus update on TPRs and Ingresses.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-sidecar-role-binding
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-sidecar
---