Commit 170f2ed2 authored by Adam Harrison's avatar Adam Harrison

Restrict update permissions on daemonsets

Kured only needs update permissions on its own daemonset.
parent 152534fc
...@@ -4,10 +4,6 @@ kind: ClusterRole ...@@ -4,10 +4,6 @@ kind: ClusterRole
metadata: metadata:
name: kured name: kured
rules: rules:
# Allow kured to grab it's lock
- apiGroups: ["extensions"]
resources: ["daemonsets"]
verbs: ["get", "update"]
# Allow kured to cordon and uncordon nodes # Allow kured to cordon and uncordon nodes
- apiGroups: [""] - apiGroups: [""]
resources: ["nodes"] resources: ["nodes"]
...@@ -41,3 +37,29 @@ subjects: ...@@ -41,3 +37,29 @@ subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: kured name: kured
namespace: kube-system namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: kube-system
name: kured
rules:
# Allow kured to lock/unlock itself
- apiGroups: ["extensions"]
resources: ["daemonsets"]
resourceNames: ["kured"]
verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
namespace: kube-system
name: kured
subjects:
- kind: ServiceAccount
namespace: kube-system
name: kured
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kured
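Review bot: The new namespaced Role grants only `update` on the `kured` daemonset, whereas the rule removed from the ClusterRole granted `get` as well. The rules between the two hunks are not visible here, so unless one of them still allows `get` on daemonsets, reading the lock object before updating it would be denied; in that case the scoped rule should read `verbs: ["get", "update"]`. Separately, `update` with `resourceNames: ["kured"]` still covers the whole DaemonSet object rather than only the lock, so the service account's token stays sensitive; a comment such as `# update applies to the full DaemonSet spec, not only the lock` above the rule would record that. The `extensions` API group is carried over from the old rule, and it is worth confirming it matches the group the cluster actually serves daemonsets from.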