author | Staffan Olsson <staffan@repos.se> | 2017-08-05 05:28:56 +0200 |
---|---|---|
committer | Staffan Olsson <staffan@repos.se> | 2017-08-05 05:47:29 +0200 |
commit | 7cf2a5da0d2e321bc0567dcb0e1690e9ed51866d (patch) | |
tree | 541506687c94489b24f75f2f1892f0313ae9be9c | |
parent | a8db336c1a03d01e8aacd4f811bebc5ab9542b26 (diff) | |
RBAC rights are purely additive so ...
a project like kubernetes-kafka should keep them minimal.
To access nodes we do need ClusterRole instead of Role.
-rw-r--r-- | rbac-namespace-default/node-reader.yml | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml new file mode 100644 index 0000000..5054182 --- /dev/null +++ b/rbac-namespace-default/node-reader.yml @@ -0,0 +1,26 @@ +# For kubectl get node, required for kafka init container rack awareness +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: node-reader +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kafka-node-reader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: node-reader +subjects: +- kind: ServiceAccount + name: default + namespace: kafka |
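Review bot: The subject of the ClusterRoleBinding at the end of the hunk is the `default` ServiceAccount in namespace `kafka`, so every pod in that namespace that does not set its own service account gains `get` on nodes, not only the kafka init container named in the header comment. Binding `node-reader` to a dedicated ServiceAccount used only by the Kafka pods would fit the commit message's aim of keeping rights minimal. The directory name `rbac-namespace-default` also differs from the `namespace: kafka` in the subject, and a comment saying which of the two the name refers to would help readers applying the file.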