more pod perms

hyperledger · Jul 26, 2023 · 149932f · 149932f
1 parent 034c621
commit 149932f
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/infrastructure/charts/agent/templates/vaultstandalone.yaml b/infrastructure/charts/agent/templates/vaultstandalone.yaml
@@ -29,6 +29,44 @@ roleRef:
   name: secrets-reader # this must match the name of the Role or ClusterRole you wish to bind to
   apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: read-pods
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: User
+  name: vault # "name" is case sensitive
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role #this must be Role or ClusterRole
+  name: secrets-reader # this must match the name of the Role or ClusterRole you wish to bind to
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: {{ .Release.Namespace }}
+  name: pods-reader
+rules:
+- apiGroups: [""] # "" indicates the core API group
+  resources: ["pods"]
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: read-pods
+  namespace: {{ .Release.Namespace }}
+subjects:
+- kind: User
+  name: vault
+  apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: Role
+  name: pods-reader
+  apiGroup: rbac.authorization.k8s.io
+---
 apiVersion: "vault.banzaicloud.com/v1alpha1"
 kind: "Vault"
 metadata: