Commit f980673

add no statusInformer minimal RBAC example
1 parent 2ada912 commit f980673

1 file changed

+98
-1
lines changed

docs/vendor/replicated-sdk-customizing.md

Lines changed: 98 additions & 1 deletion
@@ -285,6 +285,103 @@ replicated:
285285
If statusInformers are not set manually, this RBAC role will include permissions to `get`, `list`, and `watch` all secrets, deployments, statefulsets, daemonsets, services, ingresses, PVCs, pods, replicasets, and endpoints within the namespace.
286286
This allows Replicated to discover the Helm chart secret for your application, parse it to determine what resources to monitor, and then monitor those resources.
287287

288+
```yaml
289+
# Generated RBAC role with no statusInformers
290+
291+
apiVersion: rbac.authorization.k8s.io/v1
292+
kind: Role
293+
metadata:
294+
name: replicated-role
295+
rules:
296+
- apiGroups:
297+
- ""
298+
resources:
299+
- secrets
300+
verbs:
301+
- create
302+
- apiGroups:
303+
- ""
304+
resourceNames:
305+
- replicated
306+
- replicated-instance-report
307+
- replicated-custom-app-metrics-report
308+
- replicated-meta-data
309+
resources:
310+
- secrets
311+
verbs:
312+
- update
313+
- apiGroups:
314+
- apps
315+
resourceNames:
316+
- replicated
317+
resources:
318+
- deployments
319+
verbs:
320+
- get
321+
- apiGroups:
322+
- apps
323+
resources:
324+
- replicasets
325+
verbs:
326+
- get
327+
- apiGroups:
328+
- ""
329+
resources:
330+
- pods
331+
verbs:
332+
- get
333+
- apiGroups:
334+
- ""
335+
resourceNames:
336+
- replicated
337+
resources:
338+
- secrets
339+
verbs:
340+
- get
341+
- apiGroups:
342+
- ""
343+
resources:
344+
- secrets
345+
verbs:
346+
- get
347+
- list
348+
- apiGroups:
349+
- apps
350+
resources:
351+
- deployments
352+
- replicasets
353+
- statefulsets
354+
- daemonsets
355+
verbs:
356+
- get
357+
- list
358+
- watch
359+
- apiGroups:
360+
- ""
361+
resources:
362+
- services
363+
- endpoints
364+
- persistentvolumeclaims
365+
verbs:
366+
- get
367+
- list
368+
- watch
369+
- apiGroups:
370+
- networking.k8s.io
371+
resources:
372+
- ingresses
373+
verbs:
374+
- get
375+
- list
376+
- watch
377+
- apiGroups:
378+
- ""
379+
resources:
380+
- pods
381+
verbs:
382+
- list
383+
```
384+
288385
If statusInformers are set manually, then the generated role will not be created with the ability to access all secrets, and other resources will be specified by name when possible.
289386
An example statusInformer configuration and generated role is presented below.
290387

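Review bot: The context sentence at line 285 says the default role can `get`, `list`, and `watch` all secrets and pods, but the example added here grants only `get` and `list` on secrets (new lines 341-347) and only `get` and `list` on pods (327-332 and 377-382), with no `watch` on either. Either correct the sentence or regenerate the example so the two agree, since readers will use this block to judge how much access the SDK receives when statusInformers are left unset. A YAML comment above the unscoped secrets rule, marking it as the rule that is dropped once statusInformers are set, would also help: the name-scoped `get` on the `replicated` secret at 333-340 is fully covered by it, and nothing in the block tells the reader which of the two is the broad grant.
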
@@ -301,7 +398,7 @@ replicated:
301398
```
302399

303400
```yaml
304-
# Generated RBAC role
401+
# Generated RBAC role with deployment/replicated, deployment/myapp, service/replicated and service/myapp statusinformers
305402
306403
apiVersion: rbac.authorization.k8s.io/v1
307404
kind: Role
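
Review bot: The new comment on line 401 spells the key `statusinformers` in lowercase, while the surrounding prose and the comment added at line 289 use `statusInformers`; use the camel-case spelling so the comment matches the key users actually set. If the configuration block that closes at line 398 already lists these four informers, consider shortening the comment to refer to that block, so the list does not have to be kept in sync in two places.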
