forked from TrueCloudLab/certificates
36 lines
944 B
YAML
36 lines
944 B
YAML
# Create a ClusterRole for managing autocert secrets, which should
|
|
# only exist in namespaces with autocert enabled and should always
|
|
# be labeled `autocert.step.sm/token: true`.
|
|
#
|
|
# To create this ClusterRole you need cluster-admin privileges. On
|
|
# GKE you can give yourself cluster-admin privileges using the
|
|
# following command:
|
|
#
|
|
# kubectl create clusterrolebinding cluster-admin-binding \
|
|
# --clusterrole cluster-admin \
|
|
# --user $(gcloud config get-value account)
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: autocert-secret-management
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["create", "delete"]
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: autocert-secret-management
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: autocert-secret-management
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: default
|
|
namespace: step
|
|
|