132 lines
3.5 KiB
YAML
132 lines
3.5 KiB
YAML
# =========================================================
|
|
# ClusterRole: Infra Deployer
|
|
#
|
|
# Used by:
|
|
# - GitHub ARC runners
|
|
# - Infrastructure deployment workflows
|
|
#
|
|
# Allows managing:
|
|
# - Postgres
|
|
# - Jobs / CronJobs (migrations, backups)
|
|
# - Traefik resources
|
|
# - Storage primitives
|
|
#
|
|
# Extend this file when infra needs grow.
|
|
# =========================================================
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRole
|
|
metadata:
|
|
name: infra-deployer-role
|
|
rules:
|
|
|
|
# -----------------------------------------------------
|
|
# Core Kubernetes resources
|
|
# -----------------------------------------------------
|
|
- apiGroups: [""]
|
|
resources:
|
|
- pods
|
|
- services
|
|
- endpoints
|
|
- configmaps
|
|
- secrets
|
|
- namespaces
|
|
- serviceaccounts
|
|
- persistentvolumes
|
|
- persistentvolumeclaims
|
|
- nodes
|
|
verbs: ["*"]
|
|
|
|
# -----------------------------------------------------
|
|
# Apps (Deployments, StatefulSets, etc.)
|
|
# -----------------------------------------------------
|
|
- apiGroups: ["apps"]
|
|
resources:
|
|
- deployments
|
|
- statefulsets
|
|
- daemonsets
|
|
- replicasets
|
|
verbs: ["*"]
|
|
|
|
# -----------------------------------------------------
|
|
# Batch workloads (THIS FIXES YOUR ISSUE)
|
|
# Jobs + CronJobs for:
|
|
# - DB backups
|
|
# - Atlas migrations
|
|
# -----------------------------------------------------
|
|
- apiGroups: ["batch"]
|
|
resources:
|
|
- jobs
|
|
- cronjobs
|
|
verbs: ["*"]
|
|
|
|
# -----------------------------------------------------
|
|
# Networking & Ingress
|
|
# -----------------------------------------------------
|
|
- apiGroups: ["networking.k8s.io", "extensions"]
|
|
resources:
|
|
- ingresses
|
|
- ingressclasses
|
|
verbs: ["*"]
|
|
|
|
# -----------------------------------------------------
|
|
# Traefik CRDs (v1 + v2)
|
|
# -----------------------------------------------------
|
|
- apiGroups: ["traefik.containo.us"]
|
|
resources: ["*"]
|
|
verbs: ["*"]
|
|
|
|
- apiGroups: ["traefik.io"]
|
|
resources:
|
|
- ingressroutes
|
|
- ingressroutetcps
|
|
- ingressrouteudps
|
|
- middlewares
|
|
- middlewaretcps
|
|
- traefikservices
|
|
- tlsoptions
|
|
- tlsstores
|
|
- serverstransports
|
|
verbs: ["*"]
|
|
|
|
# -----------------------------------------------------
|
|
# CRD management (required for Traefik & others)
|
|
# -----------------------------------------------------
|
|
- apiGroups: ["apiextensions.k8s.io"]
|
|
resources:
|
|
- customresourcedefinitions
|
|
verbs: ["*"]
|
|
|
|
---
|
|
# =========================================================
|
|
# ClusterRoleBinding: Bind Infra Deployer to ARC runners
|
|
# =========================================================
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: infra-deployer-binding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: infra-deployer-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: mealcraft-runners-gha-rs-no-permission
|
|
namespace: arc-systems
|
|
|
|
---
|
|
# =========================================================
|
|
# ClusterRoleBinding: Bind same role to Traefik
|
|
# (Traefik needs wide read/watch permissions)
|
|
# =========================================================
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: infra-deployer-traefik-binding
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: infra-deployer-role
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: traefik-ingress-controller
|
|
namespace: default
|