add default rbac rules for devbox runtime and runtime class.

labring · Aug 29, 2024 · be5acfa · be5acfa
1 parent 73edbd5
commit be5acfa
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/controllers/devbox/config/manager/manager.yaml b/controllers/devbox/config/manager/manager.yaml
@@ -77,6 +77,10 @@ spec:
         args:
           - --leader-elect
           - --health-probe-bind-address=:8081
+          - --registry-addr={{ .registryAddr }}
+          - --registry-user={{ .registryUser }}
+          - --registry-password={{ .registryPassword }}
+          - --auth-addr={{ .authAddr }}
         image: controller:latest
         name: manager
         securityContext:

diff --git a/controllers/devbox/config/rbac/role_binding.yaml b/controllers/devbox/config/rbac/role_binding.yaml
@@ -27,3 +27,29 @@ subjects:
 - kind: ServiceAccount
   name: controller-manager
   namespace: system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: devbox-runtime-default-user-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: runtime-viewer-role
+subjects:
+  - kind: Group
+    name: system:serviceaccounts
+    apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: devbox-runtimeclass-default-user-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: runtimeclass-viewer-role
+subjects:
+  - kind: Group
+    name: system:serviceaccounts
+    apiGroup: rbac.authorization.k8s.io
diff --git a/controllers/devbox/deploy/manifests/deploy.yaml.tmpl b/controllers/devbox/deploy/manifests/deploy.yaml.tmpl
@@ -865,6 +865,32 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  name: devbox-devbox-runtime-default-user-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: devbox-runtime-viewer-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: devbox-devbox-runtimeclass-default-user-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: devbox-runtimeclass-viewer-role
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: system:serviceaccounts
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: kustomize