From b5b4d705cbe1e2ab642c773a203606345caff446 Mon Sep 17 00:00:00 2001
From: allard
Date: Wed, 3 Dec 2025 11:20:20 +0100
Subject: [PATCH] change
---
 dev/backstage/service-account.yaml | 51 ++++++++++++++++++++++++------
 1 file changed, 41 insertions(+), 10 deletions(-)
diff --git a/dev/backstage/service-account.yaml b/dev/backstage/service-account.yaml
index 4730e4c..ccff891 100644
--- a/dev/backstage/service-account.yaml
+++ b/dev/backstage/service-account.yaml
@@ -5,28 +5,59 @@ metadata:
 namespace: backstage
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
- name: backstage
- namespace: backstage
+ name: backstage-k8s-reader
 rules:
+ # Core API group
 - apiGroups: [""]
- resources: ["pods", "services", "configmaps", "endpoints", "secrets"]
+ resources:
+ - pods
+ - services
+ - configmaps
+ - endpoints
+ - resourcequotas
+ - limitranges
+ - namespaces
 verbs: ["get", "list", "watch"]
+
+ # Apps
 - apiGroups: ["apps"]
- resources: ["deployments", "replicasets", "statefulsets"]
+ resources:
+ - deployments
+ - statefulsets
+ - daemonsets
+ - replicasets
+ verbs: ["get", "list", "watch"]
+
+ # Batch
+ - apiGroups: ["batch"]
+ resources:
+ - jobs
+ - cronjobs
+ verbs: ["get", "list", "watch"]
+
+ # Autoscaling
+ - apiGroups: ["autoscaling"]
+ resources:
+ - horizontalpodautoscalers
+ verbs: ["get", "list", "watch"]
+
+ # Networking
+ - apiGroups: ["networking.k8s.io"]
+ resources:
+ - ingresses
 verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
- name: backstage
- namespace: backstage
+ name: backstage-k8s-reader-binding
 subjects:
 - kind: ServiceAccount
 name: backstage
 namespace: backstage
 roleRef:
- kind: Role
- name: backstage
+ kind: ClusterRole
+ name: backstage-k8s-reader
 apiGroup: rbac.authorization.k8s.io
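Review bot: The `ClusterRoleBinding` at the end of the hunk gives the `backstage` service account get/list/watch on pods and configmaps in every namespace, where the old `Role` was confined to `backstage`; pod specs and configmaps often carry credentials in env values or embedded config, so this is a cluster-wide read of sensitive-adjacent data even though `secrets` was dropped. If Backstage only needs a known set of namespaces, keep the `ClusterRole` but bind it per namespace with `kind: RoleBinding` and `namespace: <target-namespace>` (a RoleBinding may reference a ClusterRole), and leave only `namespaces` in a separate cluster-wide binding. The removal of `secrets` deserves a comment above the core-group rule, for example `# secrets intentionally excluded; do not re-add`, so it is not restored later. Depending on how this manifest is applied, the old `Role` and `RoleBinding` named `backstage`, which still allow reading secrets, may remain in the cluster unless pruned; that is worth confirming.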