add readonly user for k8s dashboard [ci skip]

2024-01-21 04:15:09 +00:00 · 2024-01-21 04:15:09 +00:00 · 37a54452b7
commit 37a54452b7
parent bffab3201a
1 changed files with 109 additions and 0 deletions
--- a/modules/kubernetes/k8s-dashboard/main.tf
+++ b/modules/kubernetes/k8s-dashboard/main.tf
@ -153,3 +153,112 @@ resource "kubernetes_cluster_role_binding" "kubernetes-dashboard" {
 #   }
 #   depends_on = [module.dashboard]
 # }
+
+
+## Readonly RBAC
+resource "kubernetes_cluster_role" "kubernetes-dashboard-viewonly" {
+  metadata {
+    name = "kubernetes-dashboard-viewonly"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["configmaps", "endpoints", "persistentvolumeclaims", "pods", "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts", "services", "nodes", "persistentvolumeclaims", "persistentvolumes"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["bindings", "events", "limitranges", "namespaces/status", "pods/log", "pods/status", "replicationcontrollers/status", "resourcequotas", "resourcequotas/status"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["namespaces"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["apps"]
+    resources  = ["daemonsets", "deployments", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["autoscaling"]
+    resources  = ["horizontalpodautoscalers"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["batch"]
+    resources  = ["cronjobs", "jobs"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["extensions"]
+    resources  = ["daemonsets", "deployments", "deployments/scale", "ingresses", "networkpolicies", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["policy"]
+    resources  = ["poddisruptionbudgets"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["networking.k8s.io"]
+    resources  = ["networkpolicies"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["storage.k8s.io"]
+    resources  = ["storageclasses", "volumeattachments"]
+    verbs      = ["get", "list", "watch"]
+  }
+
+  rule {
+    api_groups = ["rbac.authorization.k8s.io"]
+    resources  = ["clusterrolebindings", "clusterroles", "roles", "rolebindings"]
+    verbs      = ["get", "list", "watch"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding" "kubernetes-dashboard-viewonly" {
+  metadata {
+    name = "kubernetes-dashboard-viewonly"
+  }
+
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "kubernetes-dashboard-viewonly"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "kubernetes-dashboard-viewonly"
+    namespace = "kubernetes-dashboard"
+  }
+}
+
+resource "kubernetes_service_account" "kubernetes-dashboard-viewonly" {
+  metadata {
+    name      = "kubernetes-dashboard-viewonly"
+    namespace = "kubernetes-dashboard"
+  }
+}
+
+resource "kubernetes_secret" "kubernetes-dashboard-viewonly-token" {
+  metadata {
+    name      = "kubernetes-dashboard-viewonly"
+    namespace = "kubernetes-dashboard"
+    annotations = {
+      "kubernetes.io/service-account.name" : "kubernetes-dashboard-viewonly"
+    }
+  }
+  type = "kubernetes.io/service-account-token"
+}