blob: 20e4e7c0fac870c81735f603d0bf91d331616964 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
#
# Create service account / role / role-binding:
# oc -n my-namespace apply -f service-account.yml
#
# Obtain API token and CA cert:
#
# $ SECRET_NAME=$(oc -n my-namespace get sa awx -o json | jq -r '.secrets[0].name')
# $ oc -n my-namespace get secret $SECRET_NAME -o json | jq -r '.data["token"] | @base64d'
# $ oc -n my-namespace get secret $SECRET_NAME -o json | jq -r '.data["ca.crt"] | @base64d'
#
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: awx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-manager
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: awx-pod-manager
subjects:
- kind: ServiceAccount
name: awx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-manager
|
