How to use the @pulumi/kubernetes.rbac function in @pulumi/kubernetes
To help you get started, we’ve selected a few @pulumi/kubernetes examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
pulumi / kubernetes-guides / general-cluster-services / datadog-daemonset / index.ts View on Github 
},
{ // Kubelet connectivity
apiGroups: [""],
resources: ["nodes/metrics", "nodes/spec", "nodes/proxy"],
verbs: ["get"],
},
{ // To get info and statuses.
nonResourceURLs: [ "/version", "/healthz"],
verbs: ["get"],
},
],
}, {provider: provider},
);
// Create a RoleBinding for DataDog to work with resources.
const ddClusterRoleBinding = new k8s.rbac.v1.ClusterRoleBinding(appName,
{
subjects: [
{
kind: "ServiceAccount",
name: ddServiceAccount.metadata.name,
namespace: config.appSvcsNamespaceName,
},
],
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: ddClusterRole.metadata.name,
},
}, {provider: provider},
)apiGroups: ["rbac.authorization.k8s.io"],
resources: ["clusterrole", "clusterrolebinding", "role", "rolebinding"],
verbs: ["get", "list", "watch", "create", "update", "delete"],
},
{
apiGroups: ["extensions", "apps"],
resources: ["replicasets", "deployments"],
verbs: ["get", "list", "watch", "create", "update", "delete"],
},
],
},
{ provider: cluster.provider },
);
// Bind the `pulumi:devs` RBAC group to the new, limited role.
const devsGroupRoleBinding = new k8s.rbac.v1.RoleBinding(`pulumi-devs-${index}`,
{
metadata: { namespace: roleNs },
subjects: [{
kind: "Group",
name: "pulumi:devs",
}],
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "Role",
name: devsGroupRole.metadata.name,
},
}, { provider: cluster.provider });
});cpu: "20",
memory: "1Gi",
pods: "10",
replicationcontrollers: "20",
resourcequotas: "1",
services: "5",
},
},
},
{
provider: provider,
},
);
// Create a limited role for the `pulumi:devs` to use in the apps namespace.
const devsGroupRole = new k8s.rbac.v1.Role(`pulumi-devs`,
{
metadata: { namespace: appsNamespaceName },
rules: [
{
apiGroups: [""],
resources: ["configmap", "pods", "secrets", "services", "persistentvolumeclaims"],
verbs: ["get", "list", "watch", "create", "update", "delete"],
},
{
apiGroups: ["rbac.authorization.k8s.io"],
resources: ["clusterrole", "clusterrolebinding", "role", "rolebinding"],
verbs: ["get", "list", "watch", "create", "update", "delete"],
},
{
apiGroups: ["extensions", "apps"],
resources: ["replicasets", "deployments"],}).ipAddress;
// Export the cluster details.
export const kubeconfig = cluster.kubeConfigRaw;
export const kubeconfigAdmin = cluster.kubeAdminConfigRaw;
export const clusterId = cluster.id;
export const clusterName = cluster.name;
export const clusterResourceGroup = cluster.nodeResourceGroup;
// Define a k8s provider instance of the cluster.
// Use admin config to get enough permissions for role binding.
const provider = new k8s.Provider(`${name}-aks`, {
kubeconfig: cluster.kubeAdminConfigRaw,
});
const adminRole = new k8s.rbac.v1.ClusterRoleBinding("pulumi-admins", {
subjects: [{
apiGroup: "rbac.authorization.k8s.io",
kind: "Group",
name: config.adGroupAdmins,
}],
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "cluster-admin",
},
}, { provider });
// Create Kubernetes namespaces.
const clusterSvcsNamespace = new k8s.core.v1.Namespace("cluster-svcs", undefined, { provider, dependsOn: [adminRole] });
export const clusterSvcsNamespaceName = clusterSvcsNamespace.metadata.name;metadata: { name: "allow-restricted-apps" },
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: restrictiveClusterRole.metadata.name
},
subjects: [{
kind: "User",
name: `${devsAccountId}@${project}.iam.gserviceaccount.com`,
namespace: appsNamespaceName
}],
})});
// Create a ClusterRoleBinding for the SeviceAccounts of Namespace ingress-nginx
// to the ClusterRole that uses the privileged PodSecurityPolicy.
const privilegedCRB = new k8s.rbac.v1.ClusterRoleBinding("privileged", {
metadata: { name: "allow-privileged-ingress-nginx" },
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "gce:podsecuritypolicy:privileged"
},
subjects: [
{
kind: "Group",
name: "system:serviceaccounts:ingress-nginx",
apiGroup: "rbac.authorization.k8s.io"
}
]
});{
metadata: {labels: appLabels},
data: {
"DD_API_KEY": config.datadogApiKey,
"DD_PROCESS_AGENT_ENABLED": "true",
"DD_LOGS_ENABLED": "true",
"DD_LOGS_CONFIG_CONTAINER_COLLECT_ALL": "true",
"DD_COLLECT_KUBERNETES_EVENTS": "true",
"DD_LEADER_ELECTION": "true",
"KUBERNETES": "true",
},
}, {provider: provider},
);
// Create a Role for DataDog to work with resources.
const ddClusterRole = new k8s.rbac.v1.ClusterRole(appName,
{
rules: [
{ // To get info, statuses, and events.
apiGroups: [""],
resources: ["services", "events", "endpoints", "pods", "nodes", "componentstatuses"],
verbs: ["get", "list", "watch"],
},
{ // To create the leader election token
apiGroups: [""],
resources: ["configmaps"],
// datadogtoken: Kubernetes event collection state
// datadog-leader-election: Leader election token
resourceNames: ["datadogtoken", "datadog-leader-election"],
verbs: ["get", "update"],
},
{ // To create the leader election tokenpath.join(__dirname, "dashboard", "heapster-rbac.yaml"),
].map(filePath => fs.readFileSync(filePath).toString());
const dashboard = new k8s.yaml.ConfigGroup(`${name}-dashboard`, {
yaml: dashboardYaml,
}, { parent: parent, providers: { kubernetes: k8sProvider } });
// Create a service account for admin access.
const adminAccount = new k8s.core.v1.ServiceAccount(`${name}-eks-admin`, {
metadata: {
name: "eks-admin",
namespace: "kube-system",
},
}, { parent: parent, provider: k8sProvider });
// Create a role binding for the admin account.
const adminRoleBinding = new k8s.rbac.v1.ClusterRoleBinding(`${name}-eks-admin`, {
metadata: {
name: "eks-admin",
},
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "cluster-admin",
},
subjects: [{
kind: "ServiceAccount",
name: "eks-admin",
namespace: "kube-system",
}],
}, { parent: parent, provider: k8sProvider });
}import { execSync } from "child_process";
import * as k8s from "@pulumi/kubernetes";
import * as config from "./config";
import { k8sProvider } from "./cluster";
const appName = "istio";
const namespace = new k8s.core.v1.Namespace(
`${appName}-system`,
{ metadata: { name: `${appName}-system` } },
{ provider: k8sProvider }
);
const adminBinding = new k8s.rbac.v1.ClusterRoleBinding(
"cluster-admin-binding",
{
metadata: { name: "cluster-admin-binding" },
roleRef: {
apiGroup: "rbac.authorization.k8s.io",
kind: "ClusterRole",
name: "cluster-admin"
},
subjects: [
{ apiGroup: "rbac.authorization.k8s.io", kind: "User", name: config.gcpUsername }
]
},
{ provider: k8sProvider }
);
export const istio = new k8s.helm.v2.Chart(roleNamespaces.forEach((roleNs, index) => {
const devsGroupRole = new k8s.rbac.v1.Role(`pulumi-devs-${index}`,
{
metadata: { namespace: roleNs },
rules: [
{
apiGroups: [""],
resources: ["configmap", "pods", "secrets", "services", "persistentvolumeclaims"],
verbs: ["get", "list", "watch", "create", "update", "delete"],
},
{
apiGroups: ["rbac.authorization.k8s.io"],
resources: ["clusterrole", "clusterrolebinding", "role", "rolebinding"],
verbs: ["get", "list", "watch", "create", "update", "delete"],
},
{
apiGroups: ["extensions", "apps"],
resources: ["replicasets", "deployments"],export function makeNginxClusterRole(
name: string,
args: NginxClusterRoleArgs,
): k8s.rbac.v1.ClusterRole {
return new k8s.rbac.v1.ClusterRole(
name,
{
rules: [
{
apiGroups: [""],
resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"],
verbs: ["list", "watch"],
},
{
apiGroups: [""],
resources: ["nodes"],
verbs: ["get"],
},
{
apiGroups: [""],
resources: ["services"],@pulumi/kubernetes
[](https://travis-ci.com/pulumi/pulumi-kubernetes) [](https://slack.pulumi.com) [
Package Health Score
92 / 100Popular @pulumi/kubernetes functions
- @pulumi/kubernetes.apiextensions
- @pulumi/kubernetes.apps
- @pulumi/kubernetes.batch
- @pulumi/kubernetes.core
- @pulumi/kubernetes.extensions
- @pulumi/kubernetes.helm
- @pulumi/kubernetes.policy
- @pulumi/kubernetes.Provider
- @pulumi/kubernetes.rbac
- @pulumi/kubernetes.storage
- @pulumi/kubernetes.yaml
- @pulumi/kubernetes/helm.v2