jenkins: Restrict role permissions

Jenkins doesn't really need full control of all resources in its namespace. Rather, it only needs to be able to manage Pod and PersistentVolumeClaim resources.
2022-11-14 20:08:04 -06:00
parent 668b5bf5a9
commit 19ad5023b8
1 changed files with 19 additions and 2 deletions
--- a/jenkins/jenkins.yaml
+++ b/jenkins/jenkins.yaml
@@ -2,6 +2,23 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: jenkins
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: jenkins
+  namespace: jenkins
+rules:
+- apiGroups:
+  - ''
+  resources:
+  - persistentvolumeclaims
+  - pods
+  - pods/exec
+  verbs:
+  - '*'
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -10,8 +27,8 @@ metadata:
  namespace: jenkins
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: edit
+  kind: Role
+  name: jenkins
 subjects:
 - apiGroup: rbac.authorization.k8s.io
  kind: User