70143fa1cd
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Woodpecker CI was timing out when watching deployment rollout status due to missing RBAC permissions. The deployments were succeeding but CI couldn't verify completion. Changes: - Add 'watch' verb to woodpecker-deployer Role - Add threesix/default service account to RoleBinding - Consolidate woodpecker-deployer RBAC into base/rbac.yaml This resolves the "Failed to watch: deployments.apps is forbidden" errors in CI logs while maintaining successful deployment rollouts. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
88 lines
1.9 KiB
YAML
88 lines
1.9 KiB
YAML
# RBAC for rdev-api to exec into claudebox pods
|
|
# v0.4 - API Server
|
|
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: rdev-api
|
|
namespace: rdev
|
|
labels:
|
|
app.kubernetes.io/name: rdev-api
|
|
app.kubernetes.io/part-of: rdev
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: rdev-api
|
|
namespace: rdev
|
|
labels:
|
|
app.kubernetes.io/name: rdev-api
|
|
app.kubernetes.io/part-of: rdev
|
|
rules:
|
|
# List and get pods (for project discovery and status)
|
|
- apiGroups: [""]
|
|
resources: ["pods"]
|
|
verbs: ["get", "list", "watch"]
|
|
|
|
# Execute commands in pods
|
|
- apiGroups: [""]
|
|
resources: ["pods/exec"]
|
|
verbs: ["create"]
|
|
|
|
# Read pod logs (for debugging)
|
|
- apiGroups: [""]
|
|
resources: ["pods/log"]
|
|
verbs: ["get"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: rdev-api
|
|
namespace: rdev
|
|
labels:
|
|
app.kubernetes.io/name: rdev-api
|
|
app.kubernetes.io/part-of: rdev
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: rdev-api
|
|
namespace: rdev
|
|
roleRef:
|
|
kind: Role
|
|
name: rdev-api
|
|
apiGroup: rbac.authorization.k8s.io
|
|
---
|
|
# RBAC for Woodpecker CI to deploy to rdev namespace
|
|
# Allows CI service accounts to apply deployment patches and watch rollout status
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: woodpecker-deployer
|
|
namespace: rdev
|
|
labels:
|
|
app.kubernetes.io/name: woodpecker-deployer
|
|
app.kubernetes.io/part-of: rdev
|
|
rules:
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments"]
|
|
verbs: ["get", "list", "patch", "watch"]
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: woodpecker-deployer
|
|
namespace: rdev
|
|
labels:
|
|
app.kubernetes.io/name: woodpecker-deployer
|
|
app.kubernetes.io/part-of: rdev
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: default
|
|
namespace: rdev
|
|
- kind: ServiceAccount
|
|
name: default
|
|
namespace: threesix
|
|
roleRef:
|
|
kind: Role
|
|
name: woodpecker-deployer
|
|
apiGroup: rbac.authorization.k8s.io
|