jordan/rdev
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
b03c1f8028
rdev/deployments/k8s/base/rbac.yaml
jordan d63f827713
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
fix(rbac): grant woodpecker-deployer access to statefulsets 
The CI deploy step runs `kubectl set image statefulset/claudebox` but
the woodpecker-deployer Role only included `deployments`. Add
`statefulsets` to the allowed resources.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-09 19:35:28 -07:00

88 lines
2.0 KiB
YAML
Raw Blame History

# RBAC for rdev-api to exec into claudebox pods
# v0.4 - API Server
apiVersion: v1
kind: ServiceAccount
metadata:
name: rdev-api
namespace: rdev
labels:
app.kubernetes.io/name: rdev-api
app.kubernetes.io/part-of: rdev
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: rdev-api
namespace: rdev
labels:
app.kubernetes.io/name: rdev-api
app.kubernetes.io/part-of: rdev
rules:
# List and get pods (for project discovery and status)
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
# Execute commands in pods
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
# Read pod logs (for debugging)
- apiGroups: [""]
resources: ["pods/log"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: rdev-api
namespace: rdev
labels:
app.kubernetes.io/name: rdev-api
app.kubernetes.io/part-of: rdev
subjects:
- kind: ServiceAccount
name: rdev-api
namespace: rdev
roleRef:
kind: Role
name: rdev-api
apiGroup: rbac.authorization.k8s.io
---
# RBAC for Woodpecker CI to deploy to rdev namespace
# Allows CI service accounts to apply deployment patches and watch rollout status
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: woodpecker-deployer
namespace: rdev
labels:
app.kubernetes.io/name: woodpecker-deployer
app.kubernetes.io/part-of: rdev
rules:
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
verbs: ["get", "list", "patch", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: woodpecker-deployer
namespace: rdev
labels:
app.kubernetes.io/name: woodpecker-deployer
app.kubernetes.io/part-of: rdev
subjects:
- kind: ServiceAccount
name: default
namespace: rdev
- kind: ServiceAccount
name: default
namespace: threesix
roleRef:
kind: Role
name: woodpecker-deployer
apiGroup: rbac.authorization.k8s.io
Reference in New Issue View Git Blame Copy Permalink