Commit b02adcc

feat: add Karmada RBAC for compute manager

Add ClusterRole and ClusterRoleBinding granting the compute-manager service account the permissions it needs to manage federated workload deployments via Karmada.

Key permissions granted:
- Full CRUD on compute.datumapis.com workload and instance resources
- Full CRUD on Karmada PropagationPolicy resources
- Read-only access to Karmada cluster, resource binding, and interpreter configuration resources

1 parent c4fbdf1 commit b02adcc

2 files changed

Lines changed: 37 additions & 0 deletions

Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
apiVersion: kustomize.config.k8s.io/v1beta1
2+
kind: Kustomization
3+
4+
resources:
5+
- rbac.yaml
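
Review bot: Nothing in this commit references the new Kustomization whose `resources:` list pulls in `rbac.yaml`. Both changed files are new, so the ClusterRole and ClusterRoleBinding are only applied once some existing kustomization or deploy step lists this directory. Either add that reference in this change or state in the commit message where it is wired in.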

config/base/karmada-rbac/rbac.yaml

Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
name: compute-manager
5+
rules:
6+
- apiGroups: ["compute.datumapis.com"]
7+
resources: ["workloaddeployments", "workloaddeployments/status", "instances", "instances/status"]
8+
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
9+
- apiGroups: ["policy.karmada.io"]
10+
resources: ["propagationpolicies", "clusterpropagationpolicies"]
11+
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
12+
- apiGroups: ["cluster.karmada.io"]
13+
resources: ["clusters"]
14+
verbs: ["get", "list", "watch"]
15+
- apiGroups: ["work.karmada.io"]
16+
resources: ["resourcebindings", "clusterresourcebindings"]
17+
verbs: ["get", "list", "watch"]
18+
- apiGroups: ["config.karmada.io"]
19+
resources: ["resourceinterpreterwebhookconfigurations", "resourceinterpretercustomizations"]
20+
verbs: ["get", "list", "watch"]
21+
---
22+
apiVersion: rbac.authorization.k8s.io/v1
23+
kind: ClusterRoleBinding
24+
metadata:
25+
name: compute-manager
26+
roleRef:
27+
apiGroup: rbac.authorization.k8s.io
28+
kind: ClusterRole
29+
name: compute-manager
30+
subjects:
31+
- kind: User
32+
name: system:serviceaccount:compute-system:compute-manager
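
Review bot: The `policy.karmada.io` rule (new lines 9-11) grants `create`, `update`, `patch` and `delete` on `clusterpropagationpolicies` as well as `propagationpolicies`, while the commit message only names PropagationPolicy. ClusterPropagationPolicy is cluster-scoped, and because this is a ClusterRole bound through a ClusterRoleBinding, the write verbs on both kinds apply in every namespace. If the compute manager only creates namespaced policies, drop `clusterpropagationpolicies` from this rule or reduce it to `get`, `list`, `watch`. Separately, the binding subject at new lines 30-32 is `kind: User` with the name `system:serviceaccount:compute-system:compute-manager` rather than `kind: ServiceAccount` with `namespace` and `name`; if that is deliberate, a YAML comment saying why would keep a later cleanup from changing it.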
