Merge pull request #1 from darkdoc/sudoers_crb

day0hero · web-flow · commit 72dc749de52a · 2026-06-01T14:05:53.000+01:00
feat: Add cluster role binding with sudoers
diff --git a/.trivyignore b/.trivyignore
@@ -1,6 +1,6 @@
 # Hypershift admin ClusterRole is intentionally privileged; suppress noisy RBAC policy checks.
-KSV-0041
-KSV-0045
-KSV-0046
-KSV-0049
-KSV-0056
+AVD-KSV-0041
+AVD-KSV-0045
+AVD-KSV-0046
+AVD-KSV-0049
+AVD-KSV-0056
diff --git a/templates/rbac/hcp-sudo-crolebinding.yaml b/templates/rbac/hcp-sudo-crolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rbac.create }}
+{{- range .Values.rbac.sudoerGroups }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ lower . }}-sudoer-crb
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: sudoer
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
@@ -12,6 +12,7 @@ rbac:
     name: hcp-admins-crb
   users: []
   groups: []
+  sudoerGroups: []
 
 clusterGroup:
   isHubCluster: true
