How to organize the issuance of rights in Kubernetes IaC?

I have a cluster with many namespaces; developers only need rights to individual namespaces. I don't want to do this manually. I believe that you can describe some access groups and then set up automatic deployment in GitLab.
For example, I have namespaces: ns1 and ns2, developer accounts: developer1 and developer2. There is an access group, devs, with the necessary rights.
How do I describe what is needed?
I understand how to describe this with manifests and run apply, but I want to do it as IaC with automation: simply add the account name and namespace to some file, then run the auto deployment in GitLab, and that's it.
I use GitLab as CI.
This is what I have now:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs
  namespace: ns1
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/exec
  verbs:
  - create
  - get
  - list
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - pods/log
  verbs:
  - get
  - list
  - watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: devs
  namespace: ns1
subjects:
- kind: User
  name: develop1
  namespace: ns1
roleRef:
  kind: Role
  name: devs
  apiGroup: rbac.authorization.k8s.io
```
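
One way to get the workflow the question describes, as an added example that is not part of the original post: a script keeps the namespace-to-user mapping in one place, validates it, and renders a Role and RoleBinding per namespace as a JSON `List` that `kubectl apply -f -` accepts. The `ACCESS` mapping, the function names and the validation rules are assumptions; the rules are copied from the devs Role above.

```python
import json
import re

# Constructed sample of the "some file" the question asks for: namespace -> users.
ACCESS = {"ns1": ["developer1"], "ns2": ["developer1", "developer2"]}

# Rules copied from the devs Role in the question.
DEVS_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec"],
     "verbs": ["create", "get", "list", "update", "delete"]},
    {"apiGroups": [""], "resources": ["pods/log"],
     "verbs": ["get", "list", "watch"]},
]
RBAC = "rbac.authorization.k8s.io"
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")

def validate(access):
    """Fail the pipeline on entries that would widen access unintentionally."""
    for ns, users in access.items():
        # Assumed policy: never hand out developer rights in kube-* namespaces.
        if not DNS_LABEL.match(ns) or ns.startswith("kube-"):
            raise ValueError(f"refusing namespace {ns!r}")
        if not users or len(set(users)) != len(users):
            raise ValueError(f"empty or duplicate user list for {ns!r}")
        for user in users:
            # Assumed policy: system: identities are never bound from this file.
            if not user or user.startswith("system:"):
                raise ValueError(f"refusing subject {user!r} in {ns!r}")

def render(access, role="devs"):
    """Return one Role and one RoleBinding per namespace as a v1 List."""
    validate(access)
    items = []
    for ns in sorted(access):
        meta = {"name": role, "namespace": ns}
        items.append({"apiVersion": f"{RBAC}/v1", "kind": "Role",
                      "metadata": meta, "rules": DEVS_RULES})
        items.append({"apiVersion": f"{RBAC}/v1", "kind": "RoleBinding",
                      "metadata": meta,
                      "subjects": [{"kind": "User", "name": u, "apiGroup": RBAC}
                                   for u in sorted(access[ns])],
                      "roleRef": {"kind": "Role", "name": role, "apiGroup": RBAC}})
    return {"apiVersion": "v1", "kind": "List", "items": items}

if __name__ == "__main__":
    # A GitLab CI job could pipe this output into `kubectl apply -f -`.
    print(json.dumps(render(ACCESS), indent=2))
```

Because validation runs before anything is rendered, a bad entry in the mapping fails the CI job instead of reaching the cluster.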