Use the following Role and RoleBinding for the service account associated with the delegate StatefulSet.
Introduction:
Some of our users don't want to give the delegate cluster-admin permissions; they want to scope a delegate to specific namespaces. We can do this today, but the delegate still needs to query events at the cluster level to confirm that a pod has reached a steady state and is healthy. There is more on this in our documentation: https://docs.harness.io/article/p91u0bxtaf-enable-delegate-to-deploy-to-multiple-kubernetes-namespaces
So in practice we have seen customers combine a narrowly scoped ClusterRole (read-only access to events) with a Role in the target namespace, both bound to the same service account.
```yaml
# In GKE you need to grant yourself RBAC permissions first with
# kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin [--user=<user-name>|--group=<group-name>]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: blackbelt-dev
  namespace: blackbelt
---
# Namespaced Role: everything the delegate needs inside the target namespace.
# rbac.authorization.k8s.io/v1 is used throughout; v1beta1 was removed in Kubernetes 1.22.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: blackbelt-dev
  namespace: blackbelt
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["extensions", "apps"]
  resources: ["deployments"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["services", "endpoints"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get"]   # lets the delegate read the target namespace object itself
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: blackbelt-dev
  namespace: blackbelt
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: blackbelt-dev
subjects:
- kind: ServiceAccount
  name: blackbelt-dev
  namespace: blackbelt
---
# Cluster-scoped, read-only access to events so the delegate can verify pod steady state.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: blackbelt
rules:
- apiGroups: [""]
  resources: ["events"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: blackbelt
  # no namespace here: a ClusterRoleBinding is a cluster-scoped object
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: blackbelt
subjects:
- kind: ServiceAccount
  name: blackbelt-dev
  namespace: blackbelt
```
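To check the boundary this pair of bindings draws before applying it, here is an added example (not part of the original post or of Harness) that models how the RBAC authorizer combines the namespaced Role and the cluster-scoped ClusterRole for the `blackbelt-dev` service account; the rule tables are constructed copies of the manifests above, and the simplified evaluator ignores resourceNames, wildcards and non-resource URLs, none of which the manifests use.

```python
# Added example (not from the original post): a minimal offline model of how
# the Kubernetes RBAC authorizer combines a namespaced Role with a
# cluster-scoped ClusterRole bound to the same ServiceAccount. It ignores
# resourceNames, wildcards and non-resource URLs, which the manifests do not use.
SA = "system:serviceaccount:blackbelt:blackbelt-dev"
ALL = {"create", "delete", "get", "list", "patch", "update", "watch"}

# Constructed copies of the rules above: (apiGroups, resources, verbs).
ROLE_RULES = [                       # Role blackbelt-dev (namespace blackbelt)
    ({""}, {"pods", "configmaps", "secrets", "services", "endpoints"}, ALL),
    ({"extensions", "apps"}, {"deployments"}, ALL),
    ({""}, {"namespaces"}, {"get"}),
]
CLUSTER_ROLE_RULES = [               # ClusterRole blackbelt
    ({""}, {"events"}, {"get", "list", "watch"}),
]
# (subject, namespace, rules): a RoleBinding carries its namespace, a
# ClusterRoleBinding (namespace None) applies in every namespace.
BINDINGS = [(SA, "blackbelt", ROLE_RULES), (SA, None, CLUSTER_ROLE_RULES)]


def can_i(subject, verb, resource, namespace, group=""):
    """True if some binding visible in `namespace` grants verb on resource."""
    for bound_subject, bound_ns, rules in BINDINGS:
        if bound_subject != subject:
            continue
        if bound_ns is not None and bound_ns != namespace:
            continue                 # a RoleBinding never reaches another namespace
        for groups, resources, verbs in rules:
            if group in groups and resource in resources and verb in verbs:
                return True
    return False


def scope_report(subject=SA):
    """The checks a reviewer would otherwise run with `kubectl auth can-i --as`."""
    checks = {
        "list events in kube-system": ("list", "events", "kube-system", ""),
        "create pods in blackbelt": ("create", "pods", "blackbelt", ""),
        "create pods in kube-system": ("create", "pods", "kube-system", ""),
        "delete deployments in blackbelt": ("delete", "deployments", "blackbelt", "apps"),
        "get secrets in kube-system": ("get", "secrets", "kube-system", ""),
        "delete the blackbelt namespace": ("delete", "namespaces", "blackbelt", ""),
    }
    return {name: can_i(subject, *args) for name, args in checks.items()}


if __name__ == "__main__":
    for name, allowed in scope_report().items():
        print(("yes " if allowed else "no  ") + name)
```

Against a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> -n <namespace> --as=system:serviceaccount:blackbelt:blackbelt-dev`, which is the check worth running after `kubectl apply`.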
I hope this helps you get started with scoping the delegate to its proper needs.
Happy Deploying and Till Next Time fellow Canaries!