What specific ClusterRole and ClusterRoleBinding does the service account require for the GitOps Agent?
Below is a sample of a bare-minimum ClusterRole for a service account. It allows the agent to manage Deployments, DaemonSets, StatefulSets and Services, and it is required on the target cluster (not the cluster where the agent is installed) where the apps will be deployed.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sa-test-role
rules:
  - apiGroups:
      - apps
    resources:
      - deployments
      - daemonsets
      - statefulsets
    verbs:
      - get
      - watch
      - list
      - create
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - podtemplates
      - pods
      - pods/log
      - persistentvolumeclaims
      - secrets
      - nodes
      - endpoints
      - services
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - create
      - patch
```
The resources you grant can vary with your needs. If your app contains only Deployments and Services, you can remove statefulsets and daemonsets from the first rule; decide based on the entities you actually deploy. Note two things about the sample as written: Services get only create and patch, so the service account cannot delete a Service, and because this is a ClusterRole the read access to Secrets (and the other core resources) applies in every namespace. If the apps land in a known set of namespaces, you can keep the ClusterRole but bind it with a RoleBinding in each of those namespaces instead of a ClusterRoleBinding, which restricts the grant to those namespaces.
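The ClusterRole alone grants nothing until a subject is bound to it. The following is an added example, not part of the original page, showing the ServiceAccount and the ClusterRoleBinding that attach the sa-test-role ClusterRole above on the target cluster. The namespace gitops, the ServiceAccount name gitops-deployer and the binding name sa-test-role-binding are assumed placeholders; replace them with your own.

```yaml
# Added example (not from the original page): the ServiceAccount and
# ClusterRoleBinding that attach the sa-test-role ClusterRole defined above.
# "gitops", "gitops-deployer" and "sa-test-role-binding" are assumed
# placeholder names. Apply this on the target cluster, together with the
# ClusterRole itself.
apiVersion: v1
kind: Namespace
metadata:
  name: gitops
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitops-deployer
  namespace: gitops
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sa-test-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sa-test-role        # the ClusterRole shown above
subjects:
  - kind: ServiceAccount
    name: gitops-deployer
    namespace: gitops
```

After applying, verify the effective permissions by impersonating the service account rather than trusting the manifest: `kubectl auth can-i create deployments --as=system:serviceaccount:gitops:gitops-deployer -n <app-namespace>` should answer `yes`, and `kubectl auth can-i delete services --as=system:serviceaccount:gitops:gitops-deployer -n <app-namespace>` should answer `no` with the sample role, since Services are granted only create and patch. Impersonation with `--as` requires that your own kubectl identity has the impersonate permission. To scope the grant to specific namespaces, replace the ClusterRoleBinding with a RoleBinding (same roleRef and subjects) created in each namespace the apps are deployed to.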