From 88fafab27e45fadb3420206ca99bbbb14848bc76 Mon Sep 17 00:00:00 2001
From: William Valentin
Date: Thu, 26 Mar 2026 11:02:00 -0700
Subject: [PATCH] feat(k8s): add cluster read-only access resources
---
cluster-readonly-binding.yaml | 12 ++++++++++++
cluster-readonly-role.yaml | 10 ++++++++++
cluster-readonly-sa.yaml | 5 +++++
cluster-readonly-token.yaml | 8 ++++++++
lan-readonly-kubeconfig.yaml | 18 ++++++++++++++++++
5 files changed, 53 insertions(+)
create mode 100644 cluster-readonly-binding.yaml
create mode 100644 cluster-readonly-role.yaml
create mode 100644 cluster-readonly-sa.yaml
create mode 100644 cluster-readonly-token.yaml
create mode 100644 lan-readonly-kubeconfig.yaml
diff --git a/cluster-readonly-binding.yaml b/cluster-readonly-binding.yaml
new file mode 100644
index 0000000..dc6e3a8
--- /dev/null
+++ b/cluster-readonly-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: lan-readonly-binding
+subjects:
+- kind: ServiceAccount
+ name: lan-readonly
+ namespace: swarm
+roleRef:
+ kind: ClusterRole
+ name: cluster-readonly
+ apiGroup: rbac.authorization.k8s.io
diff --git a/cluster-readonly-role.yaml b/cluster-readonly-role.yaml
new file mode 100644
index 0000000..a59c161
--- /dev/null
+++ b/cluster-readonly-role.yaml
@@ -0,0 +1,10 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cluster-readonly
+rules:
+- apiGroups: ["*"]
+ resources: ["*"]
+ verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["*"]
+ verbs: ["get", "list", "watch"]
diff --git a/cluster-readonly-sa.yaml b/cluster-readonly-sa.yaml
new file mode 100644
index 0000000..228a164
--- /dev/null
+++ b/cluster-readonly-sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: lan-readonly
+ namespace: swarm
diff --git a/cluster-readonly-token.yaml b/cluster-readonly-token.yaml
new file mode 100644
index 0000000..1c79a9c
--- /dev/null
+++ b/cluster-readonly-token.yaml
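Review bot: In cluster-readonly-role.yaml the first rule's `apiGroups: ["*"]` / `resources: ["*"]` with `get`, `list`, `watch` makes every Secret in the cluster readable, including other service accounts' token Secrets, so a holder of this "read-only" identity can obtain more privileged credentials. Enumerate the API groups and resources the LAN consumer actually needs and leave `secrets` out, or drop this ClusterRole and point the binding's `roleRef` at the built-in `view` ClusterRole, which does not grant Secret access. In the second rule, `nonResourceURLs` requests are matched on HTTP-style verbs, so `list` and `watch` have no effect there and `verbs: ["get"]` is enough. Because cluster-readonly-binding.yaml attaches this role with a ClusterRoleBinding, the grant applies to every namespace.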
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: lan-readonly-token
+ namespace: swarm
+ annotations:
+ kubernetes.io/service-account.name: lan-readonly
+type: kubernetes.io/service-account-token
diff --git a/lan-readonly-kubeconfig.yaml b/lan-readonly-kubeconfig.yaml
new file mode 100644
index 0000000..3afaf1d
--- /dev/null
+++ b/lan-readonly-kubeconfig.yaml
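Review bot: The Secret in cluster-readonly-token.yaml is of type `kubernetes.io/service-account-token`, which has the control plane mint a token for `lan-readonly` that does not expire and stays valid until the Secret or the ServiceAccount is deleted. Unless the consumer cannot cope with rotation, prefer a bound, time-limited token issued on demand, e.g. `kubectl create token lan-readonly -n swarm --duration=<PERIOD>`, and drop this manifest. If the long-lived Secret has to stay, document it above `type:` with a comment such as `# long-lived token for <CONSUMER>; rotate by deleting and re-applying this Secret`.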
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+ certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURBRENDQWVpZ0F3SUJBZ0lVRFo5czlRNHBrT24vK3B1UUxjbk5MTDRYSWxZd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dERVdNQlFHQTFVRUF4TU5hM1ZpWlhKdVpYUmxjeTFqWVRBZUZ3MHlOVEV3TVRZeE5qVTBNREJhRncwegpOVEV3TVRReE5qVTBNREJhTUJneEZqQVVCZ05WQkFNVERXdDFZbVZ5Ym1WMFpYTXRZMkV3Z2dFaU1BMEdDU3FHClNJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUURDNWljWTRzb3hSL1FrV3VFS0NPaFUrMFdYMFcyeUwvbFMKZk05a2tXQjk2a1pka0JQYlRNMW9vY1lURng3VmY2cWNpaFJRaThpT0lUTGpPK0xhQzk2VXNlMGFDUmdCYTZhYgpQQ1JFOXlBTWkrZ0ZITDN6bVNPa3VrdVU2WlNBNXFUU3JXUjM4d2UvUTB4bFlLR05JdlExVWE3ZHZzQkRkbjhYCmtjcTM3dFdNeGl4OGRCUWhZNUY1bVduZFFGTzUwR0NiSWNOTytBbFc3Qis3UFlGMzd3ckVQOUpzSFAwQS9sUTEKWm1NMUJSY2p2UkxMUVBGUVhhRnYrRXZpZmpmK0VKNTdxZVo1UzRuZkpickJpc1VaQWNxelJ2ZFBVM1FiT0gzKwpzTytaT0NaRWxmWWx6OXkzSWgzS2RzOUk4cithSG4reTIvbWNPQ2haN0hQTEdpZjA2MGZCQWdNQkFBR2pRakJBCk1BNEdBMVVkRHdFQi93UUVBd0lCQmpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJReUFGMWEKdkRkbVhVb0tKNWhXd29RL2p4SlUyekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBbTZjUjVVS2t2YXkzd3h4ZQpmRU9waW9yUHIxeWRncGhtRFk0Z1U4bW9EanNZamVqdkxmMFNwS053ckd3UWJhSjZRNnFLOS9qNnBUZVRYZ0VGCmRaNE9FRGVVbW5xaGlaVXk1VnlIY05RUG9SUkJ6QUtxSVpFQkJONXQrb1ZRU0MvZzJEL1VZWTlKUzVmdlJWRUcKV3BRdVpMMS9UUGVvSk1qUDNkOGRxZVNYMVBscXprWE9HTWFka2kvRC9PTitMVENETnBoYmFPMGhTd3NsSncydwpjanRDSllpTCs0Vmh3d3hhbXNFVkgzQzBmaVM1OWNoR2dwTjQxNm1HQ21reWc2Qzl5bXg0TVhNYUN4VGlVanovCjQweHZ5YmNtTnNyS2EwdTZmNk9zTFZtM0t6dFpRdW15QkhzN3RYZ2RjeHNYZUtBanJUQktMWWkvbi9YQkwvMGYKTmdPbEV3PT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ server: https://192.168.153.210:6443
+ name: lan-cluster
+contexts:
+- context:
+ cluster: lan-cluster
+ user: lan-readonly
+ namespace: default
+ name: lan-readonly-context
+current-context: lan-readonly-context
+users:
+- name: lan-readonly
+ user:
+ token:
eyJhbGciOiJSUzI1NiIsImtpZCI6InZ6ZldlQ2RzNU44NkdHTmhJNVo2d1lFSWd3SUFJNjFvTmxvV3NKTHRTUUkifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJzd2FybSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJsYW4tcmVhZG9ubHktdG9rZW4iLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoibGFuLXJlYWRvbmx5Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQudWlkIjoiMjY1N2UzYmItZjY0ZS00YzVhLTg1ZTEtZjliMGE5MTA4NjEzIiwic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OnN3YXJtOmxhbi1yZWFkb25seSJ9.UA1i1Gxb2bR7AXGCzyJ3Yfz2XksKeC3GnSQ4-y-Yq9xqtO56B5Z62A_bMBhvcJPc-wtACtXz-MbMd_e9lzBPFpLlfaqvlq8L5GuBK9hboprN-qLuY8ZyrWPlisA1YMMBnWFOwbRK_QU6mR6upaZGNZUNNlPopfa8l9yoURwhxbzwJlEw2m1e5n3oOWTXQL0DzddKrYmNicvLI9heNihkphWuMfgovOO699VAmDCTLD2etflLz2pZJi1zZUC1X1bJ-tV6-Orhxmdyfn7-gX4aAQnmI9lVe1Jn9TBeAR2m38ZLbgb6DAuSgEAdtNIQW1CoZSKNkMKPujMozpeNEQGJuw
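Review bot: lan-readonly-kubeconfig.yaml commits a live bearer credential: the `token:` value under `users` is a signed service-account JWT for `system:serviceaccount:swarm:lan-readonly`, and its payload appears to carry no `exp` claim, so it stays usable for as long as the `lan-readonly-token` Secret exists. Anyone who can read this repository and reach `https://192.168.153.210:6443` gets whatever `cluster-readonly` grants, which with the wildcard rule in cluster-readonly-role.yaml includes Secrets. Keep the kubeconfig out of version control (generate it locally and list the file name in `.gitignore`), and treat this token as exposed: delete and recreate the `lan-readonly-token` Secret so the committed value stops working, and purge it from history if the repository is shared.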