...
# ResourceQuota "critical-pods": allows up to 1000 pods that use the
# system-node-critical or system-cluster-critical priority classes in the
# namespace this quota is created in.
# NOTE(review): no metadata.namespace is visible in this listing; the target
# namespace is presumably supplied by the tooling that applies it. Confirm.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: critical-pods
spec:
  hard:
    # Quoted so the quantity is passed as a string, as in the original.
    pods: "1000"
  scopeSelector:
    matchExpressions:
      # The quota only counts pods whose priority class is listed below.
      - operator: In
        scopeName: PriorityClass
        values:
          - system-node-critical
          - system-cluster-critical
---
# ClusterRole "crd-controller": permissions shared by the Flux controllers.
# It is granted cluster-wide by the ClusterRoleBinding of the same name in
# this file, so every rule below applies in all namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crd-controller
rules:
  # Full control of each Flux toolkit API group. The '*' wildcards also
  # cover subresources and any resource kind added to these groups later.
  - apiGroups:
      - source.toolkit.fluxcd.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - kustomize.toolkit.fluxcd.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - helm.toolkit.fluxcd.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - notification.toolkit.fluxcd.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - image.toolkit.fluxcd.io
    resources:
      - '*'
    verbs:
      - '*'
  # Read-only access to core objects. SECURITY: because this role is bound
  # cluster-wide, each bound service account can read every Secret in every
  # namespace. Treat those service account tokens as secret-equivalent and
  # audit who can exec into or schedule pods in the controllers' namespace.
  - apiGroups:
      - ""
    resources:
      - namespaces
      - secrets
      - configmaps
      - serviceaccounts
    verbs:
      - get
      - list
      - watch
  # Emit Kubernetes events (create new ones, patch existing ones).
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
  # Read/write access to ConfigMaps, their status, and Leases.
  # NOTE(review): presumably used for controller leader election. Confirm.
  # The ConfigMap write verbs are cluster-wide, not limited to one namespace.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps/status
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  # Non-resource endpoint: HEAD requests against the API server's
  # /livez/ping path only.
  - nonResourceURLs:
      - /livez/ping
    verbs:
      - head
---
# ClusterRole "flux-edit": write access to all Flux custom resources.
# The aggregate-to-* labels merge these rules into the built-in "admin" and
# "edit" ClusterRoles, so any subject already bound to admin or edit gains
# them without a new binding. Read verbs are not listed here; they come
# from the "flux-view" role in this file.
# SECURITY: in this file the kustomize and helm controllers are bound to
# cluster-admin (see "cluster-reconciler"). A subject that can create or
# modify the Flux objects those controllers reconcile can therefore cause
# changes to be applied with the controller's rights, unless the object is
# restricted, e.g. via spec.serviceAccountName impersonation. Review who
# holds admin/edit before relying on namespace isolation.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: flux-edit
rules:
  - apiGroups:
      - notification.toolkit.fluxcd.io
      - source.toolkit.fluxcd.io
      - helm.toolkit.fluxcd.io
      - image.toolkit.fluxcd.io
      - kustomize.toolkit.fluxcd.io
    # Wildcard: every resource kind (and subresource) in the groups above.
    resources:
      - '*'
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
---
# ClusterRole "flux-view": read-only access to all Flux custom resources.
# The three aggregate-to-* labels merge these rules into the built-in
# "admin", "edit" and "view" ClusterRoles.
# NOTE(review): the '*' resource wildcard exposes every object in these
# groups to anyone holding "view". Check whether any of those objects carry
# sensitive inline configuration before granting "view" broadly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: flux-view
rules:
  - apiGroups:
      - notification.toolkit.fluxcd.io
      - source.toolkit.fluxcd.io
      - helm.toolkit.fluxcd.io
      - image.toolkit.fluxcd.io
      - kustomize.toolkit.fluxcd.io
    resources:
      - '*'
    # Read verbs only; write verbs are granted separately by "flux-edit".
    verbs:
      - get
      - list
      - watch
---
# ClusterRoleBinding "cluster-reconciler": grants the built-in
# "cluster-admin" ClusterRole to the kustomize-controller and
# helm-controller service accounts in the flux-system namespace.
# SECURITY: this is unrestricted access to the whole cluster. Whatever
# these two controllers reconcile is applied with cluster-admin rights, so
# the sources they pull from and the right to create the Flux objects they
# act on are part of the cluster's trust boundary. Hardening options to
# evaluate: per-object service-account impersonation
# (spec.serviceAccountName), restricting who can write Flux objects, and
# alerting on any change to this binding or to tokens of these accounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reconciler
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kustomize-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: helm-controller
    namespace: flux-system
---
# ClusterRoleBinding "crd-controller": grants the "crd-controller"
# ClusterRole cluster-wide to six controller service accounts in the
# flux-system namespace.
# SECURITY: that role includes get/list/watch on Secrets, so each account
# listed here can read Secrets in every namespace. Keep this subject list
# as short as the deployment allows and monitor it for additions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: crd-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: crd-controller
subjects:
  # These two are also bound to cluster-admin by "cluster-reconciler".
  - kind: ServiceAccount
    name: kustomize-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: helm-controller
    namespace: flux-system
  # The remaining controllers receive only the crd-controller rules here.
  - kind: ServiceAccount
    name: source-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: notification-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: image-reflector-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: image-automation-controller
    namespace: flux-system