apiVersion: v1 kind: ResourceQuota metadata: name: critical-pods spec: hard: pods: "1000" scopeSelector: matchExpressions: - operator: In scopeName: PriorityClass values: - system-node-critical - system-cluster-critical --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: crd-controller rules: - apiGroups: - source.toolkit.fluxcd.io resources: - '*' verbs: - '*' - apiGroups: - kustomize.toolkit.fluxcd.io resources: - '*' verbs: - '*' - apiGroups: - helm.toolkit.fluxcd.io resources: - '*' verbs: - '*' - apiGroups: - notification.toolkit.fluxcd.io resources: - '*' verbs: - '*' - apiGroups: - image.toolkit.fluxcd.io resources: - '*' verbs: - '*' - apiGroups: - "" resources: - namespaces - secrets - configmaps - serviceaccounts verbs: - get - list - watch - apiGroups: - "" resources: - events verbs: - create - patch - apiGroups: - "" resources: - configmaps verbs: - get - list - watch - create - update - patch - delete - apiGroups: - "" resources: - configmaps/status verbs: - get - update - patch - apiGroups: - coordination.k8s.io resources: - leases verbs: - get - list - watch - create - update - patch - delete - nonResourceURLs: - /livez/ping verbs: - head --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" name: flux-edit rules: - apiGroups: - notification.toolkit.fluxcd.io - source.toolkit.fluxcd.io - helm.toolkit.fluxcd.io - image.toolkit.fluxcd.io - kustomize.toolkit.fluxcd.io resources: - '*' verbs: - create - delete - deletecollection - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-view: "true" name: flux-view rules: - apiGroups: - notification.toolkit.fluxcd.io - source.toolkit.fluxcd.io - helm.toolkit.fluxcd.io - image.toolkit.fluxcd.io - kustomize.toolkit.fluxcd.io resources: - '*' verbs: - get - list - watch --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: cluster-reconciler roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: kustomize-controller namespace: flux-system - kind: ServiceAccount name: helm-controller namespace: flux-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: crd-controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: crd-controller subjects: - kind: ServiceAccount name: kustomize-controller namespace: flux-system - kind: ServiceAccount name: helm-controller namespace: flux-system - kind: ServiceAccount name: source-controller namespace: flux-system - kind: ServiceAccount name: notification-controller namespace: flux-system - kind: ServiceAccount name: image-reflector-controller namespace: flux-system - kind: ServiceAccount name: image-automation-controller namespace: flux-system