import * as k8s from "@pulumi/kubernetes"
import {Namespace, ServiceAccount} from "@pulumi/kubernetes/core/v1";
import {Role} from "@pulumi/kubernetes/rbac/v1";
/**
 * Declares the "gitlab-runner" ServiceAccount inside the given namespace.
 *
 * @param namespace - Namespace resource whose name the account is created in.
 * @returns The Pulumi ServiceAccount resource.
 */
export function createServiceAccount(namespace: Namespace) {
  // The same identifier is used for the Pulumi resource name and the
  // Kubernetes object name.
  const resourceName = "gitlab-runner";
  const account = new k8s.core.v1.ServiceAccount(resourceName, {
    metadata: {
      name: resourceName,
      namespace: namespace.metadata.name,
    },
  });
  return account;
}
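/**
 * Declares the namespaced "gitlab-runner" Role.
 *
 * The Role holds a single rule on the core API group ("") covering secrets,
 * pods, configmaps, services, pods/attach and pods/exec.
 *
 * @param namespace - Namespace resource the Role is scoped to.
 * @returns The Pulumi Role resource.
 */
export function createRole(namespace: Namespace) {
  return new k8s.rbac.v1.Role("gitlab-runner", {
    metadata: {
      name: "gitlab-runner",
      namespace: namespace.metadata.name,
    },
    rules: [
      {
        apiGroups: [""],
        // RBAC rules match the plural resource name. The earlier "service"
        // entry matched no resource, so that grant was silently ineffective.
        resources: ["secrets", "pods", "configmaps", "services", "pods/attach", "pods/exec"],
        // Every verb applies to every resource above, so any subject bound to
        // this Role can read and modify secrets and exec into pods in this
        // namespace. Keep the namespace dedicated to runner workloads.
        // NOTE(review): consider one rule per resource with only the verbs the
        // runner needs; confirm against the runner's documented requirements.
        verbs: ["get", "list", "watch", "create", "delete", "update", "patch"],
      },
    ],
  });
}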
/**
 * Declares the "gitlab-runner" RoleBinding that grants the given Role to the
 * given ServiceAccount.
 *
 * @param namespace - Namespace resource that holds the binding and its subject.
 * @param role - Role referenced by the binding (by name).
 * @param serviceAccount - ServiceAccount listed as the binding's only subject.
 * @returns The Pulumi RoleBinding resource.
 */
export function createRoleBinding(namespace: Namespace, role: Role, serviceAccount: ServiceAccount) {
  const bindingName = "gitlab-runner";
  const targetNamespace = namespace.metadata.name;

  // A Role is referenced by name only, so this resolves within the binding's
  // own namespace.
  const roleRef = {
    apiGroup: "rbac.authorization.k8s.io",
    kind: "Role",
    name: role.metadata.name,
  };

  // The subject is looked up in the same namespace as the binding.
  const subjects = [
    {
      kind: "ServiceAccount",
      name: serviceAccount.metadata.name,
      namespace: targetNamespace,
    },
  ];

  return new k8s.rbac.v1.RoleBinding(bindingName, {
    metadata: {
      name: bindingName,
      namespace: targetNamespace,
    },
    roleRef,
    subjects,
  });
}