kayrus · eugene-chow · Apr 24, 2017 · Apr 24, 2017 · Apr 24, 2017 · kayrus
diff --git a/deploy.sh b/deploy.sh
@@ -47,4 +47,7 @@ eval "${KUBECTL} create configmap es-config --from-file=es-config --dry-run -o y
 eval "${KUBECTL} create configmap fluentd-config --from-file=docker/fluentd/td-agent.conf --dry-run -o yaml" | eval "${KUBECTL} apply -f -"
 eval "${KUBECTL} create configmap kibana-config --from-file=kibana.yml --dry-run -o yaml" | eval "${KUBECTL} apply -f -"
 
+## Install RBAC policies
+eval "${KUBECTL} apply -f rbac"
+
 eval "${KUBECTL} get pods $@"
diff --git a/rbac/.DS_Store b/rbac/.DS_Store
diff --git a/rbac/es-client-r.yaml b/rbac/es-client-r.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: Role
+metadata:
+  name: es-client
+rules:
+- apiGroups: [""]
+  resources:
+  - endpoints
+  verbs: ["get", "list", "watch"]
diff --git a/rbac/es-client-rb.yaml b/rbac/es-client-rb.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: RoleBinding
+metadata:
+  name: es-client
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: es-client
+subjects:
+- kind: ServiceAccount
+  name: es-client
+  namespace: logging
diff --git a/rbac/es-client-sa.yaml b/rbac/es-client-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: es-client
diff --git a/rbac/es-data-r.yaml b/rbac/es-data-r.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: Role
+metadata:
+  name: es-data
+rules:
+- apiGroups: [""]
+  resources:
+  - endpoints
+  verbs: ["get", "list", "watch"]
diff --git a/rbac/es-data-rb.yaml b/rbac/es-data-rb.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: RoleBinding
+metadata:
+  name: es-data
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: es-data
+subjects:
+- kind: ServiceAccount
+  name: es-data
+  namespace: logging
diff --git a/rbac/es-data-sa.yaml b/rbac/es-data-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: es-data
diff --git a/rbac/fluentd-cr.yaml b/rbac/fluentd-cr.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: fluentd
+rules:
+- apiGroups: [""]
+  resources:
+  - pods
+  verbs: ["get", "list", "watch"]
diff --git a/rbac/fluentd-crb.yaml b/rbac/fluentd-crb.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: fluentd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fluentd
+subjects:
+- kind: ServiceAccount
+  name: fluentd
+  namespace: logging
diff --git a/rbac/fluentd-sa.yaml b/rbac/fluentd-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fluentd
diff --git a/rbac/k8s-events-printer-cr.yaml b/rbac/k8s-events-printer-cr.yaml
@@ -0,0 +1,9 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRole
+metadata:
+  name: kubernetes-events-printer
+rules:
+- apiGroups: [""]
+  resources:
+  - events
+  verbs: ["get", "list", "watch"]
diff --git a/rbac/k8s-events-printer-crb.yaml b/rbac/k8s-events-printer-crb.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1alpha1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-events-printer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-events-printer
+subjects:
+- kind: ServiceAccount
+  name: kubernetes-events-printer
+  namespace: logging
diff --git a/rbac/k8s-events-printer-sa.yaml b/rbac/k8s-events-printer-sa.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubernetes-events-printer