jesus/provisioning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
provisioning/schemas/platform/templates/kubernetes/rbac.yaml.ncl

255 lines
6.3 KiB
Plaintext
Raw Normal View History

chore: complete nickel migration and consolidate legacy configs - Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/
2026-01-08 09:55:37 +00:00
# Kubernetes RBAC (Role-Based Access Control) for Provisioning
# Creates ServiceAccounts and Roles for each service
#
# Usage:
# nickel eval --format json rbac.yaml.ncl | yq -P > rbac.yaml
# kubectl apply -f rbac.yaml
{
# ============================================================================
# Orchestrator Service Account and Role
# ============================================================================
orchestrator_service_account = {
apiVersion = "v1",
kind = "ServiceAccount",
metadata = {
name = "orchestrator",
namespace = "provisioning",
labels = {
app = "orchestrator",
component = "provisioning-platform",
},
},
},
orchestrator_role = {
apiVersion = "rbac.authorization.k8s.io/v1",
kind = "Role",
metadata = {
name = "orchestrator",
namespace = "provisioning",
labels = {
app = "orchestrator",
component = "provisioning-platform",
},
},
rules = [
# Allow reading ConfigMaps (for configuration)
{
apiGroups = [""],
resources = ["configmaps"],
verbs = ["get", "list", "watch"],
},
# Allow reading Secrets (for credentials)
{
apiGroups = [""],
resources = ["secrets"],
verbs = ["get", "list"],
},
# Allow reading and writing Pod logs
{
apiGroups = [""],
resources = ["pods", "pods/log"],
verbs = ["get", "list", "watch"],
},
# Allow reading Services
{
apiGroups = [""],
resources = ["services"],
verbs = ["get", "list", "watch"],
},
],
},
orchestrator_rolebinding = {
apiVersion = "rbac.authorization.k8s.io/v1",
kind = "RoleBinding",
metadata = {
name = "orchestrator",
namespace = "provisioning",
labels = {
app = "orchestrator",
component = "provisioning-platform",
},
},
roleRef = {
apiGroup = "rbac.authorization.k8s.io",
kind = "Role",
name = "orchestrator",
},
subjects = [
{
kind = "ServiceAccount",
name = "orchestrator",
namespace = "provisioning",
},
],
},
# ============================================================================
# Control Center Service Account and Role
# ============================================================================
control_center_service_account = {
apiVersion = "v1",
kind = "ServiceAccount",
metadata = {
name = "control-center",
namespace = "provisioning",
labels = {
app = "control-center",
component = "provisioning-platform",
},
},
},
control_center_role = {
apiVersion = "rbac.authorization.k8s.io/v1",
kind = "Role",
metadata = {
name = "control-center",
namespace = "provisioning",
labels = {
app = "control-center",
component = "provisioning-platform",
},
},
rules = [
# Allow reading ConfigMaps
{
apiGroups = [""],
resources = ["configmaps"],
verbs = ["get", "list", "watch"],
},
# Allow reading and writing Secrets (for JWT, etc)
{
apiGroups = [""],
resources = ["secrets"],
verbs = ["get", "list", "create", "update", "patch"],
},
# Allow reading Service information
{
apiGroups = [""],
resources = ["services"],
verbs = ["get", "list", "watch"],
},
# Allow reading Pod information (for status)
{
apiGroups = [""],
resources = ["pods"],
verbs = ["get", "list", "watch"],
},
# Allow reading Deployments
{
apiGroups = ["apps"],
resources = ["deployments"],
verbs = ["get", "list", "watch"],
},
],
},
control_center_rolebinding = {
apiVersion = "rbac.authorization.k8s.io/v1",
kind = "RoleBinding",
metadata = {
name = "control-center",
namespace = "provisioning",
labels = {
app = "control-center",
component = "provisioning-platform",
},
},
roleRef = {
apiGroup = "rbac.authorization.k8s.io",
kind = "Role",
name = "control-center",
},
subjects = [
{
kind = "ServiceAccount",
name = "control-center",
namespace = "provisioning",
},
],
},
# ============================================================================
# MCP Server Service Account and Role
# ============================================================================
mcp_server_service_account = {
apiVersion = "v1",
kind = "ServiceAccount",
metadata = {
name = "mcp-server",
namespace = "provisioning",
labels = {
app = "mcp-server",
component = "provisioning-platform",
},
},
},
mcp_server_role = {
apiVersion = "rbac.authorization.k8s.io/v1",
kind = "Role",
metadata = {
name = "mcp-server",
namespace = "provisioning",
labels = {
app = "mcp-server",
component = "provisioning-platform",
},
},
rules = [
# Allow reading ConfigMaps (for configuration)
{
apiGroups = [""],
resources = ["configmaps"],
verbs = ["get", "list", "watch"],
},
# Allow reading Secrets (for credentials)
{
apiGroups = [""],
resources = ["secrets"],
verbs = ["get", "list"],
},
# Allow reading Pod information
{
apiGroups = [""],
resources = ["pods"],
verbs = ["get", "list", "watch"],
},
# Allow reading Services
{
apiGroups = [""],
resources = ["services"],
verbs = ["get", "list", "watch"],
},
],
},
mcp_server_rolebinding = {
apiVersion = "rbac.authorization.k8s.io/v1",
kind = "RoleBinding",
metadata = {
name = "mcp-server",
namespace = "provisioning",
labels = {
app = "mcp-server",
component = "provisioning-platform",
},
},
roleRef = {
apiGroup = "rbac.authorization.k8s.io",
kind = "Role",
name = "mcp-server",
},
subjects = [
{
kind = "ServiceAccount",
name = "mcp-server",
namespace = "provisioning",
},
],
},
}
Reference in New Issue Copy Permalink