docs: Adds section for creating a viewer role
phantomjinx authored and tadayosi committed Oct 18, 2024
1 parent 734e905 commit db84f7a
Showing 1 changed file with 39 additions and 0 deletions.
39 changes: 39 additions & 0 deletions modules/ROOT/pages/online/rbac.adoc
Expand Up @@ -33,6 +33,45 @@ $ oc auth can-i get pods/<pod> --as <user>
no
----

==== Creating a Role with the Minimum Permissions

The following creates a role with the minimum permissions required for connecting and
viewing existing pods. Once created, a user can be bound to it with a
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding[role-binding,role=external,window=_blank].

----
$ cat <<EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: hawtio-viewer
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/proxy
verbs:
- get
- list
- watch
- create
- apiGroups:
- authorization.k8s.io
resources:
- localsubjectaccessreviews
verbs:
- create
EOF
----

== ACL

The ACL definition for JMX operations works as follows:
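Review bot: the Role manifest in the new "Creating a Role with the Minimum Permissions" block has no `metadata.namespace`, so `kubectl create -f -` silently creates `hawtio-viewer` in whatever namespace the current kubeconfig context points at; since `kind: Role` is namespaced, either add a `namespace: <namespace>` line under `metadata` or say in the prose that the command must be run with `-n <namespace>` (or against the right context) so the role lands where the pods being viewed live. A second point on the same block: the role is named and described as a viewer with "minimum permissions", yet it grants `create` on `pods/proxy` and `localsubjectaccessreviews`, which is more than read-only; a short sentence explaining why connecting needs these two `create` verbs would stop readers from trimming them (or from assuming the role is purely read-only). Finally, the prose says the user is bound with a "role-binding"; it would help to show the matching `kubectl create rolebinding ... --role=hawtio-viewer --user=<user>` step, or at least name the namespace the binding must be in, since the earlier `oc auth can-i` check is what readers will use to confirm the binding worked.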

0 comments on commit db84f7a