docs: running in-cluster with RBAC

README.md

@@ -47,6 +47,31 @@ If you're running clusterlint from within a Pod, you can use the `--in-cluster`
 clusterlint --in-cluster run
 ```
 
+Here's a simple example of CronJob definition to run clusterlint in the default namespace without RBAC : 
+
+```yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: clusterlint-cron
+spec:
+  schedule: "0 */1 * * *"
+  concurrencyPolicy: Replace
+  failedJobsHistoryLimit: 3
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          containers:
+            - name: clusterlint
+              image: docker.io/clusterlint:latest
+              imagePullPolicy: IfNotPresent
+          restartPolicy: Never
+```
+
+If you're using RBAC, see [docs/RBAC.md](docs/RBAC.md).
+
 ### Specific checks and groups
 
 All checks that clusterlint performs are categorized into groups. A check can belong to multiple groups. This framework allows one to only run specific checks on a cluster. For instance, if a cluster is running on DOKS, then, running checks specific to AWS does not make sense. Clusterlint can blacklist aws related checks, if any while running against a DOKS cluster.

docs/RBAC.md

@@ -0,0 +1,68 @@
+The snippet below is an example to show how to run clusterlint in-cluster with RBAC enabled.
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: clusterlint-role
+rules:
+- apiGroups: [""]
+  resources:
+    - pods
+    - volumes
+    - deployments
+    - services
+    - cronjobs
+    - namespaces
+    - jobs
+    - persistentvolumeclaims
+    - persistentvolumes
+    - statefulsets
+    - storageclasses
+    - configmaps
+    - defaultstorageclass
+  verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: clusterlint-role-binding
+  namespace: clusterlint
+subjects:
+  - kind: ServiceAccount
+    name: clusterlint
+    namespace: clusterlint
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: clusterlint-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: clusterlint
+  namespace: clusterlint
+automountServiceAccountToken: false
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: clusterlint-cron
+  namespace: clusterlint
+spec:
+  schedule: "0 */1 * * *"
+  concurrencyPolicy: Replace
+  failedJobsHistoryLimit: 3
+  successfulJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: clusterlint
+          containers:
+            - name: clusterlint
+              image: docker.io/clusterlint:latest
+              imagePullPolicy: IfNotPresent
+          restartPolicy: Never
+```