docs: running in-cluster with RBAC
parent
15087dbab6
commit
1517859b74
25
README.md
25
README.md
|
@ -47,6 +47,31 @@ If you're running clusterlint from within a Pod, you can use the `--in-cluster`
|
||||||
clusterlint --in-cluster run
|
clusterlint --in-cluster run
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Here's a simple example of CronJob definition to run clusterlint in the default namespace without RBAC :
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: CronJob
|
||||||
|
metadata:
|
||||||
|
name: clusterlint-cron
|
||||||
|
spec:
|
||||||
|
schedule: "0 */1 * * *"
|
||||||
|
concurrencyPolicy: Replace
|
||||||
|
failedJobsHistoryLimit: 3
|
||||||
|
successfulJobsHistoryLimit: 1
|
||||||
|
jobTemplate:
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: clusterlint
|
||||||
|
image: docker.io/clusterlint:latest
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
restartPolicy: Never
|
||||||
|
```
|
||||||
|
|
||||||
|
If you're using RBAC, see [docs/RBAC.md](docs/RBAC.md).
|
||||||
|
|
||||||
### Specific checks and groups
|
### Specific checks and groups
|
||||||
|
|
||||||
All checks that clusterlint performs are categorized into groups. A check can belong to multiple groups. This framework allows one to only run specific checks on a cluster. For instance, if a cluster is running on DOKS, then, running checks specific to AWS does not make sense. Clusterlint can blacklist aws related checks, if any while running against a DOKS cluster.
|
All checks that clusterlint performs are categorized into groups. A check can belong to multiple groups. This framework allows one to only run specific checks on a cluster. For instance, if a cluster is running on DOKS, then, running checks specific to AWS does not make sense. Clusterlint can blacklist aws related checks, if any while running against a DOKS cluster.
|
||||||
|
|
|
@ -0,0 +1,68 @@
|
||||||
|
The snippet below is an example to show how to run clusterlint in-cluster with RBAC enabled.
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: clusterlint-role
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- volumes
|
||||||
|
- deployments
|
||||||
|
- services
|
||||||
|
- cronjobs
|
||||||
|
- namespaces
|
||||||
|
- jobs
|
||||||
|
- persistentvolumeclaims
|
||||||
|
- persistentvolumes
|
||||||
|
- statefulsets
|
||||||
|
- storageclasses
|
||||||
|
- configmaps
|
||||||
|
- defaultstorageclass
|
||||||
|
verbs: ["get", "watch", "list"]
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: RoleBinding
|
||||||
|
metadata:
|
||||||
|
name: clusterlint-role-binding
|
||||||
|
namespace: clusterlint
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: clusterlint
|
||||||
|
namespace: clusterlint
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: clusterlint-role
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: clusterlint
|
||||||
|
namespace: clusterlint
|
||||||
|
automountServiceAccountToken: false
|
||||||
|
---
|
||||||
|
apiVersion: batch/v1
|
||||||
|
kind: CronJob
|
||||||
|
metadata:
|
||||||
|
name: clusterlint-cron
|
||||||
|
namespace: clusterlint
|
||||||
|
spec:
|
||||||
|
schedule: "0 */1 * * *"
|
||||||
|
concurrencyPolicy: Replace
|
||||||
|
failedJobsHistoryLimit: 3
|
||||||
|
successfulJobsHistoryLimit: 1
|
||||||
|
jobTemplate:
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
serviceAccountName: clusterlint
|
||||||
|
containers:
|
||||||
|
- name: clusterlint
|
||||||
|
image: docker.io/clusterlint:latest
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
restartPolicy: Never
|
||||||
|
```
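Review bot: The ClusterRole at the top of this hunk does not grant what the CronJob needs: under `apiGroups: [""]` only core resources exist, so `deployments`/`statefulsets` (group `apps`), `cronjobs`/`jobs` (group `batch`) and `storageclasses` (group `storage.k8s.io`) are silently not covered, and `volumes`/`defaultstorageclass` are not API resources at all. The `RoleBinding` in namespace `clusterlint` also confines the ClusterRole to that one namespace, so cluster-scoped `namespaces`, `persistentvolumes` and `storageclasses`, and pods in every other namespace, stay forbidden — a cluster-wide read-only linter needs a `ClusterRoleBinding`, and its ServiceAccount subject must not carry `apiGroup: rbac.authorization.k8s.io` (that field is only accepted for User/Group subjects). `automountServiceAccountToken: false` on the ServiceAccount, with no override in the pod spec, means no token is mounted, which presumably breaks `--in-cluster` auth; drop that line or set `automountServiceAccountToken: true` on the pod. A least-privilege example that fails with "forbidden" tends to get "fixed" by binding `cluster-admin`, so this is worth getting right; while here, pin `image:` to a release tag or `@sha256` digest rather than the mutable `latest` tag, which with `IfNotPresent` leaves each node running whatever it cached. The rewritten resources below keep the rest of the manifests as they are.
```yaml
rules:
  - apiGroups: [""]
    resources: [pods, services, namespaces, configmaps, persistentvolumeclaims, persistentvolumes]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: [deployments, statefulsets]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: [jobs, cronjobs]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: [storageclasses]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: clusterlint-role-binding
subjects:
  - kind: ServiceAccount
    name: clusterlint
    namespace: clusterlint
# … unchanged: roleRef pointing at ClusterRole clusterlint-role …
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: clusterlint
  namespace: clusterlint
# … unchanged: CronJob (pod spec keeps serviceAccountName: clusterlint); pin image: to a release tag or @sha256 digest …
```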
|