docs: running in-cluster with RBAC
parent: 15087dbab6
commit: 1517859b74
Files changed: README.md (25)
@ -47,6 +47,31 @@ If you're running clusterlint from within a Pod, you can use the `--in-cluster`
clusterlint --in-cluster run
```
Here's a simple example of CronJob definition to run clusterlint in the default namespace without RBAC :
```yaml
apiVersion: batch/v1
kind: CronJob
metadata:
name: clusterlint-cron
spec:
schedule: "0 */1 * * *"
concurrencyPolicy: Replace
failedJobsHistoryLimit: 3
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
containers:
- name: clusterlint
image: docker.io/clusterlint:latest
imagePullPolicy: IfNotPresent
restartPolicy: Never
```
If you're using RBAC, see [docs/RBAC.md](docs/RBAC.md).
### Specific checks and groups
All checks that clusterlint performs are categorized into groups. A check can belong to multiple groups. This framework allows one to only run specific checks on a cluster. For instance, if a cluster is running on DOKS, then, running checks specific to AWS does not make sense. Clusterlint can blacklist aws related checks, if any while running against a DOKS cluster.
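Review bot: the "without RBAC" CronJob above is misleading as written and needs a caveat. The Pod runs as the `default` ServiceAccount of the `default` namespace, which on any cluster with RBAC authorization enabled (the default on current distributions) has no permission to list pods or other resources, so `clusterlint --in-cluster run` will fail with 403 Forbidden; say explicitly that this form only works where RBAC authorization is disabled, and send everyone else to docs/RBAC.md. The image reference `docker.io/clusterlint:latest` also carries no organisation, so it resolves to the Docker Hub `library/` namespace, and `:latest` combined with `imagePullPolicy: IfNotPresent` means a node keeps running whatever cached build it pulled first; name the real repository and pin a release tag or digest. Minor: "without RBAC :" has a stray space before the colon.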
@ -0,0 +1,68 @@
The snippet below is an example to show how to run clusterlint in-cluster with RBAC enabled.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: clusterlint-role
rules:
- apiGroups: [""]
resources:
- pods
- volumes
- deployments
- services
- cronjobs
- namespaces
- jobs
- persistentvolumeclaims
- persistentvolumes
- statefulsets
- storageclasses
- configmaps
- defaultstorageclass
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: clusterlint-role-binding
namespace: clusterlint
subjects:
- kind: ServiceAccount
name: clusterlint
namespace: clusterlint
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: clusterlint-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: clusterlint
namespace: clusterlint
automountServiceAccountToken: false
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: clusterlint-cron
namespace: clusterlint
spec:
schedule: "0 */1 * * *"
concurrencyPolicy: Replace
failedJobsHistoryLimit: 3
successfulJobsHistoryLimit: 1
jobTemplate:
spec:
template:
spec:
serviceAccountName: clusterlint
containers:
- name: clusterlint
image: docker.io/clusterlint:latest
imagePullPolicy: IfNotPresent
restartPolicy: Never
```
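Review bot: the RBAC manifests in this hunk will not authorise clusterlint as written, for four separate reasons. First, the `RoleBinding` in namespace `clusterlint` only grants the referenced `ClusterRole` inside that one namespace, yet the role lists cluster-scoped resources (`namespaces`, `persistentvolumes`, `storageclasses`) and clusterlint has to list workloads in every namespace; this needs to be a `ClusterRoleBinding`. Second, the subject `kind: ServiceAccount` carries `apiGroup: rbac.authorization.k8s.io`, which the API server rejects (apiGroup must be empty for ServiceAccount subjects), so delete that line. Third, every resource sits under `apiGroups: [""]`, but `deployments` and `statefulsets` belong to `apps`, `jobs` and `cronjobs` to `batch`, and `storageclasses` to `storage.k8s.io`; in the core group those entries grant nothing and the listers get 403 Forbidden, so split the rules per API group, and drop `volumes` and `defaultstorageclass`, which are not Kubernetes resources. Fourth, the ServiceAccount sets `automountServiceAccountToken: false` and the Pod template does not override it, so no token is mounted and `--in-cluster` cannot build a client config; set `automountServiceAccountToken: true` in the Pod spec or remove it from the ServiceAccount. Also, the `clusterlint` namespace is referenced throughout but never created (add a `Namespace` manifest or a `kubectl create namespace clusterlint` step), and the same unpinned `docker.io/clusterlint:latest` with `imagePullPolicy: IfNotPresent` from the README example should be replaced with the real repository and a release tag or digest.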