Fix/manifests (#38)
* fix manifest deployment and demoapp, remove poc vulnerability check

* update gitignore

* add cosign pub key for cosignwebhook again

* extra warning self-signed example certificate

* adjust gitignore

* bump manifest 4.0.5
eumel8 authored Jan 15, 2024
1 parent 055781e commit 9f57e0e
Showing 6 changed files with 36 additions and 79 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/cosign.pub
@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENDN3HpXY2weMYRuuJbZnNczrOyns
ZvVnR15G9EILCH8+elXkYy+4U70mR++XIL0iD8NhZ3kxfpFjxyHlnG5Snw==
-----END PUBLIC KEY-----
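Review bot: The key file lands under `.github/workflows/`, a directory meant for workflow definitions, and nothing in the file or the commit message says which image it verifies. A short README entry naming the image it belongs to (the value matches the `COSIGNPUBKEY` used by `sigcheckwebhook` in manifests/manifest.yaml) would let users confirm they hold the right key.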
5 changes: 2 additions & 3 deletions .gitignore
@@ -1,6 +1,5 @@
# compiled binary, never checked in
cosignwebhook
chart/caas-values.yaml

# the keypair used for test-signing of the webhook
# required foe e2e test
*.key
*.pub
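Review bot: The comment line `# required foe e2e test` has a typo ("foe" should be "for"). The `+`/`-` markers are not visible in this rendering, so also check whether `*.pub` is still ignored after the change: if it is, `.github/workflows/cosign.pub` from this same commit is only tracked because it was force-added, and a `!.github/workflows/cosign.pub` exception would make that explicit.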
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -42,6 +42,8 @@ kubectl -n cosignwebhook apply -f manifests/rbac.yaml
kubectl -n cosignwebhook apply -f manifests/manifest.yaml
```

The manifest contains a self-signed example ca, TLS certificate, and key. This is only to see how it looks like, you should generate your own certificate, see below:

## Cert generation

Run the generate-certs script in the `hack` folder to generate the TLS key pair and the CA certificate for the webhook:
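Review bot: The added warning is too soft for what it guards against: "This is only to see how it looks like" should say outright that the example key is published and must not be deployed. Suggested wording: "The manifest contains a self-signed example CA, TLS certificate, and key. They are published in this repository and must be replaced before use; generate your own as described below."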
63 changes: 0 additions & 63 deletions manifests/demoapp.yaml
Expand Up @@ -14,37 +14,6 @@ metadata:
name: demoapp-pull-secret
type: kubernetes.io/dockerconfigjson
---
apiVersion: v1
data:
run.sh: |
#!/bin/sh
if [ -z "$REGISTRY" ] || [ -z "$REPO" ] || [ -z "$TAG" ]|| [ -z "$SCORE" ]; then
echo "required variables not set"
exit 1
fi
MANIFEST=$(curl -s -H 'Authorization: Bearer ${BEARER}' ${REGISTRY}/api/v1/repository/${REPO}|jq .tags.\"${TAG}\".manifest_digest | sed 's/\"//g')
echo "man ${MANIFEST}"
if [[ -n "$MANIFEST" ]] ; then
echo "couln't fetch manifest ${REPO}/${TAG}"
exit 1
fi
echo "man end"
VULN=$(curl -s -H 'Authorization: Bearer ${BEARER}' ${REGISTRY}/api/v1/repository/${REPO}/manifest/${MANIFEST}/security | jq '.data.Layer.Features[].Vulnerabilities[]?| select (.Metadata.NVD.CVSSv3.Score != "")| select(.Metadata.NVD.CVSSv3.Score > '${SCORE}')|length')
if [ -z "$VULN" ] ; then
echo "ok"
exit 0
else
echo "found vulnerabilities"
curl -s -H 'Authorization: Bearer ${BEARER}' ${REGISTRY}/api/v1/repository/${REPO}/manifest/${MANIFEST}/security | jq '.data.Layer.Features[].Vulnerabilities[]?| select (.Metadata.NVD.CVSSv3.Score != "")| select(.Metadata.NVD.CVSSv3.Score > '${SCORE}')'
exit 1
fi
kind: ConfigMap
metadata:
labels:
app: demoapp
name: demoapp-sidecar
---
apiVersion: apps/v1
kind: Deployment
metadata:
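Review bot: The deleted `run.sh` ConfigMap was the demo's only vulnerability gate, and the commit message says only "remove poc vulnerability check"; a line in the README stating that demoapp no longer blocks on CVSS score would stop users from assuming it still does. If the check is ever revived, the removed version should not be restored as it was: `'Authorization: Bearer ${BEARER}'` is single-quoted so the token is never expanded, `[[ -n "$MANIFEST" ]]` exits on a successful lookup where `-z` was intended, and `[[` is not POSIX under `#!/bin/sh`.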
Expand Down Expand Up @@ -114,38 +83,6 @@ spec:
volumeMounts:
- name: tmp
mountPath: /tmp
initContainers:
- name: checkvulnerabilities
image: mtr.devops.telekom.de/caas/caas-tools:latest
env:
- name: REGISTRY
value: https://mtr.devops.telekom.de
- name: REPO
value: cosigndemo/nginx-non-root
- name: TAG
value: latest
- name: SCORE
value: "9.0"
command: ["/sidecar/run.sh"]
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
securityContext:
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: demoapp-sidecar
mountPath: /sidecar
dnsPolicy: ClusterFirst
imagePullSecrets:
- name: demoapp-pull-secret
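Review bot: The removed `checkvulnerabilities` init container mounted a volume named `demoapp-sidecar`, and the two hunks in this file already account for all 63 deletions, so a pod-level `volumes:` entry of that name, if one exists further down, is left in place. If it still points at the deleted `demoapp-sidecar` ConfigMap, the pod will hang in ContainerCreating unless the volume is marked optional; remove the entry in the same change.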
34 changes: 21 additions & 13 deletions manifests/manifest.yaml
@@ -1,5 +1,14 @@
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: cosignwebhook
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURhakNDQWxLZ0F3SUJBZ0lSQUp0SGF3OXhCOGpnS04xTVVEUkd4RUF3RFFZSktvWklodmNOQVFFTEJRQXcKSERFYU1CZ0dBMVVFQXhNUlkyOXphV2R1TFhkbFltaHZiMnN0WTJFd0hoY05NalF3TVRFeU1UUXlNREExV2hjTgpNelF3TVRBNU1UUXlNREExV2pBWU1SWXdGQVlEVlFRREV3MWpiM05wWjI1M1pXSm9iMjlyTUlJQklqQU5CZ2txCmhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdUN2cXBtWCs1WE9ncFMvT1hPOTZ4VUdOTTRtVURZMWsKM3dBQm9PWThOcFpvay9BR1BSTzRWNHpwaGtjZVdJWHVJc1FRV1RFelFLalFtQi9QMUF1TllvTDJUSWRiRUJMMQptSEFnRFMxRGdwODIweXN4d2FGS3YzWHRUSjg2VTFWVndYSW1QeXFNODhTVjI3VDNGRWYvb2NEckYxb3IzQnpWCnZoTHVUTExaeXpPNDV4a3RQNUVueU1HQUtkbG5vU3F1V0dqa2lGSHh0bitITHpxbkEyYTBCeWQ0di9PdWpwdmcKYXpUYkdNL2F3QW5DRDZiQURZQVNOdXJjaWlvejlGNFM1VUwrSWpIemllU05ZNWpSMVBXNG9xNWEwS1F6ZjBybAp3R09Nd3FJbWZSVzRYeDQ2V21Sd2FJYmRPRDIvOFl5cEoxNGZ2Yk84R2duZVNmaCtMSUpRTlFJREFRQUJvNEdxCk1JR25NQTRHQTFVZER3RUIvd1FFQXdJRm9EQWRCZ05WSFNVRUZqQVVCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUgKQXdJd0RBWURWUjBUQVFIL0JBSXdBREFmQmdOVkhTTUVHREFXZ0JTc0ZQVTQ4SEo2Z1VUMXpoT0ZBS3drV0RjVQpZVEJIQmdOVkhSRUVRREErZ2h0amIzTnBaMjUzWldKb2IyOXJMbU52YzJsbmJuZGxZbWh2YjJ1Q0gyTnZjMmxuCmJuZGxZbWh2YjJzdVkyOXphV2R1ZDJWaWFHOXZheTV6ZG1Nd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFKNVAKWDBKOW5HL2xBV1VLaHVrTnNVR25hdkcyOERCUWQwWFM5NElxSFFoQzlQamZOTGpicSs1QmhRNDJDOHMybXpmTwpSUzNwVjlmUldwUTR1blU5ZVp0V0l2Ty9IQ1Z1bmpKSUNrNEdNVzNpRTZ3a095U01kNjBQTm9RZnZ3UWlsRU9BCjRyZ2ZXK0dndlIxYlFwOHFTRHg0WEU4M0czNDNhbTdQcVpHNnVHRTRWMlExZnducnQxbmw0UmtSc1VPTlFhdzAKcUFEL0RNcEpEWXlDNi85bUdjQ3R0WUI0enVTWHd6SW1CZXRISFdHSUlLMmREQitOa3A0NDNEL0Vjb2hQU2hqQwpzN0hJaXlGR1pIMDMwejdRM3NTUjhUWk1wVUZBWXJ4OEY5bEVzWkJ2YmpZNVJTUFdTSXk2S29ibCtWUDZGOVFlCkZIQkdoMnkxcUh4ZkVVT3FDQzQ9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
tls.key: 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
---
apiVersion: v1
kind: Service
metadata:
name: cosignwebhook
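Review bot: `tls.key` in the new `kubernetes.io/tls` Secret puts a private key into a manifest that the README applies directly with `kubectl -n cosignwebhook apply -f manifests/manifest.yaml`, so anyone who follows the quick start serves the webhook with key material published in this repository. Prefer shipping the Secret with empty placeholders and letting the generate-certs script create it, or at least repeat the README warning as a YAML comment above `data:`.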
Expand Down Expand Up @@ -35,8 +44,8 @@ spec:
- verify
- --key
- env://COSIGNPUBKEY
- --insecure-skip-tlog-verify
- mtr.devops.telekom.de/mcsps/cosign:v1.8.0
- --insecure-ignore-tlog=true
- mtr.devops.telekom.de/mcsps/cosign:v2.2.0
command:
- cosign
env:
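Review bot: `--insecure-ignore-tlog=true` replaces `--insecure-skip-tlog-verify`, so transparency-log verification stays switched off for the cosign image and only the key signature is checked. Add a YAML comment beside the flag stating why the log is skipped, so the setting is a recorded decision rather than a default that gets copied into other deployments.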
Expand All @@ -46,7 +55,7 @@ spec:
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEhyQCx0E9wQWSFI9ULGwy3BuRklnt
IqozONbbdbqz11hlRJy9c7SG+hdcFl9jE9uE/dwtuwU2MqU9T/cN0YkWww==
-----END PUBLIC KEY-----
image: mtr.devops.telekom.de/mcsps/cosign:v2.0.0-rc.0
image: mtr.devops.telekom.de/mcsps/cosign:v2.2.0
imagePullPolicy: Always
name: sigcheckcosign
resources:
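Review bot: `sigcheckcosign` now runs `mtr.devops.telekom.de/mcsps/cosign:v2.2.0` to verify that same `cosign:v2.2.0` tag, with `imagePullPolicy: Always`, so the image doing the check is the unverified one being checked. Referencing the tool image by digest (`cosign@sha256:<digest>`) would give the verification step a fixed starting point.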
Expand All @@ -60,17 +69,18 @@ spec:
- verify
- --key
- env://COSIGNPUBKEY
- mtr.devops.telekom.de/caas/cosignwebhook:1.0.0
- --insecure-ignore-tlog=true
- mtr.devops.telekom.de/caas/cosignwebhook:4.0.5
command:
- cosign
env:
- name: COSIGNPUBKEY
value: |
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgei36FSIhT8a9lOHs1Sem5KvmrT+
Xi2EcyjLvaJzqu5n0TiygGeO4ZcU30A1PQv6xoI0xBxpyZAw7XeqzrRDOQ==
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAENDN3HpXY2weMYRuuJbZnNczrOyns
ZvVnR15G9EILCH8+elXkYy+4U70mR++XIL0iD8NhZ3kxfpFjxyHlnG5Snw==
-----END PUBLIC KEY-----
image: mtr.devops.telekom.de/mcsps/cosign:v1.8.0
image: mtr.devops.telekom.de/mcsps/cosign:v2.2.0
imagePullPolicy: Always
name: sigcheckwebhook
resources:
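Review bot: `COSIGNPUBKEY` for `sigcheckwebhook` is swapped in the same hunk that moves the verify target from `cosignwebhook:1.0.0` to `4.0.5`, and the new value is a second copy of `.github/workflows/cosign.pub`. Record the key change in the README or release notes, and consider generating this value from the file so the two copies cannot drift apart.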
Expand All @@ -82,13 +92,11 @@ spec:
memory: 64Mi
containers:
- name: cosignwebhook
image: mtr.devops.telekom.de/caas/cosignwebhook:1.0.0
image: mtr.devops.telekom.de/caas/cosignwebhook:4.0.5
imagePullPolicy: Always
args:
- -alsologtostderr
- 2>&1
# - --log_dir=/
# - -v=10
- -logLevel
- info
env:
- name: COSIGNPUBKEY
value: |
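Review bot: The container image `cosignwebhook:4.0.5` is pulled by tag with `imagePullPolicy: Always`, while `sigcheckwebhook` verified the same tag in a separate pull, so the digest that runs is not guaranteed to be the digest that was verified. Pinning both references to one digest closes that gap. Dropping `2>&1` from `args` is correct, since it was passed to the binary as a literal argument and never acted as a shell redirect.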
Expand Down Expand Up @@ -148,7 +156,7 @@ webhooks:
name: cosignwebhook
namespace: cosignwebhook
path: "/validate"
caBundle: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZOekNDQXgrZ0F3SUJBZ0lVTW1ndFRsM2VnOWplZjRYZ1oyVEkzSXdTQXcwd0RRWUpLb1pJaHZjTkFRRUwKQlFBd0hERWFNQmdHQTFVRUF3d1JaM0oxYlhCNUxtZHlkVzF3ZVM1emRtTXdIaGNOTWpNd01UQXhNVFl6T1RJdwpXaGNOTXpJeE1qSTVNVFl6T1RJd1dqQWNNUm93R0FZRFZRUUREQkZuY25WdGNIa3VaM0oxYlhCNUxuTjJZekNDCkFpSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnSVBBRENDQWdvQ2dnSUJBTEk3cWpoTnhYUHM3Q0JocVdVcXZ6UjAKVEhJSEJqZFl1Q00wOG1lcXFQWk9nVzRCVHZrR3hYSDl4dFhucWV6Z2NjZnNDMTRRTDdJZlU1N2xOTnhaaWREagp0SVl3Rzg3Z3EzMzdZcjgvZDIzTUVJTllCcGJ3VDhLRHFmanJxRks4U3pxSHlUMWg2WEkvRmpoUktKZUtMODdjCjFML21QNDJtSnY4K1R0TDIzU21yN3ZVdTk5aGtibW9XRzdsK0VKNnU4TEg1dVlhbXJ2ZHdueC9hZW1iUnlOZXMKdTV1STVZN2MrK1Y3OGtlbTNjNXNxQmlkcW81OElxQllpZ2NOZklac1pqZWF3a2ZUcmFwNFZHRXdjalMvQWFkcgo2c2VuUmNocVJyc295S3c3UnZCTTdydWEyMS9MdFBSeEZNR0lHSThPa0ZTWm4vd3ZpMDMxVmRTbDBYN3o5ZjJsCjdnazFNSUxOVGdFZEE0S3BUdW5ONGdRVG1UQW5PRTdVbncxOGhCN2xERmFrR3VKMVNEaGNDSXRTY3RidXJVUXMKWnVra1BpRTRnb0laSFhoYkZ5d042R2VpZDdvZGJ3bUYxOUZRaEZzcmREcktvZEEyWVdUL1hlWlNaVm91UXlsKwoyWXA1VGgwRG5BSzBKb0VwOHZHTjlVd0JZdVFZSXVkNjZ1ZGRPR0JUdFd5ekIwNjA2QmNabGxSbjQ3MVlsQ1dRCnQvZXQwU1VuYzhvUDFtTlpFbkFTUFNJV3FqdVNNRkNuWHZ6aDNGdXJOR3ZSRWk1Z3V5ajlKNTY1bTByWFRlVlEKR1ZFMHVTdEMrU3pRWXBsTW5GU3ZmdVVJeG40ZjNYWThCTlhyT05jeSt0eUl1NWk0RDZQT0Y5RUFqZ0RMc0xhegp6U2t1c3d0N3p0T1NWYkRWNDVYekFnTUJBQUdqY1RCdk1CMEdBMVVkRGdRV0JCUmVuOWp4MG9XRnQ2UHZFd2UvCjl5c3NweTF2YVRBZkJnTlZIU01FR0RBV2dCUmVuOWp4MG9XRnQ2UHZFd2UvOXlzc3B5MXZhVEFQQmdOVkhSTUIKQWY4RUJUQURBUUgvTUJ3R0ExVWRFUVFWTUJPQ0VXZHlkVzF3ZVM1bmNuVnRjSGt1YzNaak1BMEdDU3FHU0liMwpEUUVCQ3dVQUE0SUNBUUJPRW1zdk5VbkQrYkFOOUJqUHg5cGJRaTN5dFRCcEk4Y2hNWXllNHViYS9CUXpQRGpvCjNkcmxjTjA1ZTBoeWNSVG1rOXBYbVR4YWIvSkhrNWgzTmV2cFNIWVpQK2NvNlVOSkhLY2lkaXIwRmMzcEZLZEYKVmFEV3BIU2I0eGJjYUlVbnhKL3E1blNQQWRlQ0s2RGtoZlkxWXBibHpsaTArY2RWUWUyU2xLVVczRENKWkVmTgo0cmgvVm15V2JPZEVMc0NnWVkwN3lUVmcwcEM3Nm1pZVFodDd5RXBESTNVSG05UjArS1F6bWh6bjB1RU5ySjF6CnpIYUt3M3hlb3UxSG10dU04cXo1TWk4bXN1bTBVQ2FEeVRkc216L253OC9nNE9SQVFLRXlaOFBGVjM0YlFzM2QKNkpiTDVSQTVlS1lmOEc2WkpZbmoySWU3aFFnaThHR0hPb
mJXb1ArVStpNkRXcU9PaU1IbWdZaURFTG5SQkxubAp4aHc2ajR1bS9vQTZYMVg4UnZlcEM0UnVoNTJxL0kvbktTM1N5MENBWUQ5YUhXN0RncEdrQ1F3TVh0VTIzV25xCi9IU1pDWmViZzhnZWg2b2pRMzN2aHFZV212ekF3bkdvQnNVN3RLRklaV0xidmV0WG1jdEhsYStiVTZTaUgvTzIKekxwSzRhbVBsMC96S0tPcXBkWUNCa0w2ODIweXVkMVRxYUtjK1ZyeFo1RVBvOEx4SGttWTg2QzRvaFNiZWZyLwozU2Z6bk8wcW0wMlRsL2NUYW44dm5CNjdEMVJMMlpocEVmVlJ4THE1R2Jnd3p4cTN0S0ZOdEkrelV0b2M4NkJECk9XalNmYzlLOVR6Y2dIWDhHZER4dFZJRy9NcFZSVUgyVkFSM0p3V2NRQi8vTExzTVplK1FqbmhwQXc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
caBundle: "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"
rules:
- operations: ["CREATE","UPDATE"]
apiGroups: [""]
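Review bot: `caBundle` has to be the CA that issued `tls.crt` in the Secret added at the top of this file, and both are now hard-coded example values, so replacing one without the other makes the API server reject the webhook's certificate. State in the README that the generate-certs output must update both fields, or template them from one source.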
7 changes: 7 additions & 0 deletions manifests/rbac.yaml
Expand Up @@ -20,6 +20,13 @@ rules:
- serviceaccounts
verbs:
- get
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
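Review bot: The new `events` rule sits in a cluster-wide role (a `ClusterRoleBinding` follows), so `create` and `patch` on events apply in every namespace; a YAML comment saying what the webhook emits events for would justify that scope. `apiGroups: [""]` covers only core `v1` events, so if the webhook's recorder writes `events.k8s.io` events, that group needs its own entry.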