admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
3ef3a6bc98b790480577e87fbc75bee5b3438862
kubesphere/config/ks-core/templates/builtinroles.yaml
KubeSphere CI Bot f89c55c484 [release-4.1] adjust the authorization rules for workspace roles (#6331) 
adjust the authorization rules for workspace roles

Signed-off-by: hongming <coder.scala@gmail.com>
Co-authored-by: hongming <coder.scala@gmail.com>
2025-01-07 09:39:25 +08:00

252 lines
6.4 KiB
YAML
Raw Blame History

apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
labels:
iam.kubesphere.io/scope: "namespace"
name: project-admin
targetSelector:
matchLabels:
kubesphere.io/managed: "true"
role:
aggregationRoleTemplates:
roleSelector:
matchLabels:
iam.kubesphere.io/scope: "namespace"
kubesphere.io/managed: "true"
apiVersion: iam.kubesphere.io/v1beta1
kind: Role
metadata:
annotations:
kubesphere.io/creator: system
kubesphere.io/description: '{"zh": "管理项目中的所有资源。", "en": "Manage all resources in the project."}'
iam.kubesphere.io/auto-aggregate: "true"
name: admin
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
---
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
labels:
iam.kubesphere.io/scope: "namespace"
name: project-operator
targetSelector:
matchLabels:
kubesphere.io/managed: "true"
role:
aggregationRoleTemplates:
roleSelector:
matchLabels:
iam.kubesphere.io/aggregate-to-operator: ""
kubesphere.io/managed: "true"
iam.kubesphere.io/scope: "namespace"
apiVersion: iam.kubesphere.io/v1beta1
kind: Role
metadata:
annotations:
kubesphere.io/creator: system
kubesphere.io/description: '{"zh": "管理项目中除用户和角色之外的资源。", "en": "Manage resources other than users and roles in the project."}'
iam.kubesphere.io/auto-aggregate: "true"
name: operator
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- apiGroups:
- ""
- apps
- extensions
- batch
- autoscaling
- app.k8s.io
- operations.kubesphere.io
- resources.kubesphere.io
- config.istio.io
- events.k8s.io
- events.kubesphere.io
- snapshot.storage.k8s.io
- networking.k8s.io
resources:
- '*'
verbs:
- '*'
---
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
labels:
iam.kubesphere.io/scope: "namespace"
name: project-viewer
targetSelector:
matchLabels:
kubesphere.io/managed: "true"
role:
aggregationRoleTemplates:
roleSelector:
matchLabels:
iam.kubesphere.io/aggregate-to-viewer: ""
kubesphere.io/managed: "true"
iam.kubesphere.io/scope: "namespace"
apiVersion: iam.kubesphere.io/v1beta1
kind: Role
metadata:
annotations:
kubesphere.io/creator: system
kubesphere.io/description: '{"zh": "查看项目中的所有资源。", "en": "View all resources in the project."}'
iam.kubesphere.io/auto-aggregate: "true"
name: viewer
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
---
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
name: workspace-admin
labels:
iam.kubesphere.io/scope: "workspace"
role:
aggregationRoleTemplates:
roleSelector:
matchLabels:
iam.kubesphere.io/scope: 'workspace'
templateNames:
- workspace-manage-workspace-settings
- workspace-view-workspace-settings
- workspace-manage-projects
- workspace-view-projects
- workspace-create-projects
- workspace-view-members
- workspace-manage-members
- workspace-manage-roles
- workspace-view-roles
- workspace-manage-groups
- workspace-view-groups
apiVersion: iam.kubesphere.io/v1beta1
kind: WorkspaceRole
metadata:
annotations:
kubesphere.io/creator: system
kubesphere.io/description: '{"zh": "管理企业空间中的所有资源。", "en": "Manage all resources in the workspace."}'
iam.kubesphere.io/auto-aggregate: "true"
name: admin
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
---
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
name: workspace-regular
labels:
iam.kubesphere.io/scope: "workspace"
role:
aggregationRoleTemplates:
roleSelector:
matchLabels:
iam.kubesphere.io/aggregate-to-regular: ""
iam.kubesphere.io/scope: "workspace"
templateNames:
- workspace-view-workspace-settings
- workspace-view-members
- workspace-view-roles
apiVersion: iam.kubesphere.io/v1beta1
kind: WorkspaceRole
metadata:
annotations:
kubesphere.io/creator: system
kubesphere.io/description: '{"zh": "查看企业空间设置。", "en": "View workspace settings."}'
iam.kubesphere.io/auto-aggregate: "true"
name: regular
rules: []
---
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
name: workspace-self-provisioner
labels:
iam.kubesphere.io/scope: "workspace"
role:
aggregationRoleTemplates:
roleSelector:
matchLabels:
iam.kubesphere.io/aggregate-to-self-provisioner: ""
iam.kubesphere.io/scope: "workspace"
templateNames:
- workspace-create-projects
- workspace-view-workspace-settings
- workspace-view-members
- workspace-view-roles
- workspace-view-app-repos
apiVersion: iam.kubesphere.io/v1beta1
kind: WorkspaceRole
metadata:
annotations:
kubesphere.io/creator: system
kubesphere.io/description: '{"zh": "查看企业设置、创建项目。", "en": "View workspace settings, create projects."}'
iam.kubesphere.io/auto-aggregate: "true"
name: self-provisioner
rules: []
---
apiVersion: iam.kubesphere.io/v1beta1
kind: BuiltinRole
metadata:
name: workspace-viewer
labels:
iam.kubesphere.io/scope: "workspace"
role:
aggregationRoleTemplates:
roleSelector:
matchLabels:
iam.kubesphere.io/scope: "workspace"
iam.kubesphere.io/aggregate-to-viewer: ""
templateNames:
- workspace-view-projects
- workspace-view-members
- workspace-view-roles
- workspace-view-groups
- workspace-view-workspace-settings
apiVersion: iam.kubesphere.io/v1beta1
kind: WorkspaceRole
metadata:
annotations:
kubesphere.io/creator: system
kubesphere.io/description: '{"zh": "查看企业空间中的所有资源。", "en": "View all resources in the workspace."}'
iam.kubesphere.io/auto-aggregate: "true"
name: viewer
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
Reference in New Issue View Git Blame Copy Permalink