fix: use namespaced Role and RoleBinding instead of ClusterRole

SocialGouv · Oct 27, 2022 · a39479f · a39479f
1 parent d0ebb57
commit a39479f
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/nsplease.sh b/nsplease.sh
@@ -24,9 +24,16 @@ main() {
     while read -r NAMESPACE PROJECT; do
       info "got labelled namespace: $NAMESPACE $PROJECT"
 
+      # create privileged role in requested namespace
+      out kubectl create role nsplease-role \
+        --namespace="$NAMESPACE" \
+        --verb="*" \
+        --resource="*"
+
       # give rights on namespace to project's ServiceAccount
-      out kubectl create clusterrolebinding "nsplease-crb-$PROJECT-$NAMESPACE" \
-        --clusterrole=cluster-admin \
+      out kubectl create rolebinding "nsplease-rb-$PROJECT-$NAMESPACE" \
+        --namespace="$NAMESPACE" \
+        --role=nsplease-role \
         --serviceaccount="$PROJECT:nsplease-sa"
 
       # remove label to avoid doing this again for the same namespace