64 lines
1.4 KiB
YAML
64 lines
1.4 KiB
YAML
# Namespace Isolation Configuration
|
|
# Network Policies and RBAC for shared clusters
|
|
|
|
apiVersion: v1
|
|
kind: Namespace
|
|
metadata:
|
|
name: shared-services
|
|
labels:
|
|
name: shared-services
|
|
type: shared
|
|
---
|
|
# Network Policy: Allow ingress from shared-services namespace
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: NetworkPolicy
|
|
metadata:
|
|
name: allow-from-shared-services
|
|
namespace: default
|
|
spec:
|
|
podSelector: {}
|
|
policyTypes:
|
|
- Ingress
|
|
ingress:
|
|
- from:
|
|
- namespaceSelector:
|
|
matchLabels:
|
|
name: shared-services
|
|
---
|
|
# RBAC: Service Account for shared services
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: shared-services-sa
|
|
namespace: shared-services
|
|
---
|
|
# Role: Limited permissions for shared services
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: shared-services-role
|
|
namespace: shared-services
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods", "services"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: ["apps"]
|
|
resources: ["deployments"]
|
|
verbs: ["get", "list", "watch"]
|
|
---
|
|
# RoleBinding: Bind role to service account
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: shared-services-binding
|
|
namespace: shared-services
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: shared-services-sa
|
|
namespace: shared-services
|
|
roleRef:
|
|
kind: Role
|
|
name: shared-services-role
|
|
apiGroup: rbac.authorization.k8s.io
|
|
|