sandbox-config.yaml
# Flowify needs a namespace to store config maps.
# No other data will be stored in the config ns
---
# Config namespace: holds the Flowify workspace ConfigMaps.
# NOTE(review): the ConfigMaps stored here carry `roles` lists; presumably
# these gate workspace access, so write access to this namespace should be
# limited to whoever administers Flowify — confirm against cluster RBAC.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox-config
  labels:
    app.kubernetes.io/part-of: flowify
# Each workspace consists of a namespace
# and a config map (stored in the config namespace)
---
# Workspace namespace 'sandbox-project-a'.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox-project-a
  labels:
    app.kubernetes.io/part-of: flowify
---
# Workspace config for the developer workspace 'sandbox-project-a'.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sandbox-project-a
  # Config lookup uses the namespace given by the `namespace` command-line
  # flag. NOTE(review): the original comment appears to give the flag's
  # default as `test`, not this namespace — confirm deployments set the flag
  # to `sandbox-config`, otherwise this config is never read.
  namespace: sandbox-config
  labels:
    app.kubernetes.io/component: workspace-config
    app.kubernetes.io/part-of: flowify
data:
  # JSON text stored as a string value.
  # NOTE(review): this is a nested list, while the config for
  # sandbox-project-b uses a flat list — confirm the consumer accepts both
  # shapes and that each grants access to exactly the intended role.
  roles: '[["sandbox-developer"]]'
---
# Workspace namespace 'sandbox-project-b'.
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox-project-b
  labels:
    app.kubernetes.io/part-of: flowify
---
# Workspace/project config for 'sandbox-project-b'.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sandbox-project-b
  # Config lookup uses the namespace given by the `namespace` command-line
  # flag. NOTE(review): the original comment appears to give the flag's
  # default as `test`, not this namespace — confirm deployments set the flag
  # to `sandbox-config`, otherwise this config is never read.
  namespace: sandbox-config
  labels:
    app.kubernetes.io/component: workspace-config
    app.kubernetes.io/part-of: flowify
data:
  # JSON text stored as a string value.
  # NOTE(review): this is a flat list, while the config for
  # sandbox-project-a uses a nested list — confirm the consumer accepts both
  # shapes and that each grants access to exactly the intended role.
  roles: '["sandbox-admin"]'
---
# Role for sandbox-project-a: the permissions handed to whatever subject is
# bound to `workflow-role` in that namespace. All rules are namespace-scoped.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: workflow-role
  namespace: sandbox-project-a
rules:
  # Read and patch pods in the namespace.
  - apiGroups: [""]
    resources: [pods]
    verbs: [get, watch, patch]
  # Read and follow pod logs.
  - apiGroups: [""]
    resources: [pods/log]
    verbs: [get, watch]
  # `create` on pods/exec allows running commands inside any pod in this
  # namespace. NOTE(review): presumably only needed by older Argo workflow
  # executors — confirm the executor in use requires it and drop this rule
  # if it does not.
  - apiGroups: [""]
    resources: [pods/exec]
    verbs: [create]
  # Applies to every ConfigMap in the namespace, not a named subset.
  # NOTE(review): if only specific ConfigMaps are needed, `resourceNames`
  # can narrow get/update — confirm which ones workflows actually touch.
  - apiGroups: [""]
    resources: [configmaps]
    verbs: [create, get, update]
  # Create and read Argo Workflow objects.
  - apiGroups: [argoproj.io]
    resources: [workflows]
    verbs: [create, get]
  # Manage Argo WorkflowTaskSet objects and their finalizers.
  - apiGroups: [argoproj.io]
    resources: [workflowtasksets, workflowtasksets/finalizers]
    verbs: [list, watch, get, update, patch]
---
# Role binding for sandbox-project-a: grants `workflow-role` to the
# namespace's `default` ServiceAccount.
# NOTE(review): pods that do not set `serviceAccountName` run as `default`,
# so every such pod in sandbox-project-a receives these permissions
# (including pods/exec and ConfigMap writes), not only workflow pods.
# Binding to a dedicated ServiceAccount used only by workflows would narrow
# this — confirm whether workflows can be submitted with one.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: workflow-project-a-binding
  namespace: sandbox-project-a
roleRef:
  kind: Role
  name: workflow-role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: default
    namespace: sandbox-project-a
---
# Role descriptions: one human-readable line per role name used in the
# workspace configs' `roles` lists.
apiVersion: v1
kind: ConfigMap
metadata:
  name: role-descriptions
  namespace: sandbox-config
  labels:
    app.kubernetes.io/part-of: flowify
data:
  sandbox-developer: 'Need to play in the sandbox'
  sandbox-admin: 'Required for God-mode'