jovies/deploy/kaniko/rbac.yaml
Mayne0213 37a7dbd561 CHORE(deploy): use argocd for kaniko
Infrastructure as Code:
- Add Kaniko namespace and RBAC manifests
- Create ArgoCD Application for Kaniko infrastructure
- Kustomize configuration for Kaniko resources

Workflow improvements:
- Remove kubeconfig dependency
- Use in-cluster ServiceAccount (runner runs in K8s)
- Remove all sudo commands
- Simplify Kubernetes access

GitOps workflow:
1. Push manifests to Git
2. ArgoCD auto-syncs infrastructure
3. Gitea runner uses ServiceAccount permissions
4. Kaniko builds run in kaniko-builds namespace

Benefits:
- True GitOps approach
- No secrets management needed
- Declarative infrastructure
- ArgoCD handles reconciliation
- Audit trail in Git
2025-12-28 17:36:10 +09:00


---
# ServiceAccount for Gitea runner (optional, if you want dedicated SA)
# Note: the bindings below are attached to the `default` ServiceAccount in
# the gitea namespace, not to this account, so creating it alone grants nothing.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitea-runner
  namespace: gitea
---
# Role to manage Kaniko builds (namespaced to kaniko-builds)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kaniko-builder
  namespace: kaniko-builds
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "get", "list", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Write access to secrets in kaniko-builds (no list/delete)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
---
# RoleBinding for default ServiceAccount in gitea namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitea-runner-kaniko-builder
  namespace: kaniko-builds
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitea
roleRef:
  kind: Role
  name: kaniko-builder
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole to create namespaces (if needed); cluster-scoped, so it applies to every namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: namespace-creator
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "get", "list"]
---
# ClusterRoleBinding for default ServiceAccount in gitea namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gitea-runner-namespace-creator
subjects:
  - kind: ServiceAccount
    name: default
    namespace: gitea
roleRef:
  kind: ClusterRole
  name: namespace-creator
  apiGroup: rbac.authorization.k8s.io
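The following is an added example, not code from the jovies repository, showing how to review what the manifest above actually grants before ArgoCD syncs it. The manifest objects are re-stated as Python dicts (constructed to mirror rbac.yaml) so the script runs offline without a YAML library; it resolves the effective permissions of one ServiceAccount the way `kubectl auth can-i` would, and reports the points a least-privilege review would raise: the bindings target the namespace's `default` ServiceAccount rather than the dedicated `gitea-runner` account, one grant is cluster-wide, and the Role includes write verbs on secrets. Function names (`effective_permissions`, `can_i`, `review`) are this example's own.

```python
"""Least-privilege review of the kaniko RBAC manifest (added example, not project code)."""
from collections import defaultdict

# Constructed mirror of rbac.yaml: a dedicated SA is created, but both bindings
# name the `default` SA in the gitea namespace.
MANIFEST = [
    {"kind": "ServiceAccount", "metadata": {"name": "gitea-runner", "namespace": "gitea"}},
    {"kind": "Role", "metadata": {"name": "kaniko-builder", "namespace": "kaniko-builds"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create", "get", "list", "delete"]},
         {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]},
         {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
         {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get", "list", "watch", "delete"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create", "update", "patch"]},
     ]},
    {"kind": "RoleBinding", "metadata": {"name": "gitea-runner-kaniko-builder", "namespace": "kaniko-builds"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "gitea"}],
     "roleRef": {"kind": "Role", "name": "kaniko-builder"}},
    {"kind": "ClusterRole", "metadata": {"name": "namespace-creator"},
     "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["create", "get", "list"]}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "gitea-runner-namespace-creator"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "gitea"}],
     "roleRef": {"kind": "ClusterRole", "name": "namespace-creator"}},
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def effective_permissions(manifest, sa_namespace, sa_name):
    """Return {(scope, apiGroup, resource): set(verbs)} for one ServiceAccount.

    scope is the binding's namespace for a RoleBinding and "*" for a
    ClusterRoleBinding (cluster-wide). A RoleBinding may reference a Role in
    its own namespace or a ClusterRole; either way the grant stays namespaced.
    """
    roles = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in manifest if o["kind"] in ("Role", "ClusterRole")}
    perms = defaultdict(set)
    for obj in manifest:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace") == sa_namespace for s in obj.get("subjects", [])):
            continue
        ref = obj["roleRef"]
        if obj["kind"] == "RoleBinding":
            scope = obj["metadata"]["namespace"]
            key = ("Role", scope, ref["name"]) if ref["kind"] == "Role" else ("ClusterRole", None, ref["name"])
        else:
            scope = "*"
            key = ("ClusterRole", None, ref["name"])
        role = roles.get(key)
        if role is None:
            continue  # a dangling roleRef grants nothing
        for rule in role.get("rules", []):
            for group in rule.get("apiGroups", [""]):
                for resource in rule.get("resources", []):
                    perms[(scope, group, resource)].update(rule.get("verbs", []))
    return dict(perms)


def can_i(perms, verb, resource, namespace, api_group=""):
    """Mimic `kubectl auth can-i`: allowed if a namespaced or cluster-wide grant covers it."""
    for scope in (namespace, "*"):
        verbs = perms.get((scope, api_group, resource), set())
        if verb in verbs or "*" in verbs:
            return True
    return False


def review(manifest, sa_namespace, sa_name):
    """Findings a least-privilege review of this manifest would raise for one SA."""
    perms = effective_permissions(manifest, sa_namespace, sa_name)
    findings = []
    if sa_name == "default":
        findings.append("bindings target the namespace `default` ServiceAccount, which every pod "
                        "in that namespace without an explicit serviceAccountName also uses")
    created = {(o["metadata"]["namespace"], o["metadata"]["name"])
               for o in manifest if o["kind"] == "ServiceAccount"}
    bound = {(s["namespace"], s["name"]) for o in manifest if o["kind"].endswith("Binding")
             for s in o.get("subjects", []) if s.get("kind") == "ServiceAccount"}
    for ns, name in sorted(created - bound):
        findings.append(f"ServiceAccount {ns}/{name} is created but no binding references it")
    for (scope, group, resource), verbs in sorted(perms.items()):
        if scope == "*":
            findings.append(f"cluster-wide grant: {group or 'core'}/{resource} {sorted(verbs)}")
        if resource == "secrets" and verbs & WRITE_VERBS:
            findings.append(f"write access to secrets in {scope}: {sorted(verbs & WRITE_VERBS)}")
    return findings


if __name__ == "__main__":
    p = effective_permissions(MANIFEST, "gitea", "default")
    print("create jobs in kaniko-builds:", can_i(p, "create", "jobs", "kaniko-builds", "batch"))
    print("create jobs in gitea:", can_i(p, "create", "jobs", "gitea", "batch"))
    for finding in review(MANIFEST, "gitea", "default"):
        print("-", finding)
```

Running it against the mirrored manifest confirms the intended scoping (job creation is allowed in kaniko-builds only, namespace creation everywhere) and lists the review points; the same `review` function can be pointed at a manifest for the `gitea-runner` account to verify that a binding has been switched over to it.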