From 9f9058e3c01ba24fd30cb868618318c6929a87e7 Mon Sep 17 00:00:00 2001
From: Victor
Date: Thu, 11 May 2023 15:06:18 +0200
Subject: [PATCH] expand rbac
---
 flux/olympus/apps/flux-system/rbac.yaml | 57 +++++++++++++++++--------
 1 file changed, 39 insertions(+), 18 deletions(-)
diff --git a/flux/olympus/apps/flux-system/rbac.yaml b/flux/olympus/apps/flux-system/rbac.yaml
index bf35310..f32f336 100644
--- a/flux/olympus/apps/flux-system/rbac.yaml
+++ b/flux/olympus/apps/flux-system/rbac.yaml
@@ -5,24 +5,45 @@ kind: ClusterRole
 metadata:
 name: weave-admin
 rules:
- - apiGroups: [""]
- resources: ["secrets", "pods" ]
- verbs: [ "get", "list" ]
- - apiGroups: ["apps"]
- resources: [ "deployments", "replicasets"]
- verbs: [ "get", "list" ]
- - apiGroups: ["kustomize.toolkit.fluxcd.io"]
- resources: [ "kustomizations" ]
- verbs: [ "get", "list", "patch" ]
- - apiGroups: ["helm.toolkit.fluxcd.io"]
- resources: [ "helmreleases" ]
- verbs: [ "get", "list", "patch" ]
- - apiGroups: ["source.toolkit.fluxcd.io"]
- resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
- verbs: [ "get", "list", "patch" ]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["get", "watch", "list"]
+# Flux Resources
+- apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ resources: [ "kustomizations" ]
+ verbs: [ "get", "list", "patch" ]
+- apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources: [ "helmreleases" ]
+ verbs: [ "get", "list", "patch" ]
+- apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: [ "buckets", "helmcharts", "gitrepositories", "helmrepositories", "ocirepositories" ]
+ verbs: [ "get", "list", "patch" ]
+- apiGroups: [ "notification.toolkit.fluxcd.io" ]
+ resources: [ "providers", "alerts" ]
+ verbs: [ "get", "list" ]
+- apiGroups: ["infra.contrib.fluxcd.io"]
+ resources: ["terraforms"]
+ verbs: [ "get", "list", "patch" ]
+# Resources managed via Flux
+- apiGroups: [""]
+ resources: ["configmaps", "secrets", "pods", "services", "namespaces", "persistentvolumes", "persistentvolumeclaims"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["apps"]
+ resources: [ "deployments", "replicasets", "statefulsets"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["batch"]
+ resources: [ "jobs", "cronjobs"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["autoscaling"]
+ resources: ["horizontalpodautoscalers"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings"]
+ verbs: [ "get", "list" ]
+- apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: [ "get", "list" ]
+# Feedback
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "watch", "list"]
 ---
 # Bind the cluster admin role to admins
 apiVersion: rbac.authorization.k8s.io/v1
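Review bot: The rule under `# Resources managed via Flux` grants `get` and `list` on core-group `secrets` with no namespace scope (this is a ClusterRole), and `list` returns every Secret's full data, so the "managed resources" grouping understates what this rule exposes; together with the retained `patch` on Flux sources and kustomizations, which presumably lets a holder change what Flux reconciles, the role is closer to cluster-wide write access than the read-only verbs on the other rules suggest. If the consumer (presumably the Weave GitOps UI) genuinely needs secret contents, record that above the rule, e.g. `# NOTE: list on secrets exposes every Secret's data cluster-wide; confirm the UI needs more than get on named secrets`; otherwise drop `secrets` from that resource list or grant it through a namespaced Role. As a style point, the new side switches the `rules:` sequence from indented to flush and mixes `[ "get", "list" ]` with `["get", "watch", "list"]` bracket spacing, so pick one form file-wide to keep yamllint's `indentation` and `brackets` checks clean. The ClusterRole's `apiVersion`/`kind` lines precede the hunk, and the binding that follows the `---` is outside it.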