rbac: extend k8s-audit SA for deep-audit script

Add PVC, ArgoCD Application, and Deployment read access
so deep-audit.sh can use least-privilege k8s-audit SA
instead of admin-emergency kubeconfig.
This commit is contained in:
Claude 2026-02-23 10:28:45 +01:00
parent 9d79db71d9
commit f21106dbad


@ -46,6 +46,18 @@ rules:
- apiGroups: ["aquasecurity.github.io"]
resources: ["vulnerabilityreports"]
verbs: ["get", "list"]
# deep-audit: kubectl get pvc -n dev/staging/prod (orphaned PVC check)
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list"]
# deep-audit: kubectl get app -n argocd (sync status check)
- apiGroups: ["argoproj.io"]
resources: ["applications"]
verbs: ["get", "list"]
# deep-audit: kubectl get deploy (version drift check)
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
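Review bot: the three new rules are cluster-wide while their comments describe namespace-scoped use (`-n dev/staging/prod` for PVCs, `-n argocd` for Applications). The trailing context is a `ClusterRoleBinding`, so this `rules:` block belongs to a ClusterRole and the k8s-audit SA gets `get`/`list` on persistentvolumeclaims, applications and deployments in every namespace, kube-system included. If deep-audit.sh only needs the namespaces named in the comments, move the PVC and Deployment rules into namespaced Roles for dev, staging and prod and the `argoproj.io` applications rule into a Role in argocd, each attached with a RoleBinding, so the "least-privilege" claim in the commit message holds; if cluster-wide read is actually intended (the deployments comment gives no namespace), say so in the comments so the scope is documented. The verbs themselves (`get`, `list` only, no `watch` or write verbs) are appropriate for a read-only audit.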