diff --git a/kubernetes-templates/semaphoreui.yml b/kubernetes-templates/semaphoreui.yml
index 8303bc4..6119d07 100644
--- a/kubernetes-templates/semaphoreui.yml
+++ b/kubernetes-templates/semaphoreui.yml
@@ -5,6 +5,36 @@ metadata:
 name: semaphore
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: semaphore-sa
+ namespace: semaphore
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: semaphore-role
+ namespace: semaphore
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "secrets", "configmaps"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: semaphore-rb
+ namespace: semaphore
+subjects:
+ - kind: ServiceAccount
+ name: semaphore-sa
+ namespace: semaphore
+roleRef:
+ kind: Role
+ name: semaphore-role
+ apiGroups: rbac.authorization.k8s.io
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: semaphore-data-pvc
@@ -58,6 +88,7 @@ spec:
 labels:
 app: semaphore
 spec:
+ serviceAccountName: semaphore-sa
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
@@ -116,22 +147,20 @@ spec:
 volumeMounts:
 - name: semaphore-persistent-storage
 mountPath: /home/semaphore
- subPath: home
 - name: semaphore-persistent-storage
 mountPath: /tmp/semaphore
 subPath: tmp
- - name: ssh-keys-secret
+ - name: ssh-keys-volume
 mountPath: /home/semaphore/.ssh/id_ed25519
 subPath: id_ed25519
- - name: ssh-keys-secret
+ - name: ssh-keys-volume
 mountPath: /home/semaphore/.ssh/id_ed25519.pub
 subPath: id_ed25519.pub
-
 volumes:
 - name: semaphore-persistent-storage
 persistentVolumeClaim:
 claimName: semaphore-data-pvc
- - name: ssh-keys-secret
+ - name: ssh-keys-volume
 secret:
 secretName: semaphore-secrets
 defaultMode: 384
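Review bot: The RoleBinding's `roleRef` uses `apiGroups:`, but the RoleRef field is the singular `apiGroup`, and the API server only accepts a roleRef whose apiGroup is `rbac.authorization.k8s.io`; as written the manifest either fails on the unknown field or, if that field is dropped, fails validation on an empty apiGroup, so `semaphore-sa` ends up bound to nothing — change the line to `apiGroup: rbac.authorization.k8s.io`. Separately, the Role grants `get`/`list`/`watch` on every Secret in the namespace, while the only secret this pod visibly needs (`semaphore-secrets`) arrives through a volume mount that requires no RBAC at all. Semaphore executes user-authored playbooks, so anything the mounted token can do is reachable from a task; unless the application is known to read Secrets via the API, drop `secrets` from the rule, and if one specific Secret is needed, restrict it with `resourceNames: ["semaphore-secrets"]` on a separate rule.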
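Review bot: Setting `serviceAccountName: semaphore-sa` makes the kubelet mount that account's token into the Semaphore container by default, and whether Semaphore actually calls the Kubernetes API is not visible in this diff. If it does not, add `automountServiceAccountToken: false` directly under this line so the token is never exposed to the playbooks the pod runs; if it does, the mounted token is what every Ansible task will inherit, so the Role bound to this account should be no wider than those calls require. The pod spec continues outside the hunk.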
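Review bot: Dropping `subPath: home` from the `/home/semaphore` mount changes the on-disk layout for an existing PVC: the volume root is now mounted there, so data a running deployment previously stored under the `home/` prefix appears at `/home/semaphore/home` instead of `/home/semaphore`, and the `tmp` subPath still mounted at `/tmp/semaphore` is also reachable at `/home/semaphore/tmp` because both mounts use the same `semaphore-data-pvc`. If the new layout is intended, a one-time move of `home/*` to the PVC root (or a comment stating that the PVC root is the home directory) would avoid a silent loss of configuration on upgrade; otherwise the subPath should stay. The SSH key files are also projected with `subPath` from a Secret, and Kubernetes does not refresh subPath-mounted Secret files when the Secret changes, so rotating `semaphore-secrets` requires a pod restart; a comment such as `# subPath mounts are not updated on Secret rotation; restart the pod after changing the key` above the `ssh-keys-volume` mounts would make that explicit. The container and pod specs continue outside the hunk.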