From e1196d437f9578f77260003030b66940e5d72975 Mon Sep 17 00:00:00 2001
From: Khwezi
Date: Sun, 12 Apr 2026 13:50:09 +0200
Subject: [PATCH 1/2] Added a semaphore service account

---
 kubernetes-templates/semaphoreui.yml | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/kubernetes-templates/semaphoreui.yml b/kubernetes-templates/semaphoreui.yml
index 8303bc4..d787185 100644
--- a/kubernetes-templates/semaphoreui.yml
+++ b/kubernetes-templates/semaphoreui.yml
@@ -5,6 +5,12 @@ metadata:
 name: semaphore
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: semaphore-sa
+ namespace: semaphore
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
 name: semaphore-data-pvc
@@ -58,6 +64,7 @@ spec:
 labels:
 app: semaphore
 spec:
+ serviceAccountName: semaphore-sa
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
@@ -120,18 +127,14 @@ spec:
 - name: semaphore-persistent-storage
 mountPath: /tmp/semaphore
 subPath: tmp
- - name: ssh-keys-secret
- mountPath: /home/semaphore/.ssh/id_ed25519
- subPath: id_ed25519
- - name: ssh-keys-secret
- mountPath: /home/semaphore/.ssh/id_ed25519.pub
- subPath: id_ed25519.pub
-
+ - name: ssh-keys-volume
+ mountPath: /home/semaphore/.ssh
+ readOnly: true
 volumes:
 - name: semaphore-persistent-storage
 persistentVolumeClaim:
 claimName: semaphore-data-pvc
- - name: ssh-keys-secret
+ - name: ssh-keys-volume
 secret:
 secretName: semaphore-secrets
 defaultMode: 384

From 2d4ccc7910d7dbb6321feaf8dfbb15ce1a726ac8 Mon Sep 17 00:00:00 2001
From: Khwezi
Date: Sun, 12 Apr 2026 13:54:24 +0200
Subject: [PATCH 2/2] Added semaphore role binding

---
 kubernetes-templates/semaphoreui.yml | 32 +++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/kubernetes-templates/semaphoreui.yml b/kubernetes-templates/semaphoreui.yml
index d787185..6119d07 100644
--- a/kubernetes-templates/semaphoreui.yml
+++ b/kubernetes-templates/semaphoreui.yml
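Review bot: Mounting the secret volume over `/home/semaphore/.ssh` with `readOnly: true` makes the whole `.ssh` directory read-only, so the ssh client cannot create or update `known_hosts` there, and it shadows anything the home PVC held under `.ssh`. It also projects every key of `semaphore-secrets` into `.ssh`, not just the two id_ed25519 files the removed mounts selected, so any other item later added to that Secret lands in the ssh directory. `defaultMode: 384` (0600) only sets the file mode bits; projected Secret files are root-owned unless the pod's securityContext (not shown in this hunk) arranges group ownership via `fsGroup`, so a non-root semaphore process may be unable to read the private key — worth confirming. If the directory mount is intended, point ssh at a writable `UserKnownHostsFile` or keep known_hosts on the PVC. The container spec these mounts belong to starts outside the hunk.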
@@ -10,6 +10,30 @@ metadata:
 name: semaphore-sa
 namespace: semaphore
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: semaphore-role
+ namespace: semaphore
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "secrets", "configmaps"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: semaphore-rb
+ namespace: semaphore
+subjects:
+ - kind: ServiceAccount
+ name: semaphore-sa
+ namespace: semaphore
+roleRef:
+ kind: Role
+ name: semaphore-role
+ apiGroups: rbac.authorization.k8s.io
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -123,13 +147,15 @@ spec:
 volumeMounts:
 - name: semaphore-persistent-storage
 mountPath: /home/semaphore
- subPath: home
 - name: semaphore-persistent-storage
 mountPath: /tmp/semaphore
 subPath: tmp
 - name: ssh-keys-volume
- mountPath: /home/semaphore/.ssh
- readOnly: true
+ mountPath: /home/semaphore/.ssh/id_ed25519
+ subPath: id_ed25519
+ - name: ssh-keys-volume
+ mountPath: /home/semaphore/.ssh/id_ed25519.pub
+ subPath: id_ed25519.pub
 volumes:
 - name: semaphore-persistent-storage
 persistentVolumeClaim:
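Review bot: `roleRef` uses the key `apiGroups`, but the RoleBinding field is the singular `apiGroup`; the misspelled key is unknown to the schema and the required `apiGroup` is left empty, which should fail RoleBinding validation (or, under lax validation, leave a binding that references nothing), so `semaphore-sa` gets none of the intended permissions: `apiGroup: rbac.authorization.k8s.io`. Separately, the Role grants `get`, `list` and `watch` on every Secret in the namespace, which includes `semaphore-secrets` holding the ssh private key and any Secret later created there; `list` cannot be narrowed by `resourceNames`, so if the workload needs only specific objects, drop `list`/`watch` on `secrets` and restrict `get` with `resourceNames`. Nothing visible in either commit shows Semaphore calling the Kubernetes API; if it does not, the Role and binding can be dropped and `automountServiceAccountToken: false` set on the ServiceAccount instead.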
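Review bot: Switching back to `subPath` mounts of the two key files drops the `readOnly: true` the previous commit added, and Kubernetes does not propagate Secret updates into subPath-mounted files, so a rotated `semaphore-secrets` will not reach the running pod until it restarts; restoring `readOnly: true` on both mounts is cheap. Removing `subPath: home` also changes what the PVC mount at `/home/semaphore` points at — the PVC root rather than its `home/` directory — so data written under the old layout now appears at `/home/semaphore/home`, and the `tmp` directory used by the `/tmp/semaphore` mount becomes visible inside the home directory as well; worth confirming this relocation is intended and that existing volumes are migrated. The container spec these mounts belong to starts outside the hunk.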