kubernetes-templates/semaphoreui.yml

@@ -5,6 +5,36 @@ metadata:
   name: semaphore
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: semaphore-sa
+  namespace: semaphore
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: semaphore-role
+  namespace: semaphore
+rules:
+  - apiGroups: [""]
+    resources: ["pods", "secrets", "configmaps"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: semaphore-rb
+  namespace: semaphore
+subjects:
+  - kind: ServiceAccount
+    name: semaphore-sa
+    namespace: semaphore
+roleRef:
+  kind: Role
+  name: semaphore-role
+  apiGroups: rbac.authorization.k8s.io
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: semaphore-data-pvc
@@ -58,6 +88,7 @@ spec:
       labels:
         app: semaphore
     spec:
+      serviceAccountName: semaphore-sa
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -116,22 +147,20 @@ spec:
           volumeMounts:
             - name: semaphore-persistent-storage
               mountPath: /home/semaphore
-              subPath: home
             - name: semaphore-persistent-storage
               mountPath: /tmp/semaphore
               subPath: tmp
-            - name: ssh-keys-secret
+            - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519
               subPath: id_ed25519
-            - name: ssh-keys-secret
+            - name: ssh-keys-volume
               mountPath: /home/semaphore/.ssh/id_ed25519.pub
               subPath: id_ed25519.pub
-
       volumes:
         - name: semaphore-persistent-storage
           persistentVolumeClaim:
             claimName: semaphore-data-pvc
-        - name: ssh-keys-secret
+        - name: ssh-keys-volume
           secret:
             secretName: semaphore-secrets
             defaultMode: 384