docs: add RBAC section in README.md (#19)
matheusfm authored Jul 6, 2023
1 parent 547848d commit f37a7e9
Showing 1 changed file with 53 additions and 0 deletions.
53 changes: 53 additions & 0 deletions README.md
Expand Up @@ -35,6 +35,7 @@ Marvin is also used as a plugin in [Zora](https://zora-docs.undistro.io/latest/)
* [Built-in checks](#built-in-checks)
* [Custom checks](#custom-checks)
* [Skipping resources](#skipping-resources)
* [RBAC](#rbac)
* [Contributing](#contributing)
* [License](#license)
<!-- TOC -->
Expand Down Expand Up @@ -186,6 +187,58 @@ If you prefer to use a different annotation to skip checks,
you can use the `--skip-annotation` flag to specify the annotation name.
Example: `--skip-annotation='my-company.com/skip-checks'`

## RBAC

Currently, the built-in checks look for the below resources
and Marvin needs view (`get` and `list`) permission to verify them.

- `v1/pods`
- `v1/configmaps`
- `v1/services`
- `apps/v1/deployments`
- `apps/v1/daemonsets`
- `apps/v1/statefulsets`
- `apps/v1/replicasets`
- `batch/v1/cronjobs`
- `batch/v1/jobs`

<details>

<summary> Here is a sample `ClusterRole` for Marvin: </summary>

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: marvin
rules:
- apiGroups: [ "" ]
resources:
- configmaps
- pods
- services
verbs: [ "get", "list" ]
- apiGroups: [ "apps" ]
resources:
- daemonsets
- deployments
- statefulsets
- replicasets
verbs: [ "get", "list" ]
- apiGroups: [ batch ]
resources:
- jobs
- cronjobs
verbs: [ "get", "list" ]
```
</details>
> **Note**
> You can write a custom check to look at any resource.
> But Marvin needs view permission.
> Remember to update RBAC for new resources you want to check.
# Contributing
We appreciate your contribution.
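Review bot: The `ClusterRole` sample in the `<details>` block stops at the role itself, with no `ClusterRoleBinding` or subject shown, so a reader still has to work out how to grant it to the identity Marvin runs as. Consider adding a binding to a dedicated service account next to the role, so the documented `get`/`list` set is what actually gets applied rather than a broader existing role. In the same block, `apiGroups: [ batch ]` is unquoted while the other two rules use `[ "" ]` and `[ "apps" ]`; writing it as `[ "batch" ]` keeps the sample consistent. The intro sentence also calls `get` and `list` "view" permission, which can be read as Kubernetes' built-in `view` role (that role also grants `watch`); "read-only (`get` and `list`)" would be less ambiguous.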