From 7da1d705a4258d9de81d3b7678cdeff0a42eaeed Mon Sep 17 00:00:00 2001
From: Remy Moll
Date: Sun, 7 Jan 2024 11:51:20 +0100
Subject: [PATCH] update authorization
---
 infrastructure/external-dns/deployment.yaml | 1 +
 .../external-dns/kustomization.yaml | 1 +
 infrastructure/external-dns/rbac.yaml | 32 +++++++++++++++++++
 3 files changed, 34 insertions(+)
 create mode 100644 infrastructure/external-dns/rbac.yaml
diff --git a/infrastructure/external-dns/deployment.yaml b/infrastructure/external-dns/deployment.yaml
index bc996fe..e25de88 100644
--- a/infrastructure/external-dns/deployment.yaml
+++ b/infrastructure/external-dns/deployment.yaml
@@ -13,6 +13,7 @@ spec:
 labels:
 app: external-dns
 spec:
+ serviceAccountName: external-dns
 containers:
 - name: external-dns
 image: external-dns
diff --git a/infrastructure/external-dns/kustomization.yaml b/infrastructure/external-dns/kustomization.yaml
index 7540a17..6684fd1 100644
--- a/infrastructure/external-dns/kustomization.yaml
+++ b/infrastructure/external-dns/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - namespace.yaml
 - cloudflare.sealedsecret.yaml
 - deployment.yaml
+ - rbac.yaml
 images:
 - name: external-dns
diff --git a/infrastructure/external-dns/rbac.yaml b/infrastructure/external-dns/rbac.yaml
new file mode 100644
index 0000000..a8ae114
--- /dev/null
+++ b/infrastructure/external-dns/rbac.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-dns
+rules:
+- apiGroups: [""]
+ resources: ["services","endpoints","pods"]
+ verbs: ["get","watch","list"]
+- apiGroups: ["extensions","networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: external-dns-viewer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-dns
+subjects:
+- kind: ServiceAccount
+ name: external-dns
+ namespace: external-dns
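Review bot: The ServiceAccount at the top of rbac.yaml carries no `namespace`, while the ClusterRoleBinding subject at the bottom is pinned to `namespace: external-dns`, so the binding only takes effect if kustomization.yaml (whose namespace setting is not visible in this patch) places the ServiceAccount there; adding `namespace: external-dns` under its `metadata:` makes the pairing explicit. The ClusterRole also grants cluster-wide read on `pods` and `nodes`, which external-dns presumably needs only for its pod, node or NodePort-service handling; if this deployment publishes records from plain services and ingresses only, those entries can be dropped to keep the grant at least privilege. The `extensions` group no longer serves Ingress on Kubernetes 1.22 and later, so `apiGroups: ["networking.k8s.io"]` is enough on a current cluster. A one-line comment above each rule naming the external-dns source that requires it would keep the grant auditable.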