Rbacs for plain k8s stack (#840)

* plain k8s stack

Signed-off-by: Srinivasan Parthasarathy <[email protected]>

* install for plain k8s

Signed-off-by: Srinivasan Parthasarathy <[email protected]>

Author: sriumcp

install/core/rbac/stacks/iter8-plain-k8s/kustomization.yaml

@@ -0,0 +1,3 @@
+resources:
+- rolebindings.yaml
+- roles.yaml

install/core/rbac/stacks/iter8-plain-k8s/rolebindings.yaml

@@ -0,0 +1,27 @@
+# This cluster role binding enables Iter8 handler to watch 
+# K8s services in the cluster in any namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: svc-for-plain-k8s
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: svc-for-plain-k8s
+subjects:
+- kind: ServiceAccount
+  name: handlers
+---
+# This cluster role binding enables Iter8 handler to watch
+# K8s deployments and deployment status in any namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: deploy-for-plain-k8s
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: deploy-for-plain-k8s
+subjects:
+- kind: ServiceAccount
+  name: handlers

install/core/rbac/stacks/iter8-plain-k8s/roles.yaml

@@ -0,0 +1,39 @@
+# This cluster role enables getting and watching K8s services
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: svc-for-plain-k8s
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
+---
+# This cluster role enables watching K8s deployments and their statuses
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: deploy-for-plain-k8s
+rules:
+- apiGroups:
+  - "extensions"
+  - "apps"
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - "extensions"
+  - "apps"
+  resources:
+  - deployments/status
+  verbs:
+  - get
+  - list
+  - watch

install/core/rbac/stacks/kustomization.yaml

@@ -16,3 +16,4 @@ resources:
 - iter8-istio
 - iter8-kfserving
 - iter8-seldon
+- iter8-plain-k8s

mkdocs/docs/getting-started/install.md

@@ -24,7 +24,8 @@ kubectl wait --for=condition=Ready pods --all -n iter8-system
 To select the version of Iter8 during installation, select any Iter8 version (>= v0.6.0) from  [Iter8's release history](https://github.com/iter8-tools/iter8/releases) and use it as the `TAG` above.
 
 ## RBAC rules
-As part of Iter8 installation, the following RBAC rules are also installed in your cluster.
+As part of Iter8 installation, the following RBAC rules are also installed in your cluster. You can Kustomize Iter8 installation in order to install Iter8 only for the K8s environments of your choice, and eliminate RBAC rules not needed in your environment.
+
 ??? info "Default RBAC Rules"
     | Resource | Permissions | Scope |
     | ----- | ---- | ----------- |
@@ -39,3 +40,5 @@ As part of Iter8 installation, the following RBAC rules are also installed in yo
     | virtualservices.networking.istio.io | get, list, patch, update, create, delete | Cluster-wide |
     | destinationrules.networking.istio.io | get, list, patch, update, create, delete | Cluster-wide |
     | seldondeployments.machinelearning.seldon.io | get, list, patch, update | Cluster-wide |
+    | services | get, list, watch | Cluster-wide |
+    | deployments | get, list, watch | Cluster-wide |