From a7aaa3e4a548b7e5f1484223bc1a261750acb999 Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Thu, 5 Feb 2026 12:15:47 +0200
Subject: [PATCH] Added RBAC
---
 k8s/apps/n8n/kustomization.yaml | 1 +
 k8s/apps/n8n/rbac.yaml | 71 +++++++++++++++++++++++++++++++++
 k8s/apps/n8n/values-n8n.yaml | 6 +++
 3 files changed, 78 insertions(+)
 create mode 100644 k8s/apps/n8n/rbac.yaml
diff --git a/k8s/apps/n8n/kustomization.yaml b/k8s/apps/n8n/kustomization.yaml
index f422621..2055662 100644
--- a/k8s/apps/n8n/kustomization.yaml
+++ b/k8s/apps/n8n/kustomization.yaml
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
 - external-secrets.yaml
 - storage.yaml
+ - rbac.yaml
 helmCharts:
 - name: n8n
diff --git a/k8s/apps/n8n/rbac.yaml b/k8s/apps/n8n/rbac.yaml
new file mode 100644
index 0000000..b773da5
--- /dev/null
+++ b/k8s/apps/n8n/rbac.yaml
@@ -0,0 +1,71 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: n8n-readonly
+rules:
+- apiGroups: [""]
+ resources:
+ - pods
+ - services
+ - endpoints
+ - persistentvolumeclaims
+ - persistentvolumes
+ - configmaps
+ - secrets
+ - nodes
+ - namespaces
+ - events
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["apps"]
+ resources:
+ - deployments
+ - replicasets
+ - statefulsets
+ - daemonsets
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["networking.k8s.io"]
+ resources:
+ - ingresses
+ - networkpolicies
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["extensions"]
+ resources:
+ - ingresses
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["autoscaling"]
+ resources:
+ - horizontalpodautoscalers
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["batch"]
+ resources:
+ - jobs
+ - cronjobs
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["metrics.k8s.io"]
+ resources:
+ - pods
+ - nodes
+ verbs: ["get", "list"]
+- apiGroups: ["storage.k8s.io"]
+ resources:
+ - storageclasses
+ verbs: ["get", "list", "watch"]
+- apiGroups: ["policy"]
+ resources:
+ - poddisruptionbudgets
+ verbs: ["get", "list", "watch"]
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: n8n-readonly
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: n8n-readonly
+subjects:
+- kind: ServiceAccount
+ name: n8n-readonly
+ namespace: n8n
\ No newline at end of file
diff --git a/k8s/apps/n8n/values-n8n.yaml b/k8s/apps/n8n/values-n8n.yaml
index 559381c..39b0706 100644
--- a/k8s/apps/n8n/values-n8n.yaml
+++ b/k8s/apps/n8n/values-n8n.yaml
@@ -54,6 +54,12 @@ redis:
 existingEncryptionKeySecret: credentials
+serviceAccount:
+ create: true
+ automount: true
+ annotations: {}
+ name: "n8n-readonly"
+
 externalPostgresql:
 existingSecret: credentials
 host: "psql.psql.svc"
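Review bot: In k8s/apps/n8n/rbac.yaml the first rule of ClusterRole `n8n-readonly` lists `secrets` with `get`, `list` and `watch`, and because it is attached with a ClusterRoleBinding the n8n ServiceAccount can read the data of every Secret in every namespace, other workloads' tokens, TLS keys and database credentials included. Read access to Secrets is not a low-privilege grant, and with the token mounted in the pod (values-n8n.yaml sets `automount: true`) it is held by whatever runs there. I would delete the `- secrets` line from this rule; if a workflow needs specific Secrets, give it a namespaced `Role` and `RoleBinding` with `get` restricted by `resourceNames` instead. `configmaps` cluster-wide deserves the same question, since ConfigMaps often carry connection strings. The `extensions` rule for `ingresses` is probably dead too, as that API group stopped serving Ingress in Kubernetes 1.22; confirm against the cluster version.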
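Review bot: In k8s/apps/n8n/values-n8n.yaml, `automount: true` places this ServiceAccount's API token in the n8n pod, and rbac.yaml binds that account to a cluster-wide role, so every process in the pod (presumably including workflow code) can call the Kubernetes API with those rights; that deserves at least a comment above the block, for example `# token is mounted on purpose: workflows query the cluster API via ClusterRole n8n-readonly (see rbac.yaml)`. The binding in rbac.yaml matches only on the literal name `n8n-readonly` and namespace `n8n`, so a rename here or a deployment into another namespace would silently leave the account without the role, and noting that coupling next to `name:` would help. Whether the chart applies this ServiceAccount to all of its pods or only the main one is not visible in the hunk and is worth checking, since each pod that receives the token widens the exposure.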