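# Tekton RBAC configuration for Bakery-IA CI/CD.
# Defines the ServiceAccounts, Roles/ClusterRoles and bindings used by the
# Tekton Triggers EventListener and by pipeline execution.
#
# Scoping notes:
#   - tekton-triggers-sa is only used by the EventListener, which lives in the
#     tekton-pipelines namespace (see the RoleBinding at the end of this file).
#     Its ClusterRole is therefore bound with a namespaced RoleBinding instead
#     of a ClusterRoleBinding, so secret/configmap reads and PipelineRun
#     creation are limited to this namespace.
#   - tekton-pipeline-sa keeps a ClusterRoleBinding because the Deployments it
#     patches for GitOps may live in other namespaces; see the note on that
#     binding for how to narrow it once those namespaces are known.
---
# ServiceAccount for the Tekton Triggers EventListener
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-triggers-sa
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: triggers
---
# ServiceAccount for Pipeline execution
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tekton-pipeline-sa
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: pipeline
---
# ClusterRole for Tekton Triggers to create PipelineRuns.
# Bound namespace-scoped below (RoleBinding in tekton-pipelines), so these
# rules are only effective inside that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-triggers-role
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: triggers
rules:
  # Create PipelineRuns/TaskRuns from triggers
  - apiGroups: ["tekton.dev"]
    resources: ["pipelineruns", "taskruns"]
    verbs: ["create", "get", "list", "watch"]
  # Read pipelines and tasks referenced by the runs
  - apiGroups: ["tekton.dev"]
    resources: ["pipelines", "tasks", "clustertasks"]
    verbs: ["get", "list", "watch"]
  # Manage PVCs for workspaces
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs: ["create", "get", "list", "watch", "delete"]
  # Read secrets for credentials.
  # "list" returns secret contents, not just names; this is why the binding
  # below is namespaced rather than cluster-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Read configmaps
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Emit events for logging
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
---
# RoleBinding (namespaced) granting tekton-triggers-role to the triggers SA.
# A RoleBinding may reference a ClusterRole; the grant then applies only in
# the binding's namespace.
# Migration note: if an earlier version of this file created a
# ClusterRoleBinding named tekton-triggers-binding, delete that object
# explicitly -- kubectl apply will not remove an object of a different kind,
# and the cluster-wide grant would otherwise remain in effect.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-binding
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: triggers
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-sa
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: tekton-triggers-role
  apiGroup: rbac.authorization.k8s.io
---
# ClusterRole for Pipeline execution (git operations and deployments)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tekton-pipeline-role
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: pipeline
rules:
  # Read/update Deployments for GitOps
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "patch", "update"]
  # Read secrets for credentials (see scoping note on the binding below)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
  # Read configmaps
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  # Read pods and pod logs for build operations (read-only: no create/delete)
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
# ClusterRoleBinding for Pipeline execution.
# NOTE(review): this is cluster-wide, so tekton-pipeline-sa can read secrets
# and patch Deployments in every namespace. Once the namespaces that the
# pipeline deploys into are known, replace this with one RoleBinding per
# target namespace (roleRef may still point at the ClusterRole above) and
# delete this ClusterRoleBinding. TODO confirm target namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tekton-pipeline-binding
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: pipeline
subjects:
  - kind: ServiceAccount
    name: tekton-pipeline-sa
    namespace: tekton-pipelines
roleRef:
  kind: ClusterRole
  name: tekton-pipeline-role
  apiGroup: rbac.authorization.k8s.io
---
# Role for the EventListener to read Triggers resources in its own namespace.
# NOTE(review): only namespaced "interceptors" are granted here. If any
# trigger uses a ClusterInterceptor or ClusterTriggerBinding, the EventListener
# additionally needs a cluster-scoped read grant on clusterinterceptors /
# clustertriggerbindings, which this file does not define -- confirm against
# the EventListener spec.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tekton-triggers-eventlistener-role
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: triggers
rules:
  - apiGroups: ["triggers.tekton.dev"]
    resources:
      - eventlisteners
      - triggerbindings
      - triggertemplates
      - triggers
      - interceptors
    verbs: ["get", "list", "watch"]
  # configmaps/secrets read is also granted by tekton-triggers-role above;
  # kept here so this Role is sufficient on its own for the EventListener.
  - apiGroups: [""]
    resources: ["configmaps", "secrets"]
    verbs: ["get", "list", "watch"]
---
# RoleBinding for the EventListener
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tekton-triggers-eventlistener-binding
  namespace: tekton-pipelines
  labels:
    app.kubernetes.io/name: bakery-ia-cicd
    app.kubernetes.io/component: triggers
subjects:
  - kind: ServiceAccount
    name: tekton-triggers-sa
    namespace: tekton-pipelines
roleRef:
  kind: Role
  name: tekton-triggers-eventlistener-role
  apiGroup: rbac.authorization.k8s.io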