home-server/talos/runbooks/rbac.md


Runbook: Kubernetes RBAC (noble)

Headlamp (clusters/noble/apps/headlamp/values.yaml): the chart's ClusterRoleBinding uses the built-in edit ClusterRole, not cluster-admin. Break-glass changes use kubectl with an admin kubeconfig.

Argo CD (clusters/noble/bootstrap/argocd/values.yaml): policy.default: role:readonly — new OIDC/Git users get read-only unless you add g, <user-or-group>, role:admin (or another role) in configs.rbac.policy.csv. Local user admin stays role:admin via g, admin, role:admin.

Audits

kubectl get clusterrolebindings -o custom-columns='NAME:.metadata.name,ROLE:.roleRef.name,SA:.subjects[?(@.kind=="ServiceAccount")].name,NS:.subjects[?(@.kind=="ServiceAccount")].namespace' | grep -E 'NAME|cluster-admin|headlamp|argocd'
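An added example, not part of this runbook or the noble repo: a Python check that applies the two expectations above (no unlisted cluster-admin bindings, Headlamp kept at `edit`, Argo CD default read-only) to a constructed `kubectl get clusterrolebindings -o json` document and a constructed Argo CD policy.csv. The binding names, namespaces and allowlist are assumptions.

```python
import json

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`
# (not captured from the noble cluster).
SAMPLE_CRBS = json.dumps({"items": [
    {"metadata": {"name": "cluster-admin"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "headlamp-admin"}, "roleRef": {"name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "headlamp", "namespace": "headlamp"}]},
    {"metadata": {"name": "oops-admin"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "debug", "namespace": "default"}]},
]})
# Same shape, but Headlamp drifted to cluster-admin (constructed drift case).
SAMPLE_CRBS_DRIFT = json.dumps({"items": [
    {"metadata": {"name": "headlamp-admin"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "headlamp", "namespace": "headlamp"}]},
]})
# Constructed Argo CD configs.rbac.policy.csv content.
ARGOCD_POLICY = "g, admin, role:admin\np, role:readonly, applications, get, */*, allow\ng, alice, role:readonly"

# Bindings allowed to reference cluster-admin (assumed allowlist); anything else is a finding.
ALLOWED_CLUSTER_ADMIN = {"cluster-admin"}
# (namespace, serviceaccount) -> ClusterRole the runbook expects it to keep.
EXPECTED_ROLE = {("headlamp", "headlamp"): "edit"}

def audit_crbs(crb_json, allowed=ALLOWED_CLUSTER_ADMIN, expected=EXPECTED_ROLE):
    """Return findings: unlisted cluster-admin bindings and service accounts
    whose bound ClusterRole differs from the runbook's expectation."""
    findings = []
    for item in json.loads(crb_json)["items"]:
        name, role = item["metadata"]["name"], item["roleRef"]["name"]
        if role == "cluster-admin" and name not in allowed:
            findings.append(f"{name}: unexpected cluster-admin binding")
        for s in item.get("subjects") or []:
            key = (s.get("namespace"), s.get("name"))
            if s.get("kind") == "ServiceAccount" and key in expected and expected[key] != role:
                findings.append(f"{name}: {s['name']} bound to {role}, expected {expected[key]}")
    return findings

def argocd_admins(policy_csv, default_role):
    """Return the subjects granted role:admin by `g, <subject>, role:admin` lines,
    plus whether policy.default is role:readonly as the runbook requires."""
    admins = [p[1] for p in ([x.strip() for x in line.split(",")] for line in policy_csv.splitlines())
              if len(p) == 3 and p[0] == "g" and p[2] == "role:admin"]
    return admins, default_role == "role:readonly"
```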

References: Headlamp chart RBAC, Argo CD RBAC.