# Following examples shares all clusters with label env=internal # with two tenants: eng/devops and hr/devops (each tenant admin # is represented by a ServiceAccount). # eng/devops has full control of namespaces ci-cd and build # hr/devops has full control of namespace human-resource # ConfigMap contains a Role which gives # full access to namespace ci-cd and build apiVersion: v1 kind: ConfigMap metadata: name: eng-shared-access namespace: default data: ci_cd_role.yaml: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: edit-role namespace: ci-cd rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] build_role.yaml: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: edit-role namespace: build rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] --- # RoleRequest gives admin 'eng/devops' access to namespaces # 'ci-cd' and 'cuild' in all clusters matching the label # selector env=internal apiVersion: lib.projectsveltos.io/v1alpha1 kind: RoleRequest metadata: name: eng-access spec: clusterSelector: env=internal serviceAccountName: devops serviceAccountNamespace: eng roleRefs: - name: eng-shared-access namespace: default kind: ConfigMap --- # ConfigMap contains a Role which gives # full access to namespace human-resource apiVersion: v1 kind: ConfigMap metadata: name: hr-shared-access namespace: default data: ci_cd_role.yaml: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: edit-role namespace: human-resource rules: - apiGroups: ["*"] resources: ["*"] verbs: ["*"] --- # RoleRequest gives admin 'hr/devops' access to namespace # 'human-resource' in all clusters matching the label # selector env=internal apiVersion: lib.projectsveltos.io/v1alpha1 kind: RoleRequest metadata: name: hr-access spec: clusterSelector: env=internal serviceAccountName: devops serviceAccountNamespace: hr roleRefs: - name: hr-shared-access namespace: default kind: ConfigMap