Define restricted and cluster admin SAs

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

clusters/staging/tenants/flux.yaml

@@ -0,0 +1,37 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: staging
+  labels:
+    toolkit.fluxcd.io/tenant: admin-team
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: admin-team
+  name: flux-restricted
+  namespace: staging
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: admin-team
+  name: flux-cluster-admin
+  namespace: staging
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    toolkit.fluxcd.io/tenant: admin-team
+  name: flux-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: flux-cluster-admin
+    namespace: staging

clusters/staging/tenants/podinfo.yaml

@@ -20,5 +20,5 @@ roleRef:
   name: cluster-admin
 subjects:
   - kind: ServiceAccount
-    name: flux-apps
+    name: flux-restricted
     namespace: staging

clusters/staging/tenants/staging.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: staging
-  labels:
-    toolkit.fluxcd.io/tenant: dev-team
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    toolkit.fluxcd.io/tenant: dev-team
-  name: flux-apps
-  namespace: staging

hub/staging.yaml

@@ -53,4 +53,4 @@ spec:
               name: cluster-kubeconfig
         - op: add
           path: /spec/serviceAccountName
-          value: flux-apps
+          value: flux-restricted