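# Apache Guacamole - Remote Desktop Gateway
# MySQL 8 + guacd + guacamole web
# ArgoCD managed - BlueJay Lab
# ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
#
# Security notes (details sit next to each resource):
#   - The guacd pod carries a kubectl-proxy sidecar backed by a ServiceAccount
#     with cluster-wide pods/exec. guacd's own listener has no authentication,
#     so network reachability of guacd:4822 is the effective gate in front of
#     those rights. A NetworkPolicy, a filtered proxy and RBAC scoping notes
#     are provided below.
#   - Pods that never call the Kubernetes API do not mount a ServiceAccount token.
#   - Images use floating tags; pin them (tag + digest) before relying on this.
---
apiVersion: v1
kind: Namespace
metadata:
  name: guacamole
  labels:
    app.kubernetes.io/part-of: bluejay-infra
---
# MySQL 8 StatefulSet
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: guac-mysql
  namespace: guacamole
  labels:
    app: guac-mysql
spec:
  serviceName: guac-mysql
  replicas: 1
  selector:
    matchLabels:
      app: guac-mysql
  template:
    metadata:
      labels:
        app: guac-mysql
    spec:
      # The database never talks to the Kubernetes API; do not hand it a token.
      automountServiceAccountToken: false
      containers:
        - name: mysql
          # NOTE(review): "8.0" floats across patch releases; pin as
          # mysql:<PINNED_TAG>@sha256:<DIGEST> so ArgoCD syncs are reproducible.
          image: mysql:8.0
          ports:
            - containerPort: 3306
              name: mysql
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Root-Password
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Name
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-User
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Password
          volumeMounts:
            - name: guac-mysql-data
              mountPath: /var/lib/mysql
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          livenessProbe:
            exec:
              command:
                - mysqladmin
                - ping
                - -h
                - localhost
            initialDelaySeconds: 60
            periodSeconds: 10
          readinessProbe:
            exec:
              command:
                - mysqladmin
                - ping
                - -h
                - localhost
            initialDelaySeconds: 30
            periodSeconds: 5
  volumeClaimTemplates:
    - metadata:
        name: guac-mysql-data
      spec:
        accessModes: [ReadWriteOnce]
        resources:
          requests:
            storage: 5Gi
---
# Headless Service for the StatefulSet. Nothing in this file restricts which
# pods may reach 3306; consider a NetworkPolicy limiting it to the guacamole
# web pods and the initdb Job.
apiVersion: v1
kind: Service
metadata:
  name: guac-mysql
  namespace: guacamole
spec:
  selector:
    app: guac-mysql
  ports:
    - port: 3306
      targetPort: 3306
      name: mysql
  clusterIP: None
---
# DB schema init Job
# Generates the MySQL schema and pipes it into the database
#
# The schema is generated in the guacamole image and applied from the mysql
# image through a shared emptyDir, so the import does not depend on the
# guacamole image shipping a mysql client. The import is skipped when the
# schema already exists and fails loudly otherwise; the previous "|| true"
# reported success for every failure (bad credentials, missing client,
# partial import).
apiVersion: batch/v1
kind: Job
metadata:
  name: guacamole-initdb
  namespace: guacamole
  annotations:
    argocd.argoproj.io/hook: PostSync
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
spec:
  ttlSecondsAfterFinished: 300
  template:
    spec:
      restartPolicy: OnFailure
      # The Job only talks to MySQL; it needs no Kubernetes API credentials.
      automountServiceAccountToken: false
      initContainers:
        - name: wait-for-mysql
          image: mysql:8.0
          command:
            - sh
            - -c
            - |
              until mysqladmin ping -h guac-mysql --silent; do
                echo "Waiting for MySQL..."
                sleep 5
              done
        - name: generate-schema
          # Must be the same image version as the guacamole Deployment so the
          # generated schema matches the running web application.
          image: guacamole/guacamole:latest
          command:
            - sh
            - -c
            - |
              set -eu
              # Generate schema SQL
              /opt/guacamole/bin/initdb.sh --mysql > /schema/initdb.sql
          volumeMounts:
            - name: schema
              mountPath: /schema
      containers:
        - name: initdb
          image: mysql:8.0
          command:
            - sh
            - -c
            - |
              set -eu
              # Hand the password to the client through the environment so it
              # is not part of the process argument list. MYSQL_PWD is
              # deprecated upstream; an option file is the longer-term fix.
              export MYSQL_PWD="$MYSQL_ROOT_PASSWORD"
              present="$(mysql -h guac-mysql -u root -N -B "$MYSQL_DATABASE" \
                -e "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = DATABASE() AND table_name = 'guacamole_user'")"
              if [ "$present" != "0" ]; then
                echo "Guacamole schema already present, skipping import"
                exit 0
              fi
              # Apply schema; any error now fails the Job and shows up in ArgoCD
              mysql -h guac-mysql -u root "$MYSQL_DATABASE" < /schema/initdb.sql
          env:
            # NOTE(review): the import only creates tables inside DB-Name; the
            # application account (DB-User) may be sufficient, which would keep
            # the root password out of this Job. Confirm its grants first.
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Root-Password
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Name
          volumeMounts:
            - name: schema
              mountPath: /schema
      volumes:
        - name: schema
          emptyDir: {}
---
# guacd (Guacamole daemon)
#
# This pod is the most sensitive one in the file: guacd parses remote-desktop
# protocol traffic, and it shares its loopback interface with a kubectl-proxy
# sidecar that forwards requests to the API server as the guacd-exec
# ServiceAccount. Anything able to drive guacd can therefore use that
# account's rights.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guacd
  namespace: guacamole
  labels:
    app: guacd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guacd
  template:
    metadata:
      labels:
        app: guacd
    spec:
      serviceAccountName: guacd-exec
      containers:
        - name: guacd
          # NOTE(review): pin as guacamole/guacd:<PINNED_TAG>@sha256:<DIGEST>;
          # ":latest" lets an upstream push change what runs next to the
          # exec-capable ServiceAccount.
          image: guacamole/guacd:latest
          ports:
            - containerPort: 4822
              name: guacd
          env:
            # NOTE(review): debug is very verbose; confirm the logs do not
            # capture connection details you treat as sensitive, and drop to
            # info once the lab is stable.
            - name: LOG_LEVEL
              value: debug
          # Assumes the image runs as a non-root user and needs no Linux
          # capabilities (4822 is an unprivileged port) - verify after pinning.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 512Mi
              cpu: 500m
          livenessProbe:
            tcpSocket:
              port: 4822
            initialDelaySeconds: 15
            periodSeconds: 10
        - name: kubectl-proxy
          # NOTE(review): pin as bitnami/kubectl:<PINNED_TAG>@sha256:<DIGEST>.
          image: bitnami/kubectl:latest
          # The request filter stays enabled (the previous configuration used
          # --disable-filter=true with accept-everything patterns). The proxy
          # now only answers loopback Host headers and only forwards the core
          # API paths the ClusterRole below actually grants. --reject-paths is
          # overridden because kubectl's default rejects pods/exec and
          # pods/attach, which this sidecar exists to serve.
          # Assumes guacd connections target localhost or 127.0.0.1 on 8001 -
          # confirm against the configured Guacamole connections.
          args:
            - proxy
            - "--port=8001"
            - "--address=127.0.0.1"
            - '--accept-hosts=^localhost$,^127\.0\.0\.1$,^\[::1\]$'
            - '--accept-paths=^/api/v1/namespaces(/.*)?$,^/api/v1/pods$'
            - '--reject-paths=^$'
            - "--v=2"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 32Mi
              cpu: 10m
            limits:
              memory: 64Mi
              cpu: 50m
---
apiVersion: v1
kind: Service
metadata:
  name: guacd
  namespace: guacamole
spec:
  selector:
    app: guacd
  ports:
    - port: 4822
      targetPort: 4822
      name: guacd
---
# Only the Guacamole web application may open connections to guacd.
# guacd does not authenticate its clients, so without this policy every pod
# in the cluster that can reach the Service can ask guacd to open connections
# on its behalf, including to the kubectl-proxy sidecar on loopback.
# NOTE(review): this is only enforced if the cluster's CNI implements
# NetworkPolicy - verify.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: guacd-ingress
  namespace: guacamole
spec:
  podSelector:
    matchLabels:
      app: guacd
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: guacamole
      ports:
        - protocol: TCP
          port: 4822
---
# Guacamole Web Application
apiVersion: apps/v1
kind: Deployment
metadata:
  name: guacamole
  namespace: guacamole
  labels:
    app: guacamole
spec:
  replicas: 1
  selector:
    matchLabels:
      app: guacamole
  template:
    metadata:
      labels:
        app: guacamole
    spec:
      # The web application talks to guacd and MySQL only, not the API server.
      automountServiceAccountToken: false
      containers:
        - name: guacamole
          # NOTE(review): pin as guacamole/guacamole:<PINNED_TAG>@sha256:<DIGEST>
          # and keep it identical to the image used by the initdb Job.
          image: guacamole/guacamole:latest
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: GUACD_HOSTNAME
              value: guacd
            - name: GUACD_PORT
              value: "4822"
            - name: MYSQL_HOSTNAME
              value: guac-mysql
            - name: MYSQL_PORT
              value: "3306"
            - name: MYSQL_DATABASE
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Name
            - name: MYSQL_USER
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-User
            - name: MYSQL_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: guacamole-credentials
                  key: DB-Password
          # Assumes the image runs as a non-root user and needs no Linux
          # capabilities (8080 is an unprivileged port) - verify after pinning.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              memory: 256Mi
              cpu: 100m
            limits:
              memory: 1Gi
              cpu: 500m
          livenessProbe:
            httpGet:
              path: /guacamole/
              port: 8080
            initialDelaySeconds: 120
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /guacamole/
              port: 8080
            initialDelaySeconds: 60
            periodSeconds: 5
          volumeMounts:
            - name: guac-properties
              mountPath: /etc/guacamole/guacamole.properties
              subPath: guacamole.properties
            - name: bluejay-branding
              mountPath: /etc/guacamole/extensions/bluejay-branding-1.0.0.jar
              subPath: bluejay-branding-1.0.0.jar
      volumes:
        - name: guac-properties
          configMap:
            name: guacamole-properties
        - name: bluejay-branding
          configMap:
            name: guacamole-branding
---
apiVersion: v1
kind: Service
metadata:
  name: guacamole
  namespace: guacamole
spec:
  selector:
    app: guacamole
  ports:
    - port: 8080
      targetPort: 8080
      name: http
---
# Traefik addPrefix middleware
# External URL guac.iamworkin.lan/ gets prefix /guacamole added
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: guac-add-prefix
  namespace: guacamole
spec:
  addPrefix:
    prefix: /guacamole
---
# TLS Certificate via cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: guacamole-tls
  namespace: guacamole
spec:
  secretName: guacamole-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - guac.iamworkin.lan
---
# Traefik IngressRoute
# Only the TLS entry point (websecure) is routed; there is no plain-HTTP route.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: guacamole
  namespace: guacamole
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`guac.iamworkin.lan`)
      kind: Rule
      middlewares:
        - name: guac-add-prefix
      services:
        - name: guacamole
          port: 8080
  tls:
    secretName: guacamole-tls
---
# 1Password secret sync — creates guacamole-credentials K8s Secret
# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
# NOTE(review): per the field list the synced Secret also carries username,
# password and URL, which no workload in this file references. If those are
# the web login, consider a separate 1Password item so the in-cluster Secret
# holds only what the pods consume.
apiVersion: onepassword.com/v1
kind: OnePasswordItem
metadata:
  name: guacamole-credentials
  namespace: guacamole
spec:
  itemPath: vaults/IAmWorkin/items/Guacamole
---
# Blue Jay Branding Extension (CSS + translations)
# The value is a base64-encoded zip archive mounted into the web application's
# extensions directory. Its directory lists four entries: guac-manifest.json,
# bluejay-theme.css, translations/ and translations/en.json. A blob like this
# cannot be reviewed in a diff: keep the extension sources in the repository,
# build the jar in CI, and record its checksum so a changed blob is noticed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: guacamole-branding
  namespace: guacamole
binaryData:
  bluejay-branding-1.0.0.jar: UEsDBBQAAAAIAPt6g1xRD4M2ewAAAMkAAAASAAAAZ3VhYy1tYW5pZmVzdC5qc29uq+ZSAAKl9NLE5MTc/JzUsNSi4sz8PCUrBSUtJR2IZF5ibipIwCmnNFXBK7FSwakoMS8lMy8dWUFxQWIyWFUSUFVWYiVMLrm4GCgaDeaABaDyuiUZqbmpeiBpsFwsVH0J0OzinMQSoCPQNCLL6Kfm6WUVA90J0ctVywUAUEsDBBQAAAAIABB8g1xT+vHpEBIAADhtAAARAAAAYmx1ZWpheS10aGVtZS5jc3PNPWtz4ji23/tX6PbUVCWz2IEQMmluza0iBNLcIZACMrNdW/tB2AJcMbbXFulOd03V/RH7C/eX3CPJTyy/iN0z3dMTsKQj6bx0XnIufnqHfkK35oGg/8Wv6A67z2i1I3uCNraLBg7WdgTdH7CG97ZJUEe9VttsxNi0PxN3aLsELcjepgQNNI14Hrp1saUb1hY6sX5D2wQ4j9gklJI+e4LQLdaet659sPQ+fEM/tAed68sb0bY8uBusEd7A2jqdzl23m2hDA5P2eRuMuvrZh2m7OnGDYdA26g56Y9HGVmbRqO3y9mYwTrShj/YLH/3D1d2gG7Td26YejoK28fi2226LthX5QuNto5vR3bgXtaGHAyX+/m5uPny49cd9JJhhx+uHMNkffz6XECsC+kP37vbmeiDaFiS+FDbfVe/Kn28OKN+SaH/j8c2Qr/Pi3buLn9Avdf1hs91P57eDKbpAt/O7T+xBbdD5cte2/oq+vWPbWMe4xGcR9F/G3rFdii3637yPxrirH2A/1byxLaps8N4wX/tIwY5jEsV79SjZt4DlDev5AWtL/n0MPVvo/ZJsbYKeJu9baGGvbWq33qHjP+8/EvOFUEPDaEYOBLoOXAObLeRhy1M84hqbxEL+qJ8I0/n9ZIaWw8VoNKufBrDa8cE0FQdvCTLtrWHFaMF66MaLyp8rB6MCsaI+irEH2P0Qty7IBDaVLfsJ0nhGTNNwPIIwRZftH1Gv/WMLuds1Prvqtjrdm9Zlr9dqq+2bc8RaKLC/52CXyfF1+8fzVhm4NwD3MoTLAHZ+/tBqM7C9NFhYwbmEqFOOHDaHvUUadjl2ItT4n/x2CaKEcksjytdlHecL8mzT0AN1ltFTYfs7gEq5gQHpLl8Ub4d1+3MftXmP7iX8j2+73UL+f2rvPM3qbf63E/QG5COGfcSwBUM656nJHKwz7dZHl2SfiS9Aho0ArzgPWyrvJXAGI38lxEE62eCDSWPHEe+0PlAE8yLvsKbwjBpAMIDMFYBhUobJtWtsd9SC8+msrX44B1GlBxdTAt9u0rvYY5etBOSf2nsgQ85e/NXuhFbP29Cu08reLBtPXOjj7zjQa+J0kOu1z4TtqQ8s30514KetqwD7apwcwNV5FCGuC4f0HtDDRD6xCcf/KLp8O9K67AzKkfO+L13dyxa6/iD+SfkmzfGygd2sgaEAXEkEIORJYHLAwTE1WRfd8BwTwxlh2RbhqAkRoIqNy9AQjlqbtvaciVywo/bAiMTUPcCcRbFhAallnOJ3+hZnQmo7+Rxo4jUxiR7MkANX9buK78lpyvC6GCZY1QMLgIOrMqPKfyg+syd5SdhIck73jK+Eke+mJ6FdQhZ6ElmgYI0pXJkzSvTRwXGIq2E4BkpIjWzGI5QBX+Ygjc2OwCIGNvS8z8CtyLCcA62CNj5Aojz83rz5H/TVIb+8Z7O9/2e5vsGC3v+zPoPr5JOrQHCvAcNA/yzyCwaRSbZ9oGDnESHZadZgXGFQwwar218Q3yDMdekhAjzSip2f0dMUoM+GTnewgjZYFdID2PjKd+JPAo+OGaYKL/Q3tnbwqnBElRERX4hRAXfE8NMPfKgCa4P97WaZD5cyi+oxkJIXwzPWhmnQV0Tt7dYkuQLDJDtQMsH6g+9iuBLKXym9E5eFuCFYlmoVFtTfMd/zaFkS9AoEjfYOoERAgtNHIztwUmG4R1/NLAtEykoq4ZA45eUklkhuXLOBubU3KLO+qG3lmnKiS5LLxGiprjoe5s8gUVIZTFhgPUmUVCY3V1JS7LA4NrNK6KhCa047uB7bkGODaQu0zlVjkadWVYkdH5QplSlj+DI0FhxemtIJgUjQWwRnssgUkD2zV1w1MVp2LrN0Uzelm07bONao8ULK71z0l7qKg+vxcFi0dUmvBsIPfgzo9mm1ms+W9Qcg5HpCoKj1Dqt/aYXwXaRZZqocUz1PEuOCFmG0AcHLWkcgGAm+j63krYIgQrUSQbhjoVIXBXIH7CY+qjpviJbgP5AtIcvvTS5B0guWkAB+TIDEY9nM4/H17fVt8eZTvVIzH2M8+Vw297Ddhb/Fc7PYc9Ma6ONocDdagA86G/w2uR+sJvMZuh0s6ldFasJZjeODuRXYjWKLnW5PJ9sWeE4jMJyuW4xTu4PrQStQJpnBi8CRvIzUj4R900cY638jCeVdpWfKUYB/RJvkIarg82X0WaUGC6y9PTQVmwuXA8dtEp1otouFRpQaJQFMqSmdqQpq4xTGdk9L4MeH0ewJnVHbUXi8Eemu7QCxrPMGGPPgAevsiXUoRuQfie4q+78SLM3/WpLCJSCxEBfIg/c94t2y8zcd7768ksa7T96YaaS4NyMcchTBkBn/mad9pyc/1istM/skEbnTTEWR6X8uHaIZG0NDfAUGhS0Zmn+SVlraP3Yu2fzy/oeLMP6Ug8yq+w6Be4RSlm69YKM97m6+DQ40W0Rj9KoDmkc8ryZQDjwgLrE04pXEqPDkbXD/WSq0MgF5hiaMHRTlBITgimh2rphXJbW/jExOL5mByLedAFVPsCbkuPbGAEXpCRYAp0/IQRXcqQGQbzIjoFgHxpTKjUSpVMFfuBR1wxK+Ft7XdcpXX4HtbrFlfOXHfAVhkAPApuLaqQPtpBxDE9br/GGEHgf3o0Zy9w8YuNLHD0+zekHO3iWs1kWJqbAWf66ZhrO2savfGS/iSaBVxDcMvBEblMgcyUNahYpnwZeC4lCDHGqQGZav2J+c24XYNLawANblyI/OmITn6HPQgTg2ou5/Usq+wKo4NWuRTvCHwb4ce6MUppLa94RMAQ/HXWdWGvTSCjsWqOQfTUzJpzMFnCJZXmEYEZUfdjwt95//+zfaHzyKKLAyocgiHiU68hwAh6htM0bB6s7ek9jWW+lHCuMOR9LAQalMrWaOincRIXl1jU0Mxzj4M1kTleyYgJ1qVDXs8EUW98Asgml4VOH2XtA/elLSHC7lzKX2EgVJpA0lcJwJId58AiGqZW5YmeQLQW5KKfnhzLO/n3M7QiJscZ0E7QyO4sMRk9ssZU1fmSTlaQu/W553kT+7v+OCNahqNahp473SphJ4DcF2mj6Wh/PZbDTksaTpZLlCF+h+MX96FF/OqEsIejHI5wac+aSCEsLny55wrI5P4LSs/k8kreVPrVLZ/NNM0540Y89YocpeKvmvfoL0C8ixDn6aaWJW68e8U6Hp8TNBmkmwa76K9DIYiNCms5Ln9bY6nlUO+ltWoVk3XmaWPr9i4pLaxik4qmk1KSk7AScq4TSoHzXc7DQsxS+3uJTFf1j7zvdMpB1iZah+TpbZYJ1jQ+wtZEgiIFeDxeSeHaUsj4jojiB2uBaxZLm4SQ6AE8Qrvl7Nz/vnLZHjI2FcJDi1wEgMeGd3gLPBppxfdLI9jzNTRxLLY6ENhkAcP2EzVCk3Y4IepbwLiapr+GiazVeT8WTIEx0NJFxVy6YsqIebOD9OcIqu31LHnBKA+ObUeAFnccIujYhBe9xOB6wS+BPpEmWN05mI06p5K53D6eXE7lQUqIqjcQmZqBTBA/6fxWE5rr112e0ghhQmhcmZwmYJ62VdJkhyTFfCMUy3bUzGLztD14lVsN1wEWpEubyE34e2yPcJ1dUK0t/5/BefhvughREqCTa5x+5gF3wVykpxJQiNGtMbyatnywSjJoqTK/GRBErFSuBcmNL611K9yR4bZvnu1mG/Jm75/lEhZd4ItmQe8irP+9+rCLci2sMi0yrIrzYoIEG1UccVrWXI8V1rX7m2yqxUbq6CazxfPKDRdPQwmq0aruMKJFMqf3Ipy5KlREERqGRtx54GhGu984gJxt1fUJ6kLvLP+QWjhrUjrkErsMtx0Kd6tVhSnHOENk808wVQRsOgLSmCAT3/jGL0WH01P6yBqUUBfj9Weh1bcPzx0anW611f36RNu3zfcEe0Z9gE8dBZdOft4MF3Vu5NdKSFPc7DxflYDZrCZDDW/BBcUYZfiE+QcOPmRYZI+fc45TyIHQcIywKofYQP1D6eyodp1xi0akBTLker1WR2v0QXaHD3MJnxvF0TLliQcitnYYW9KV6bhBmVDnGpAZxBdxWynln3pgqmOL5EUbRIVfjhyhs8ihgwatum3ETPz85VcKDSk6kiFJG8L/EXOlsE649jdw3ZFY1gG8xD4F6DoKXfoxZWOY6XmGSTdiskc5fjobrFeTW4nY6W6GxLLOJis4FYPt9lqb2JnmWJkF0sKudhH7qeFLa0CPDjsNtuoR6chh968hiKDyyoTI6glooZ1oZgnqWZTsBaRb9NRr+jM1e8ekQn3jOoEeSXUzVAVRZDYXUSUborKfz8T4rtxQCFZY3Kj2IHv5iIl7/4PjKTYH9+VZTFvLkyuVKZ8ElqVLrg3WWF0t+C60gRrnTD86O6UTVbMP1xLVGyfiw2srCULb6pslAbr0y7g5MZOYS/dYcHvUz8is54UZRAH3HPE/hgpp0SDFD9a+xZCyy+GlX7200ms18bsLCOixQynIbiIoVjByvwrLJy6vKydPllGdxnmUlWhZLs/fPtYHAnI35tOBLGrkh/s+sVzOitnwi7TotdLUA74KrdFfwDntpdlyo8b8AUAEMgNJH4227gnEMWfjG2nPZNlO2zaRSYhgWh4Ad/yY6SqcprM2jDaXktz/HEx6KRYYIcl7OrssuueZKRuromFZlcaycveB3bZHjlNLVVqTCWKYAo8Jzjs6vhvc/U9FFTvL92cNmOpAP8tnLaq/SKU3a9pIq3bol7HMxGU+ZJD+ezFTPiBovRoBlf2i/VAyRbxBTpZ5pGYqbfKtxVQYIAijxbUZOpVDeq5zNFvB4M/Tr6dDsfLO4aQLPtPVfXWdzdL/ReOGz1mbzyumQFPpxwiaVun/s4yShdZ05NRcmdRioiDTz7euZbrj4XBwVr4xzfhXvkPCk0Qv2ceVzU/j0KuWU1C/l6JrXKv3YqsH5jc7mM1VoOwPT8bRQrwgTjDOt7oxErzA8UKLzKKvjWCJcUHjWShVQty8rYjupRTMOUSeGVnVwgakLxBJsSLyitCEkzbS/l32QWPtRG+KMK3wtxY3d0N1nNF40F9ffYYrYc9y1KmR7xAdkRniwjuNiJSk7ghUVwgckjvwcsvYxee9kSy7gRd28IdolSWzx2kVi3E3bzsxMnIDcNo0wktolc/NNgKG6OX6Dl5G50O1igsyF1zb8NTPq35c7YiEhgE3owdn+8ggnn+tW1b1V+seBZ1nt/JQtpgATjyXSEVovBbDkeNfESCRaLU4JY3J9xzCQXwL+Wu+wpGVyxWC8PwqmVduLcaTwQ+REsk/niE8jlYjScL1hIDD1OB58a4ZEdHJa2+5qoMXdZGLJEoixX25ZK8ORMf0KReG2o4XbicDGfTkErgkH4O1k/G/SCv7u7AX3Y78OBxmZQPM21zViWOXzBo8TKD24bpBr/kEJkgqBJHWe59EhB7A77dUkfU2Ld96T11ULXxLR6xfVkM4rcrZQBAoaz5DDki2E5b8MlGxsWHZIMSPmTDyKC7FOQ7gwrtff4/Il3H2bPWhvjCVdoGkTeJ/cfp/Bv1QRzi4obuadTJtdTfFYASff2V6X5iWq3AObDpyWaP62mkxmrD8D8l1n4byBtQtPwajYluIb2LVnTF5PBjLCO31WxNxuP+LZY00y6GqwAR5PZHbuIMl804C9F94vYNWx23Yfb/gkXtBV+14Ku4SPFsHRW1Gu7VfxVdmmQ3wpJzcgvi0QTbjDYMdLZSr4dXUz2O3YtlnlNTfdZNMgm8Jv+lFdbTR4e5wsWohn9nX9oylkWu1DIF/ajnEeXHCIS219Zvra6jc0kSMfejtTy6oaMDFqpVzdI3vlYeuNh3iurQ1IwStbRFqnvtuT9DN+5rms+n64mj8Ckj/PH+W+NWOisFJAa7PULju2c+F6t71Finvei2+zXBDZAlIfJcjiaTgez0fypmdPio+0aX9nvVDCRezBFqGiXcb0vM+g05hWJRLyTf+N/qQIjHGOSLbGO/bVMA2Zo6wQYlr24y3b3mLJDLygz16CtxZpOyAXkvqy1nrQXqzoyPBY10xHYente9xRWx+t+U/h61+iBX8sfPQhr54NHRW+T4Dv1X6Fr2azslP0mMl2yQvbru/yqd/7LzMIO8d9cET5ssZdU/OsAzkSagJJT9v8BUEsDBBQAAAAAAAAAIQAAAAAAAAAAAAAAAAANAAAAdHJhbnNsYXRpb25zL1BLAwQUAAAACAAUeYNc092dIJIAAADQAAAAFAAAAHRyYW5zbGF0aW9ucy9lbi5qc29uVY5BCoMwEEX3nmLIuifobqqxprSJJNptKDIUQRNQ21LEuzemFOrs5jH/zZ8TCMOwLNke5rhEIPHCA2GH7kFwur1BU+8nAmwaGkcWD5fdN3xWRyG38UxgoLbgmHG9ekx7dyAcTB7yzr9oSP1AW02h4ss/i5C5sphW4sptbbi2qaplteqwmdongQldWu9+fZIl+QBQSwECFAAUAAAACAD7eoNcUQ+DNnsAAADJAAAAEgAAAAAAAAAAAAAAtoEAAAAAZ3VhYy1tYW5pZmVzdC5qc29uUEsBAhQAFAAAAAgAEHyDXFP68ekQEgAAOG0AABEAAAAAAAAAAAAAALaBqwAAAGJsdWVqYXktdGhlbWUuY3NzUEsBAhQAFAAAAAAAAAAhAAAAAAAAAAAAAAAAAA0AAAAAAAAAAAAQAP9B6hIAAHRyYW5zbGF0aW9ucy9QSwECFAAUAAAACAAUeYNc092dIJIAAADQAAAAFAAAAAAAAAAAAAAAtoEVEwAAdHJhbnNsYXRpb25zL2VuLmpzb25QSwUGAAAAAAQABAD8AAAA2RMAAAAA
---
# Guacamole custom properties
# NOTE(review): this file configures the ban and TOTP extensions, but nothing
# in this manifest installs or enables them (the only jar mounted is the
# branding extension). Confirm from the web application's startup log that
# both are loaded and that this properties file is the one being read;
# otherwise brute-force banning and second-factor login are not in effect.
# NOTE(review): the ban extension documents ban-address-duration in seconds;
# 300000 would be roughly 3.5 days rather than 5 minutes - confirm the unit.
# NOTE(review): behind Traefik the web application may see every client as the
# proxy's address unless forwarded client addresses are trusted, in which case
# five failed logins would ban all users at once. Verify what address the ban
# extension logs.
apiVersion: v1
kind: ConfigMap
metadata:
  name: guacamole-properties
  namespace: guacamole
data:
  guacamole.properties: |
    # Blue Jay Remote Access — Guacamole Configuration
    # MySQL/guacd settings provided via env vars — do NOT duplicate here

    # Extension Priority
    extension-priority: mysql, ban, bluejay, *

    # Ban (brute force)
    ban-max-invalid-attempts: 5
    ban-address-duration: 300000
    ban-max-addresses: 1000

    # TOTP
    totp-issuer: Blue Jay Remote Access
    totp-digits: 6
    totp-period: 30
    totp-mode: sha256

    # Session
    api-session-timeout: 60
---
# guacd ServiceAccount for K8s exec
apiVersion: v1
kind: ServiceAccount
metadata:
  name: guacd-exec
  namespace: guacamole
---
# NOTE(review): pods/exec and pods/attach granted through a ClusterRole and
# ClusterRoleBinding apply to every namespace, including system namespaces.
# Being able to exec into any container is close to cluster-admin in practice,
# because the holder can act as whatever those containers are allowed to do.
# Prefer a Role + RoleBinding in each namespace that should be reachable from
# Guacamole (namespace: <TARGET_NAMESPACE>) and drop the cluster-wide binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: guacd-pod-exec
  labels:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/name: guacd
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec", "pods/attach"]
    verbs: ["create", "get"]
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["list", "get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: guacd-pod-exec
  labels:
    app.kubernetes.io/component: proxy
    app.kubernetes.io/name: guacd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: guacd-pod-exec
subjects:
  - kind: ServiceAccount
    name: guacd-exec
    namespace: guacamole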