authorPramod <pramod.raghavendra.jayathirth@intel.com>2019-08-28 22:47:54 -0700
committerPramod <pramod.raghavendra.jayathirth@intel.com>2019-10-01 10:20:39 -0700
commit7b55292fe1017fc45329ca2d3a9b26395ca0e7ce (patch)
treecbe7146a62aa1d2da8febfcc8b48af97a9299347
parent1b8bee840af30f67fcdc0d45ef9334f0461ca1c7 (diff)
Adding Istio rbac roles for multicloud-k8s
This chart is used to grant role-based access to users of multicloud-k8s. Issue-ID: MULTICLOUD-790 Signed-off-by: Pramod <pramod.raghavendra.jayathirth@intel.com> Change-Id: Icf064af7943b337f2cb83c3b4fa29bfb54f5b999
-rw-r--r--deployments/helm/servicemesh/rbac/.helmignore22
-rw-r--r--deployments/helm/servicemesh/rbac/Chart.yaml18
-rw-r--r--deployments/helm/servicemesh/rbac/templates/_helpers.tpl69
-rw-r--r--deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml23
-rw-r--r--deployments/helm/servicemesh/rbac/templates/servicerole.yaml24
-rw-r--r--deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml26
-rw-r--r--deployments/helm/servicemesh/rbac/values.yaml26
7 files changed, 208 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/rbac/.helmignore b/deployments/helm/servicemesh/rbac/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deployments/helm/servicemesh/rbac/Chart.yaml b/deployments/helm/servicemesh/rbac/Chart.yaml
new file mode 100644
index 00000000..8b3bfdc1
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Istio Rbac Rules
+name: rbac
+version: 0.1.0
diff --git a/deployments/helm/servicemesh/rbac/templates/_helpers.tpl b/deployments/helm/servicemesh/rbac/templates/_helpers.tpl
new file mode 100644
index 00000000..866dd71e
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/_helpers.tpl
@@ -0,0 +1,69 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rbacname" -}}
+ {{ default "default" .Values.rbacName }}
+{{- end -}}
+
+{{- define "servicerolename" -}}
+ {{ default "default" .Values.serviceRoleRule.name }}
+{{- end -}}
+
+{{- define "servicerolebindingname" -}}
+ {{ default "default" .Values.serviceRoleBinding.name }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "labels" -}}
+app.kubernetes.io/name: {{ include "name" . }}
+helm.sh/chart: {{ include "chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
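Review bot: The three new helpers `rbacname`, `servicerolename` and `servicerolebindingname` are the only templates in this file without a `{{/* ... */}}` doc comment, and the `rbacname` one deserves it: as I recall Istio treats ClusterRbacConfig as a cluster-wide singleton that must be named `default`, so the `default "default"` fallback is load-bearing and an operator who sets `rbacName` to anything else will have the object rejected or ignored. A comment such as `{{/* Name of the ClusterRbacConfig; Istio expects the singleton to be called "default", so only override rbacName if you know why. */}}` above the define would record that. The other two could carry a one-line `{{/* ServiceRole / ServiceRoleBinding name, falling back to "default" when unset. */}}`. These helpers also rely on the surrounding `-}}`/`{{-` trims to strip the leading space on the `{{ default ... }}` line; writing `{{- default "default" .Values.rbacName -}}` makes the rendered value independent of that whitespace.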
diff --git a/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml b/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml
new file mode 100644
index 00000000..486993a3
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml
@@ -0,0 +1,23 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ClusterRbacConfig
+metadata:
+ name: {{ template "rbacname" . }}
+spec:
+ mode: 'ON_WITH_INCLUSION'
+ inclusion:
+ namespaces: [{{ .Values.namespace | quote }}]
+ enforcement_mode: {{ .Values.policyEnforcementMode }}
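Review bot: `enforcement_mode` on the ClusterRbacConfig (last line of the hunk) is fed straight from `.Values.policyEnforcementMode`, which values.yaml in this commit sets to `PERMISSIVE`, so a default install of this chart only logs RBAC decisions and enforces nothing — anyone deploying it expecting the roles to restrict access to multicloud-k8s gets no protection until they override the value. That may be a deliberate staging default, but it should be stated where the operator will see it: add above `spec:` a line `# NOTE: policyEnforcementMode defaults to PERMISSIVE (audit only); set ENFORCED to deny requests not matched by a ServiceRoleBinding`. The value is also emitted unquoted; `enforcement_mode: {{ .Values.policyEnforcementMode | quote }}` keeps an empty override from rendering as null. The license header reads `imitations under the License` (missing `l`), and the same typo is repeated in the other two templates.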
diff --git a/deployments/helm/servicemesh/rbac/templates/servicerole.yaml b/deployments/helm/servicemesh/rbac/templates/servicerole.yaml
new file mode 100644
index 00000000..d2791379
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/servicerole.yaml
@@ -0,0 +1,24 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: {{ template "servicerolename" . }}
+ namespace: {{ .Values.namespace }}
+spec:
+ rules:
+ - services: [{{ .Values.serviceRoleRule.services | quote }}]
+ paths: [{{ .Values.serviceRoleRule.paths | quote }}]
+ methods: {{ .Values.serviceRoleRule.methods| toJson }}
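Review bot: The `services:` entry on the `rules` line reads `.Values.serviceRoleRule.services`, but values.yaml in this commit defines the key as `serviceRoleRule.service` (singular), so with the shipped defaults the lookup is nil and the rule renders with no usable service instead of `multicloud-k8s.multicloud.svc.cluster.local`; as far as I can tell Istio rejects a ServiceRole rule without at least one service, and if it did accept it the role would not match the intended workload. Either rename the values key to `services` or change the template to `- services: [{{ .Values.serviceRoleRule.service | quote }}]` so the two agree. Since the rule is also `paths: ["*"]`, a comment above `rules:` such as `# read-only (GET/HEAD) access to every path of the listed service; narrow paths before binding this role to "*" users` would make the breadth of the grant explicit. Note too that `services` and `paths` are each wrapped in `[ ... | quote ]`, so a list override in values would be rendered as one quoted string rather than several entries.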
diff --git a/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml b/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml
new file mode 100644
index 00000000..c17adf7e
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml
@@ -0,0 +1,26 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: {{ template "servicerolebindingname" . }}
+ namespace: {{ .Values.namespace }}
+spec:
+ subjects:
+ - user: {{ .Values.serviceRoleBinding.users | quote }}
+ roleRef:
+ kind: ServiceRole
+ name: {{ .Values.serviceRoleBinding.serviceRoleName | quote }}
+ mode: {{ .Values.policyEnforcementMode }}
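Review bot: `roleRef.name` is rendered from `.Values.serviceRoleBinding.serviceRoleName`, which values.yaml in this commit leaves as `""`, while the ServiceRole in the same chart is named via the `servicerolename` helper (defaulting to `default`), so with default values the binding points at a ServiceRole named `""` and does not bind the role the chart creates. Rendering it as `name: {{ default (include "servicerolename" .) .Values.serviceRoleBinding.serviceRoleName | quote }}` keeps the override and binds to the chart's own role by default. Separately, the only subject is `user: {{ .Values.serviceRoleBinding.users | quote }}` with a default of `"*"`; in Istio's v1alpha1 RBAC a `*` user matches unauthenticated callers as well as authenticated ones, so the default binding hands GET/HEAD on the role's paths to everyone — worth a comment on the `subjects:` line such as `# "*" matches any caller, including unauthenticated; prefer a source principal (spiffe://...) in production`. The `users` value is also a single scalar, so a list override would be rendered as one quoted string rather than multiple subjects.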
diff --git a/deployments/helm/servicemesh/rbac/values.yaml b/deployments/helm/servicemesh/rbac/values.yaml
new file mode 100644
index 00000000..45208ffa
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/values.yaml
@@ -0,0 +1,26 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+
+namespace: multicloud
+policyEnforcementMode: PERMISSIVE
+rbacName: ""
+serviceRoleRule:
+ name: ""
+ service: multicloud-k8s.multicloud.svc.cluster.local
+ paths: "*"
+ methods: [ "GET","HEAD"]
+serviceRoleBinding:
+ name: ""
+ users: "*"
+ serviceRoleName: ""
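Review bot: The default `users: "*"` combined with `policyEnforcementMode: PERMISSIVE` means an out-of-the-box install of this chart neither restricts who may call multicloud-k8s nor enforces the one rule it defines, and nothing in the file tells the operator that. Add comments beside those values: `# PERMISSIVE only logs RBAC decisions; set ENFORCED to deny unmatched requests` and `# "*" includes unauthenticated callers; set to a service account / SPIFFE principal to restrict access`. Also `serviceRoleRule.service` here is singular while templates/servicerole.yaml in this commit reads `serviceRoleRule.services`, so this value is never picked up; rename the key to `services` (or fix the template) so the rule actually targets `multicloud-k8s.multicloud.svc.cluster.local`. Quoting `"*"` is correct (an unquoted `*` would be parsed as an alias), but `paths: "*"` and `users: "*"` are single strings where the API fields are lists, so a multi-value override is not possible without also changing the templates.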