author | Kiran Kamineni <kiran.k.kamineni@intel.com> | 2019-12-03 20:14:16 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@onap.org> | 2019-12-03 20:14:16 +0000 |
commit | 85bbacc1afb2d7160128bee00e194ae5834a8296 (patch) | |
tree | da37a757e60b2b3d5e83779bb36e4f3d70e20f78 /deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml | |
parent | d857dba045010a6d3f69845efbb40eaa6b927685 (diff) | |
parent | ccbd9d767ad08455382e2cec91e0bfc4ed7ea942 (diff) |
Merge "Upgrade istio-operator"
Diffstat (limited to 'deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml')
-rw-r--r-- | deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml b/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml
new file mode 100644
index 00000000..b6e5eac6
--- /dev/null
+++ b/deployments/helm/servicemesh/istio-operator/templates/operator-psp-basic.yaml
@@ -0,0 +1,97 @@
+{{- if and .Values.rbac.enabled .Values.rbac.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+spec:
+ fsGroup:
+ rule: RunAsAny
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ volumes:
+ - secret
+ - configMap
+ - emptyDir
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+rules:
+- apiGroups:
+ - policy
+ resourceNames:
+ - {{ include "istio-operator.fullname" . }}-basic
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+ labels:
+ app.kubernetes.io/name: {{ include "istio-operator.name" . }}
+ helm.sh/chart: {{ include "istio-operator.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: psp:{{ include "istio-operator.fullname" . }}-basic
+subjects:
+ - kind: ServiceAccount
+ name: istio-citadel-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-galley-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-egressgateway-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-ingressgateway-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-mixer-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-operator-authproxy
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-pilot-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-sidecar-injector-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istiocoredns-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-nodeagent-service-account
+ namespace: {{ .Release.Namespace }}
+ - kind: ServiceAccount
+ name: istio-operator-operator
+ namespace: {{ .Release.Namespace }}
+{{- end }} |
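Review bot: The PodSecurityPolicy `spec:` leaves `allowPrivilegeEscalation` unset, and for a PSP that field defaults to true, so together with `runAsUser: rule: RunAsAny` the policy named "basic" admits containers running as root that can still gain privileges through setuid binaries. I would add `privileged: false`, `allowPrivilegeEscalation: false` and `requiredDropCapabilities: [ALL]` under `spec:`, and switch `runAsUser` to `MustRunAsNonRoot` for the components that can run unprivileged; whether the gateways need a retained capability to bind low ports is not visible in this file and should be checked first. The RoleBinding also hard-codes the subject names `istio-operator-operator` and `istio-operator-authproxy` while the Role and PSP names use the templated fullname, so a release whose fullname differs presumably leaves those two accounts without the `use` grant. A short comment at the top of the template naming the workloads this policy is meant to cover would make later audits easier.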