From 7b55292fe1017fc45329ca2d3a9b26395ca0e7ce Mon Sep 17 00:00:00 2001
From: Pramod
Date: Wed, 28 Aug 2019 22:47:54 -0700
Subject: Adding Istio rbac roles for multicloud-k8s
This is used to grant role based access to user
Issue-ID: MULTICLOUD-790
Signed-off-by: Pramod
Change-Id: Icf064af7943b337f2cb83c3b4fa29bfb54f5b999
---
deployments/helm/servicemesh/rbac/.helmignore | 22 +++++++
deployments/helm/servicemesh/rbac/Chart.yaml | 18 ++++++
.../helm/servicemesh/rbac/templates/_helpers.tpl | 69 ++++++++++++++++++++++
.../servicemesh/rbac/templates/rbacenablement.yaml | 23 ++++++++
.../servicemesh/rbac/templates/servicerole.yaml | 24 ++++++++
.../rbac/templates/servicerolebinding.yaml | 26 ++++++++
deployments/helm/servicemesh/rbac/values.yaml | 26 ++++++++
7 files changed, 208 insertions(+)
create mode 100644 deployments/helm/servicemesh/rbac/.helmignore
create mode 100644 deployments/helm/servicemesh/rbac/Chart.yaml
create mode 100644 deployments/helm/servicemesh/rbac/templates/_helpers.tpl
create mode 100644 deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml
create mode 100644 deployments/helm/servicemesh/rbac/templates/servicerole.yaml
create mode 100644 deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml
create mode 100644 deployments/helm/servicemesh/rbac/values.yaml
diff --git a/deployments/helm/servicemesh/rbac/.helmignore b/deployments/helm/servicemesh/rbac/.helmignore
new file mode 100644
index 00000000..50af0317
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deployments/helm/servicemesh/rbac/Chart.yaml b/deployments/helm/servicemesh/rbac/Chart.yaml
new file mode 100644
index 00000000..8b3bfdc1
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+apiVersion: v1
+appVersion: "1.0"
+description: A Helm chart for Istio Rbac Rules
+name: rbac
+version: 0.1.0
diff --git a/deployments/helm/servicemesh/rbac/templates/_helpers.tpl b/deployments/helm/servicemesh/rbac/templates/_helpers.tpl
new file mode 100644
index 00000000..866dd71e
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/_helpers.tpl
@@ -0,0 +1,69 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "rbacname" -}}
+ {{ default "default" .Values.rbacName }}
+{{- end -}}
+
+{{- define "servicerolename" -}}
+ {{ default "default" .Values.serviceRoleRule.name }}
+{{- end -}}
+
+{{- define "servicerolebindingname" -}}
+ {{ default "default" .Values.serviceRoleBinding.name }}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "labels" -}}
+app.kubernetes.io/name: {{ include "name" . }}
+helm.sh/chart: {{ include "chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
diff --git a/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml b/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml
new file mode 100644
index 00000000..486993a3
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/rbacenablement.yaml
@@ -0,0 +1,23 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ClusterRbacConfig
+metadata:
+ name: {{ template "rbacname" . }}
+spec:
+ mode: 'ON_WITH_INCLUSION'
+ inclusion:
+ namespaces: [{{ .Values.namespace | quote }}]
+ enforcement_mode: {{ .Values.policyEnforcementMode }}
diff --git a/deployments/helm/servicemesh/rbac/templates/servicerole.yaml b/deployments/helm/servicemesh/rbac/templates/servicerole.yaml
new file mode 100644
index 00000000..d2791379
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/servicerole.yaml
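Review bot: The `labels` helper defined at the end of this hunk, together with the `name`, `fullname` and `chart` helpers it builds on, is not included by any of the three templates in this commit, so the rendered ClusterRbacConfig, ServiceRole and ServiceRoleBinding carry no labels and cannot be selected or traced back to the release. Either drop the dead helpers or wire them in with `labels: {{ include "labels" . | nindent 4 }}` under each `metadata:`. The `rbacname`, `servicerolename` and `servicerolebindingname` helpers silently fall back to the literal `default` whenever the value is empty, which is exactly what values.yaml ships, and nothing says so; a one-line comment above each, such as `{{/* Falls back to "default" when .Values.rbacName is empty; per Istio's docs only a ClusterRbacConfig named "default" is honoured */}}`, would make that contract explicit. The bodies of those three helpers also carry a leading space inside a block whose surrounding `-}}`/`{{-` markers trim it away, so `{{- default "default" .Values.rbacName -}}` on the define line's own terms reads more clearly and does not rely on the neighbours' trimming.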
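Review bot: `enforcement_mode: {{ .Values.policyEnforcementMode }}` on the last line is rendered unquoted, unlike the `namespaces` entry two lines above, so an unset or empty value renders as a bare `enforcement_mode:` (YAML null) rather than failing at template time; `enforcement_mode: {{ required "policyEnforcementMode is required" .Values.policyEnforcementMode | quote }}` closes that gap. A comment is warranted here as well: with the shipped default PERMISSIVE, Istio evaluates the ServiceRole rules and logs the outcome but denies nothing, so this chart provides no access control until an operator sets the value to ENFORCED. The same unquoted `mode:` appears on the last line of servicerolebinding.yaml. The license header in this file (and in servicerole.yaml and servicerolebinding.yaml) reads `imitations under the License`, missing the leading `l`.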
@@ -0,0 +1,24 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRole
+metadata:
+ name: {{ template "servicerolename" . }}
+ namespace: {{ .Values.namespace }}
+spec:
+ rules:
+ - services: [{{ .Values.serviceRoleRule.services | quote }}]
+ paths: [{{ .Values.serviceRoleRule.paths | quote }}]
+ methods: {{ .Values.serviceRoleRule.methods| toJson }}
diff --git a/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml b/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml
new file mode 100644
index 00000000..c17adf7e
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/templates/servicerolebinding.yaml
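Review bot: `services: [{{ .Values.serviceRoleRule.services | quote }}]` reads a plural `services` key, but values.yaml in this same commit defines the singular `service: multicloud-k8s.multicloud.svc.cluster.local`, so with the shipped values the rule has no real service — depending on the Sprig version, `quote` of a missing value renders either `services: []` or the literal `services: ["<nil>"]`, and Istio's ServiceRole validation should reject a rule with no service (confirm against the installed Istio). Rename one side; the least disruptive fix is `- services: [{{ .Values.serviceRoleRule.service | quote }}]`, and the values.yaml hunk needs the matching check. `namespace: {{ .Values.namespace }}` is rendered unquoted while every other user-supplied scalar in this template is quoted; `namespace: {{ .Values.namespace | quote }}` keeps it consistent and stops an empty value from becoming YAML null. Minor style: `methods| toJson` is missing the space before the pipe.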
@@ -0,0 +1,26 @@
+#{{/*
+# Copyright @ 2019 Intel Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# imitations under the License.
+#*/}}
+apiVersion: "rbac.istio.io/v1alpha1"
+kind: ServiceRoleBinding
+metadata:
+ name: {{ template "servicerolebindingname" . }}
+ namespace: {{ .Values.namespace }}
+spec:
+ subjects:
+ - user: {{ .Values.serviceRoleBinding.users | quote }}
+ roleRef:
+ kind: ServiceRole
+ name: {{ .Values.serviceRoleBinding.serviceRoleName | quote }}
+ mode: {{ .Values.policyEnforcementMode }}
diff --git a/deployments/helm/servicemesh/rbac/values.yaml b/deployments/helm/servicemesh/rbac/values.yaml
new file mode 100644
index 00000000..45208ffa
--- /dev/null
+++ b/deployments/helm/servicemesh/rbac/values.yaml
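Review bot: `roleRef.name` is taken verbatim from `.Values.serviceRoleBinding.serviceRoleName`, which values.yaml ships as `""`, while the ServiceRole it is meant to reference takes its name from the `servicerolename` helper (falling back to `default`), so the default render produces a binding with `name: ""` that matches no ServiceRole at all. Resolve the name the same way on both sides, e.g. `name: {{ .Values.serviceRoleBinding.serviceRoleName | default (include "servicerolename" .) | quote }}`. The subject line renders a single `user:` from a key named `users`, so a list cannot be expressed despite the plural, and the shipped default `"*"` binds the role to every caller — in Istio's v1alpha1 RBAC that includes unauthenticated requests, as far as I recall — which deserves a comment stating that the wide-open default is intentional, or a narrower default. `namespace:` and `mode:` are rendered unquoted while `user:` and `name:` are quoted; quoting all four keeps an empty value from rendering as YAML null.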
@@ -0,0 +1,26 @@
+# Copyright @ 2019 Intel Corporation
+# #
+# # Licensed under the Apache License, Version 2.0 (the "License");
+# # you may not use this file except in compliance with the License.
+# # You may obtain a copy of the License at
+# #
+# # http://www.apache.org/licenses/LICENSE-2.0
+# #
+# # Unless required by applicable law or agreed to in writing, software
+# # distributed under the License is distributed on an "AS IS" BASIS,
+# # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# # See the License for the specific language governing permissions and
+# # limitations under the License.
+
+namespace: multicloud
+policyEnforcementMode: PERMISSIVE
+rbacName: ""
+serviceRoleRule:
+ name: ""
+ service: multicloud-k8s.multicloud.svc.cluster.local
+ paths: "*"
+ methods: [ "GET","HEAD"]
+serviceRoleBinding:
+ name: ""
+ users: "*"
+ serviceRoleName: ""
-- cgit 1.2.3-korg
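Review bot: None of the keys in this values file is documented, and the security-relevant defaults each need a comment: `policyEnforcementMode: PERMISSIVE` means the rules are logged but not enforced, `paths: "*"` with `methods: [ "GET","HEAD"]` covers every read path of the service, and `users: "*"` binds that role to all callers. Suggested wording: `# PERMISSIVE only logs RBAC decisions; set ENFORCED to actually deny requests` above policyEnforcementMode, and `# "*" grants the role to every caller; narrow to a specific principal where possible` above users. The empty-string defaults for `rbacName`, `serviceRoleRule.name` and `serviceRoleBinding.name` are resolved to `default` by the chart's helpers, but `serviceRoleBinding.serviceRoleName: ""` is not, so a comment such as `# empty falls back to "default" via the servicerolename helper` would tell operators which blanks are safe. Minor style: `methods: [ "GET","HEAD"]` has uneven spacing inside the flow sequence; `["GET", "HEAD"]` matches the usual form.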