author | Andreas Geissler <andreas-geissler@telekom.de> | 2023-07-27 19:07:08 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2023-08-04 08:45:18 +0200 |
commit | d4f832dbaf2f190c5bed08aff3d56f9378a3d5f9 (patch) | |
tree | 33179a9572f4d4ed9261bf290b947cfeb1ad50c1 /kubernetes/common/serviceAccount/templates/role.yaml | |
parent | 7a34dfca27abc3a13f89ed8d6b87e4aa7be9613f (diff) |
[COMMON][SA] Add default role creation to ServiceAccount
Adds an option "createDefaultRoles" that creates the Roles directly
instead of relying on the roles-wrapper
Issue-ID: OOM-3233
Change-Id: I03eb95b641034637fa218010025b2c452aba09d1
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Diffstat (limited to 'kubernetes/common/serviceAccount/templates/role.yaml')
-rw-r--r-- | kubernetes/common/serviceAccount/templates/role.yaml | 107 |
1 files changed, 107 insertions, 0 deletions
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index 2055885f2a..1b686f521c 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2020 Orange
+# Modifications Copyright © 2023 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -37,5 +38,111 @@ rules:
 verbs:
 - create
 {{- end }}
+{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+ namespace: {{ include "common.namespace" $dot }}
+rules:
+{{- if eq $role_type "read" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - deployments/status
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+{{- else }}
+{{- if eq $role_type "create" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - deployments/status
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ - secrets
+ - services
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ - configmaps
+ verbs:
+ - patch
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ - services
+ - pods
+ verbs:
+ - create
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployments
+ - services
+ verbs:
+ - delete
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificates
+ verbs:
+ - create
+ - delete
+{{- else }}
+# if you don't match read or create, then you're not allowed to use API
+# except to see basic information about yourself
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+{{- end }}
+{{- end }}
 {{- end }}
 {{- end }} |
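Review bot: The `create` role combines `get`/`list`/`watch` plus `create`/`delete` on `secrets`, `create` on `pods/exec`, and `create` on `pods` in the same namespace, which together let any workload bound to it read every Secret in the namespace, exec into any pod, and launch pods under any other ServiceAccount there — effectively namespace-admin rather than a scoped "create" permission. Nothing in the hunk documents that blast radius, so a chart author switching on `createDefaultRoles` with role type `create` may not realise what they are handing to a pod; a comment above the secrets/exec rules such as `# NOTE: secrets read/write + pods/exec + pod create amount to namespace-admin (any SA token in the namespace is reachable); bind this role only to deployer/job SAs, never to long-running workloads` would make the trade-off explicit. Separately, `selfsubjectaccessreviews`/`selfsubjectrulesreviews` in the fallback branch are cluster-scoped resources, so a namespaced `Role` appears unable to grant them and this branch looks like a no-op (by default every authenticated subject already gets them through `system:basic-user`) — worth confirming whether a ClusterRole was intended or the branch is only a deliberate placeholder. The enclosing template block that defines `$role_type` and `$dot` starts outside the hunk.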