aboutsummaryrefslogtreecommitdiffstats
path: root/kubernetes/common/serviceAccount/templates/role.yaml
diff options
context:
space:
mode:
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-04-19 15:26:15 +0200
committerKrzysztof Opasiak <k.opasiak@samsung.com>2021-05-11 17:42:54 +0000
commit6f4e8c05f173a957c61acd0741541f52a552e12c (patch)
treeec8dad1ecaf4b5e460046ef04bda975907198c0e /kubernetes/common/serviceAccount/templates/role.yaml
parentf2c596ce55a2fa00280052d2924d69ffdccbcb71 (diff)
[COMMON][ROLES] Create default roles once
Instead of creating all roles every time with service account chart, let's just create the specific ones for a chart and point to default one for the three default roles. In order to lighten serviceAccount chart, whole logic for default role creation is in `roles-wrapper`. Issue-ID: OOM-2729 Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com> Change-Id: Ib4d6a2669ca7d747320a4bccb65aac863eb60956
Diffstat (limited to 'kubernetes/common/serviceAccount/templates/role.yaml')
-rw-r--r--kubernetes/common/serviceAccount/templates/role.yaml90
1 files changed, 11 insertions, 79 deletions
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index 6d12164938..2055885f2a 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -14,96 +14,28 @@
# limitations under the License.
*/}}
-{{- $dot := . -}}
+{{- $dot := . -}}
{{- range $role_type := $dot.Values.roles }}
+{{/* Default roles are already created, just creating specific ones */}}
+{{- if not (has $role_type $dot.Values.defaultRoles) }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
- name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
namespace: {{ include "common.namespace" $dot }}
rules:
-{{- if eq $role_type "read" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - pods
- - deployments
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- verbs:
- - get
- - watch
- - list
-{{- else }}
-{{- if eq $role_type "create" }}
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- - batch
- - extensions
- resources:
- - pods
- - deployments
- - jobs
- - jobs/status
- - statefulsets
- - replicasets
- - replicasets/status
- - daemonsets
- - secrets
- verbs:
- - get
- - watch
- - list
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - statefulsets
- verbs:
- - patch
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - deployments
- - secrets
- verbs:
- - create
-- apiGroups:
- - "" # "" indicates the core API group
- - apps
- resources:
- - pods
- - persistentvolumeclaims
- - secrets
- - deployment
- verbs:
- - delete
+{{- if hasKey $dot.Values.new_roles_definitions $role_type }}
+{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
+{{- else}}
+# if no rules are provided, you're back to 'nothing' role
- apiGroups:
- - "" # "" indicates the core API group
- - apps
+ - authorization.k8s.io
resources:
- - pods/exec
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
verbs:
- create
-{{- else }}
-{{- if hasKey $dot.Values.new_roles_definitions $role_type }}
-{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
-{{- else}}
-# if you don't match read or create, then you're not allowed to use API
-- apiGroups: []
- resources: []
- verbs: []
{{- end }}
{{- end }}
{{- end }}
-{{- end }}