diff options
| author |   Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2020-05-19 17:46:54 +0200 |
|---|---|---|
| committer |   Krzysztof Opasiak <k.opasiak@samsung.com> | 2020-06-26 15:24:04 +0000 |
| commit | 4534881264e8a125c7eed68992fe4ef32b204caf (patch) | |
| tree | e54eb051150058e4d2bc3dc62b0aac7dc702cef4 /kubernetes/common/serviceAccount/templates | |
| parent | d610a48073273ba043d54647b73b4754a7b8441e (diff) | |
[COMMON] Templates for services accounts and roles
Create a common chart that will create the relevant service accounts /
roles and role binding for ONAP components.
Issue-ID: OOM-1971
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I687ef6debe679b5f7f250d75d93ee4da84d97104
Diffstat (limited to 'kubernetes/common/serviceAccount/templates')
3 files changed, 162 insertions, 0 deletions
diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml new file mode 100644 index 0000000000..2082f8466b --- /dev/null +++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml @@ -0,0 +1,33 @@ +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := . -}} +{{- range $role_type := $dot.Values.roles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace. +kind: RoleBinding +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + namespace: {{ include "common.namespace" $dot }} +subjects: +- kind: ServiceAccount + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} +roleRef: + kind: Role + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml new file mode 100644 index 0000000000..73f45b5fce --- /dev/null +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -0,0 +1,105 @@ +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := . -}} +{{- range $role_type := $dot.Values.roles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - daemonsets + verbs: + - get + - watch + - list +{{- else }} +{{- if eq $role_type "create" }} +- apiGroups: + - "" # "" indicates the core API group + - apps + - batch + resources: + - pods + - deployments + - jobs + - jobs/status + - statefulsets + - replicasets + - daemonsets + - secrets + verbs: + - get + - watch + - list +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - statefulsets + verbs: + - patch +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - deployments + - secrets + verbs: + - create +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods + - persistentvolumeclaims + - secrets + - deployment + verbs: + - delete +- apiGroups: + - "" # "" indicates the core API group + - apps + resources: + - pods/exec + verbs: + - create +{{- else }} +{{- if hasKey $dot.Values.new_roles_definitions $role_type }} +{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} +{{- else}} +# if you don't match read or create, then you're not allowed to use API +- apiGroups: [] + resources: [] + verbs: [] +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml new file mode 100644 index 0000000000..449bea684c --- /dev/null +++ b/kubernetes/common/serviceAccount/templates/service-account.yaml @@ -0,0 +1,24 @@ +{{/* +# Copyright © 2020 Orange +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +*/}} + +{{- $dot := . -}} +{{- range $role_type := $dot.Values.roles }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} +{{- end }} |