From 6f4e8c05f173a957c61acd0741541f52a552e12c Mon Sep 17 00:00:00 2001
From: Sylvain Desbureaux
Date: Mon, 19 Apr 2021 15:26:15 +0200
Subject: [COMMON][ROLES] Create default roles once
Instead of creating all roles every time with service account chart, let's just create the specific ones for a chart and point to default one for the three default roles. In order to lighten serviceAccount chart, whole logic for default role creation is in `roles-wrapper`.
Issue-ID: OOM-2729
Signed-off-by: Sylvain Desbureaux
Change-Id: Ib4d6a2669ca7d747320a4bccb65aac863eb60956
---
 kubernetes/common/roles-wrapper/Chart.yaml | 18 ++++
 kubernetes/common/roles-wrapper/requirements.yaml | 18 ++++
 .../common/roles-wrapper/templates/role.yaml | 110 +++++++++++++++++++++
 kubernetes/common/roles-wrapper/values.yaml | 18 ++++
 4 files changed, 164 insertions(+)
 create mode 100644 kubernetes/common/roles-wrapper/Chart.yaml
 create mode 100644 kubernetes/common/roles-wrapper/requirements.yaml
 create mode 100644 kubernetes/common/roles-wrapper/templates/role.yaml
 create mode 100644 kubernetes/common/roles-wrapper/values.yaml
(limited to 'kubernetes/common/roles-wrapper')
diff --git a/kubernetes/common/roles-wrapper/Chart.yaml b/kubernetes/common/roles-wrapper/Chart.yaml
new file mode 100644
index 0000000000..862773fc87
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Wrapper chart to allow default roles to be shared among onap instances
+name: roles-wrapper
+version: 8.0.0
diff --git a/kubernetes/common/roles-wrapper/requirements.yaml b/kubernetes/common/roles-wrapper/requirements.yaml
new file mode 100644
index 0000000000..b2d51ef925
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~8.x-0
+ repository: 'file://../common'
diff --git a/kubernetes/common/roles-wrapper/templates/role.yaml b/kubernetes/common/roles-wrapper/templates/role.yaml
new file mode 100644
index 0000000000..e2a84b4151
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/templates/role.yaml
@@ -0,0 +1,110 @@
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- $dot := . -}}
+{{- range $role_type := $dot.Values.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ printf "%s-%s" (include "common.release" $dot) $role_type }}
+ namespace: {{ include "common.namespace" $dot }}
+rules:
+{{- if eq $role_type "read" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+{{- else }}
+{{- if eq $role_type "create" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - patch
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ verbs:
+ - create
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployment
+ verbs:
+ - delete
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+{{- else }}
+# if you don't match read or create, then you're not allowed to use API
+# except to see basic information about yourself
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/common/roles-wrapper/values.yaml b/kubernetes/common/roles-wrapper/values.yaml
new file mode 100644
index 0000000000..8a53d7d733
--- /dev/null
+++ b/kubernetes/common/roles-wrapper/values.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2021 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+roles:
+ - nothing
+ - read
+ - create
-- cgit 1.2.3-korg
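Review bot: In the `create` branch of role.yaml, the delete rule lists `- deployment` (singular) next to `pods`, `persistentvolumeclaims` and `secrets`; Kubernetes RBAC matches the plural resource name as written, so this entry never matches anything and the role silently grants no delete on Deployments — change it to `- deployments` if that was the intent, or drop the dead entry. The same branch grants `get`/`list`/`watch` on `secrets` and `create` on `pods/exec`, which together allow a holder to read every secret in the namespace and exec into any pod there, so a comment above `{{- range $role_type := $dot.Values.roles }}` such as `# "create" can read all namespace secrets and exec into pods; bind "read" where that is sufficient` would help chart consumers choose the narrowest role. The `{{- else }}` / `{{- if eq $role_type "create" }}` pair could also be collapsed into `{{- else if eq $role_type "create" }}` with one fewer `{{- end }}`, which makes the three-way branch easier to follow.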