X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcommon%2FserviceAccount%2Ftemplates%2Frole.yaml;h=1b686f521caadf2748aad2e90fc2954c0f571ad7;hb=d4f832dbaf2f190c5bed08aff3d56f9378a3d5f9;hp=2055885f2a597305403c1c3e67ee69fa60d43f98;hpb=7a34dfca27abc3a13f89ed8d6b87e4aa7be9613f;p=oom.git

diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
index 2055885f2a..1b686f521c 100644
--- a/kubernetes/common/serviceAccount/templates/role.yaml
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
@@ -1,5 +1,6 @@
 {{/*
 # Copyright Â© 2020 Orange
+# Modifications Copyright Â© 2023 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -37,5 +38,111 @@ rules:
   verbs:
   - create
 {{-     end }}
+{{-   else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+  namespace: {{ include "common.namespace" $dot }}
+rules:
+{{-     if eq $role_type "read" }}
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  - batch
+  - extensions
+  resources:
+  - pods
+  - deployments
+  - deployments/status
+  - jobs
+  - jobs/status
+  - statefulsets
+  - replicasets
+  - replicasets/status
+  - daemonsets
+  verbs:
+  - get
+  - watch
+  - list
+{{-     else  }}
+{{-       if eq $role_type "create" }}
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  - batch
+  - extensions
+  resources:
+  - pods
+  - deployments
+  - deployments/status
+  - jobs
+  - jobs/status
+  - statefulsets
+  - replicasets
+  - replicasets/status
+  - daemonsets
+  - secrets
+  - services
+  verbs:
+  - get
+  - watch
+  - list
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - statefulsets
+  - configmaps
+  verbs:
+  - patch
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - deployments
+  - secrets
+  - services
+  - pods
+  verbs:
+  - create
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - pods
+  - persistentvolumeclaims
+  - secrets
+  - deployments
+  - services
+  verbs:
+  - delete
+- apiGroups:
+  - "" # "" indicates the core API group
+  - apps
+  resources:
+  - pods/exec
+  verbs:
+  - create
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - create
+  - delete
+{{-       else }}
+# if you don't match read or create, then you're not allowed to use API
+# except to see basic information about yourself
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - selfsubjectaccessreviews
+  - selfsubjectrulesreviews
+  verbs:
+  - create
+{{-       end }}
+{{-     end }}
 {{-   end }}
 {{- end }}