X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcommon%2FserviceAccount%2Ftemplates%2Frole.yaml;h=83cb945ba98ce2cffe7dc9fffd2060026e9245e3;hb=refs%2Fheads%2Fmaster;hp=6d121649383d011cd282ac124731e064790f573e;hpb=4087a68998ae17961d8252ae0a60eb73604c74c7;p=oom.git diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 6d12164938..83cb945ba9 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,24 +15,50 @@ # limitations under the License. */}} -{{- $dot := . -}} +{{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* Default roles are already created, just creating specific ones */}} +{{- if not (has $role_type $dot.Values.defaultRoles) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} rules: -{{- if eq $role_type "read" }} +{{- if hasKey $dot.Values.new_roles_definitions $role_type }} +{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} +{{- else}} +# if no rules are provided, you're back to 'nothing' role +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} +{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} - apiGroups: - "" # "" indicates the core API group - apps - batch - extensions resources: + - endpoints + - services + - nodes - pods - deployments + - deployments/status - jobs - jobs/status - statefulsets @@ -42,8 +69,8 @@ rules: - get - watch - list -{{- else }} -{{- if eq $role_type "create" }} +{{- else }} +{{- if eq $role_type "create" }} - apiGroups: - "" # "" indicates the core API group - apps @@ -52,6 +79,7 @@ rules: resources: - pods - deployments + - deployments/status - jobs - jobs/status - statefulsets @@ -59,6 +87,7 @@ rules: - replicasets/status - daemonsets - secrets + - services verbs: - get - watch @@ -68,6 +97,7 @@ rules: - apps resources: - statefulsets + - configmaps verbs: - patch - apiGroups: @@ -76,6 +106,8 @@ rules: resources: - deployments - secrets + - services + - pods verbs: - create - apiGroups: @@ -85,7 +117,8 @@ rules: - pods - persistentvolumeclaims - secrets - - deployment + - deployments + - services verbs: - delete - apiGroups: @@ -95,15 +128,24 @@ rules: - pods/exec verbs: - create -{{- else }} -{{- if hasKey $dot.Values.new_roles_definitions $role_type }} -{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} -{{- else}} +- apiGroups: + - cert-manager.io + resources: + - certificates + verbs: + - create + - delete +{{- else }} # if you don't match read or create, then you're not allowed to use API -- apiGroups: [] - resources: [] - verbs: [] +# except to see basic information about yourself +- apiGroups: + - authorization.k8s.io + resources: + - selfsubjectaccessreviews + - selfsubjectrulesreviews + verbs: + - create +{{- end }} {{- end }} {{- end }} {{- end }} -{{- end }}