X-Git-Url: https://gerrit.onap.org/r/gitweb?a=blobdiff_plain;f=kubernetes%2Fcommon%2FserviceAccount%2Ftemplates%2Frole.yaml;h=83cb945ba98ce2cffe7dc9fffd2060026e9245e3;hb=refs%2Fheads%2Fmaster;hp=6d121649383d011cd282ac124731e064790f573e;hpb=4087a68998ae17961d8252ae0a60eb73604c74c7;p=oom.git diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml index 6d12164938..90708854ff 100644 --- a/kubernetes/common/serviceAccount/templates/role.yaml +++ b/kubernetes/common/serviceAccount/templates/role.yaml @@ -1,5 +1,6 @@ {{/* # Copyright © 2020 Orange +# Modifications Copyright © 2023 Deutsche Telekom AG # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -14,96 +15,57 @@ # limitations under the License. */}} -{{- $dot := . -}} +{{- $dot := . -}} {{- range $role_type := $dot.Values.roles }} +{{/* Default roles are already created, just creating specific ones */}} +{{- if not (has $role_type $dot.Values.defaultRoles) }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}} + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} namespace: {{ include "common.namespace" $dot }} rules: -{{- if eq $role_type "read" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - verbs: - - get - - watch - - list -{{- else }} -{{- if eq $role_type "create" }} -- apiGroups: - - "" # "" indicates the core API group - - apps - - batch - - extensions - resources: - - pods - - deployments - - jobs - - jobs/status - - statefulsets - - replicasets - - replicasets/status - - daemonsets - - secrets - verbs: - - get - - watch - - list -- apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - statefulsets - verbs: - - patch +{{- if hasKey $dot.Values.new_roles_definitions $role_type }} +{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} +{{- else}} +# if no rules are provided, you're back to 'nothing' role - apiGroups: - - "" # "" indicates the core API group - - apps + - authorization.k8s.io resources: - - deployments - - secrets + - selfsubjectaccessreviews + - selfsubjectrulesreviews verbs: - create +{{- end }} +{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }} + namespace: {{ include "common.namespace" $dot }} +rules: +{{- if eq $role_type "read" }} +{{- with $dot.Values.role.read }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- else }} +{{- if eq $role_type "create" }} +{{- with $dot.Values.role.create }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- else }} +# if you don't match read or create, then you're not allowed to use API +# except to see basic information about yourself - apiGroups: - - "" # "" indicates the core API group - - apps - resources: - - pods - - persistentvolumeclaims - - secrets - - deployment - verbs: - - delete -- apiGroups: - - "" # "" indicates the core API group - - apps + - authorization.k8s.io resources: - - pods/exec + - selfsubjectaccessreviews + - selfsubjectrulesreviews verbs: - create -{{- else }} -{{- if hasKey $dot.Values.new_roles_definitions $role_type }} -{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }} -{{- else}} -# if you don't match read or create, then you're not allowed to use API -- apiGroups: [] - resources: [] - verbs: [] +{{- end }} {{- end }} {{- end }} {{- end }} -{{- end }}