Adjust default role mapping of the common serviceAccount chart 36/139636/1
authorFiete Ostkamp <Fiete.Ostkamp@telekom.de>
Tue, 3 Dec 2024 13:36:26 +0000 (14:36 +0100)
committerFiete Ostkamp <Fiete.Ostkamp@telekom.de>
Tue, 3 Dec 2024 13:36:26 +0000 (14:36 +0100)
- make roles in serviceAccount chart configurable via role.read and role.create
- change declaration of roles to work in environments with more restrictive RBAC rules

Issue-ID: OOM-3323
Change-Id: I25ddd1a7cf26047b9098de03bbb8598dfd367133
Signed-off-by: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
kubernetes/common/serviceAccount/Chart.yaml
kubernetes/common/serviceAccount/templates/role.yaml
kubernetes/common/serviceAccount/values.yaml

index b691c40..3e0e6c2 100644 (file)
@@ -18,7 +18,7 @@
 apiVersion: v2
 description: Template used to create the right Service Accounts / Role / RoleBinding
 name: serviceAccount
-version: 13.0.1
+version: 13.0.2
 
 dependencies:
   - name: common
index d6d041f..9070885 100644 (file)
@@ -47,95 +47,14 @@ metadata:
   namespace: {{ include "common.namespace" $dot }}
 rules:
 {{-     if eq $role_type "read" }}
-- apiGroups:
-  - "" # "" indicates the core API group
-  - apps
-  - batch
-  - extensions
-  resources:
-  - endpoints
-  - services
-  - nodes
-  - pods
-  - deployments
-  - deployments/status
-  - jobs
-  - jobs/status
-  - statefulsets
-  - replicasets
-  - replicasets/status
-  - daemonsets
-  verbs:
-  - get
-  - watch
-  - list
+{{- with $dot.Values.role.read }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{-     else  }}
 {{-       if eq $role_type "create" }}
-- apiGroups:
-  - "" # "" indicates the core API group
-  - apps
-  - batch
-  - extensions
-  resources:
-  - pods
-  - deployments
-  - deployments/status
-  - jobs
-  - jobs/status
-  - statefulsets
-  - replicasets
-  - replicasets/status
-  - daemonsets
-  - secrets
-  - services
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - "" # "" indicates the core API group
-  - apps
-  resources:
-  - statefulsets
-  - configmaps
-  verbs:
-  - patch
-- apiGroups:
-  - "" # "" indicates the core API group
-  - apps
-  resources:
-  - deployments
-  - secrets
-  - services
-  - pods
-  verbs:
-  - create
-- apiGroups:
-  - "" # "" indicates the core API group
-  - apps
-  resources:
-  - pods
-  - persistentvolumeclaims
-  - secrets
-  - deployments
-  - services
-  verbs:
-  - delete
-- apiGroups:
-  - "" # "" indicates the core API group
-  - apps
-  resources:
-  - pods/exec
-  verbs:
-  - create
-  - get
-- apiGroups:
-  - cert-manager.io
-  resources:
-  - certificates
-  verbs:
-  - create
-  - delete
+{{- with $dot.Values.role.create }}
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{-       else }}
 # if you don't match read or create, then you're not allowed to use API
 # except to see basic information about yourself
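Review bot: The `with $dot.Values.role.read` / `with $dot.Values.role.create` guards on the new lines silently render `rules:` with no value when the key is unset or empty, so a misspelled values override (say `roles.read` instead of `role.read`) produces a Role with null rules and a service account that has no permissions, with no render-time error. Since the whole point of the chart is to grant a known permission set, a missing definition should fail fast: `{{- required "role.read must define at least one rule" $dot.Values.role.read | toYaml | nindent 2 }}` (and the same for `role.create`), dropping the `with` wrapper. Whether `$dot.Values.role` resolves to this chart's own values.yaml or to a consuming chart's values depends on how `$dot` is bound, which happens above this hunk; if it is the consuming chart's context, the defaults added to values.yaml in this commit would not be visible and every consumer would hit the empty-rules case. The enclosing template definition starts outside the hunk.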
index 4c9f75f..5d20e45 100644 (file)
@@ -22,8 +22,8 @@ global:
 # if "createDefaultRoles=false"
 roles:
   - nothing
-# - read
-# - create
+  # - read
+  # - create
 
 # Flag to enable the creation of default roles instead of using
 # common roles-wrapper
@@ -43,3 +43,116 @@ new_roles_definitions: {}
 #        - "get"
 #        - "watch"
 #        - "list"
+
+role:
+  read:
+    - apiGroups:
+      - "" # "" indicates the core API group
+      resources:
+      - services
+      - pods
+      - endpoints
+      verbs:
+      - get
+      - watch
+      - list
+    - apiGroups:
+      - batch
+      resources:
+      - jobs
+      verbs:
+      - get
+      - watch
+      - list
+    - apiGroups:
+      - batch
+      resources:
+      - jobs/status
+      verbs:
+      - get
+    - apiGroups:
+      - apps
+      resources:
+      - statefulsets
+      - replicasets
+      - deployments
+      - statefulsets
+      - daemonsets
+      verbs:
+      - get
+      - watch
+      - list
+    - apiGroups:
+      - apps
+      resources:
+      - replicasets/status
+      - deployments/status
+      - statefulsets/status
+      verbs:
+      - get
+  create:
+    - apiGroups:
+      - "" # "" indicates the core API group
+      - apps
+      - batchs
+      - extensions
+      resources:
+      - pods
+      - deployments
+      - deployments/status
+      - jobs
+      - jobs/status
+      - statefulsets
+      - replicasets
+      - replicasets/status
+      - daemonsets
+      - secrets
+      - services
+      verbs:
+      - get
+      - watch
+      - list
+    - apiGroups:
+      - "" # "" indicates the core API group
+      - apps
+      resources:
+      - statefulsets
+      - configmaps
+      verbs:
+      - patch
+    - apiGroups:
+      - "" # "" indicates the core API group
+      - apps
+      resources:
+      - deployments
+      - secrets
+      - services
+      - pods
+      verbs:
+      - create
+    - apiGroups:
+      - "" # "" indicates the core API group
+      - apps
+      resources:
+      - pods
+      - persistentvolumeclaims
+      - secrets
+      - deployments
+      - services
+      verbs:
+      - delete
+    - apiGroups:
+      - "" # "" indicates the core API group
+      - apps
+      resources:
+      - pods/exec
+      verbs:
+      - create
+      - get
+    - apiGroups:
+      - cert-manager.io
+      resources:
+      - certificates
+      verbs:
+      - create
+      - delete
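Review bot: `role.create`'s first rule lists the API group `batchs` (line with `- batchs`), which does not exist, so `jobs` and `jobs/status` are no longer readable under the real `batch` group as they were in the template this replaces; it should read `- batch`. The same rule also keeps the old group-by-resource cross product (the core group paired with `deployments`, `apps` paired with `secrets`), which is exactly what the reworked `role.read` block avoids and, if the commit's "more restrictive RBAC rules" refers to escalation prevention requiring the creator to hold every listed combination, is why the old shape failed; splitting it per group as below keeps the effective grants and mirrors the read role (it drops `extensions` as the read role already does, which is only safe if no consumer still targets the pre-1.16 groups — verify). Minor: `statefulsets` is listed twice in the `apps` read rule.
```yaml
  create:
    - apiGroups:
      - "" # "" indicates the core API group
      resources:
      - pods
      - secrets
      - services
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - apps
      resources:
      - deployments
      - statefulsets
      - replicasets
      - daemonsets
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - apps
      resources:
      - deployments/status
      - replicasets/status
      verbs:
      - get
    - apiGroups:
      - batch
      resources:
      - jobs
      verbs:
      - get
      - watch
      - list
    - apiGroups:
      - batch
      resources:
      - jobs/status
      verbs:
      - get
    # … unchanged: patch, create, delete, pods/exec and cert-manager.io rules …
```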