Merge "[AAI] Make aai log level configurable"
[oom.git] / kubernetes / common / serviceAccount / templates / role.yaml
index 73f45b5..83cb945 100644 (file)
@@ -1,5 +1,6 @@
 {{/*
 # Copyright © 2020 Orange
+# Modifications Copyright © 2023 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # limitations under the License.
 */}}
 
-{{-   $dot := . -}}
+{{- $dot := . -}}
 {{- range $role_type := $dot.Values.roles }}
+{{/* Default roles are already created, just creating specific ones */}}
+{{-   if not (has $role_type $dot.Values.defaultRoles) }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+  name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
   namespace: {{ include "common.namespace" $dot }}
 rules:
-{{- if eq $role_type "read" }}
+{{-     if hasKey $dot.Values.new_roles_definitions $role_type  }}
+{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
+{{-     else}}
+# if no rules are provided, you're back to 'nothing' role
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - selfsubjectaccessreviews
+  - selfsubjectrulesreviews
+  verbs:
+  - create
+{{-     end }}
+{{-   else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+  namespace: {{ include "common.namespace" $dot }}
+rules:
+{{-     if eq $role_type "read" }}
 - apiGroups:
   - "" # "" indicates the core API group
   - apps
   - batch
+  - extensions
   resources:
+  - endpoints
+  - services
+  - nodes
   - pods
   - deployments
+  - deployments/status
   - jobs
   - jobs/status
   - statefulsets
   - replicasets
+  - replicasets/status
   - daemonsets
   verbs:
   - get
   - watch
   - list
-{{- else  }}
-{{-   if eq $role_type "create" }}
+{{-     else  }}
+{{-       if eq $role_type "create" }}
 - apiGroups:
   - "" # "" indicates the core API group
   - apps
   - batch
+  - extensions
   resources:
   - pods
   - deployments
+  - deployments/status
   - jobs
   - jobs/status
   - statefulsets
   - replicasets
+  - replicasets/status
   - daemonsets
   - secrets
+  - services
   verbs:
   - get
   - watch
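Review bot: `nodes` (added to the `read` role at L57) is a cluster-scoped resource, and a namespaced `Role` cannot grant access to cluster-scoped resources — RBAC only consults RoleBindings for requests that carry a namespace — so that entry is dead and will mislead anyone auditing what `read` actually confers. Either drop it or, if node reads are genuinely needed, grant them from a separate `ClusterRole` with just `get`/`list`/`watch` on `nodes`. Likewise `extensions` (L53, L79) stopped serving deployments/daemonsets/replicasets in Kubernetes 1.16, so on any supported cluster it grants nothing and on older clusters it only widens the rule. The same self-subject-review fallback is now emitted twice (L31-L38 and later in the default-roles branch); a shared `{{- define "common.role.nothing" }}` would keep the two copies from drifting.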
@@ -64,6 +97,7 @@ rules:
   - apps
   resources:
   - statefulsets
+  - configmaps
   verbs:
   - patch
 - apiGroups:
@@ -72,6 +106,8 @@ rules:
   resources:
   - deployments
   - secrets
+  - services
+  - pods
   verbs:
   - create
 - apiGroups:
@@ -81,7 +117,8 @@ rules:
   - pods
   - persistentvolumeclaims
   - secrets
-  - deployment
+  - deployments
+  - services
   verbs:
   - delete
 - apiGroups:
@@ -91,15 +128,24 @@ rules:
   - pods/exec
   verbs:
   - create
-{{-   else }}
-{{-     if hasKey $dot.Values.new_roles_definitions $role_type  }}
-{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
-{{-     else}}
+- apiGroups:
+  - cert-manager.io
+  resources:
+  - certificates
+  verbs:
+  - create
+  - delete
+{{-       else }}
 # if you don't match read or create, then you're not allowed to use API
-- apiGroups: []
-  resources: []
-  verbs: []
+# except to see basic information about yourself
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - selfsubjectaccessreviews
+  - selfsubjectrulesreviews
+  verbs:
+  - create
+{{-       end }}
 {{-     end }}
 {{-   end }}
 {{- end }}
-{{- end }}
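Review bot: The fallback rule at L143-L149 grants `create` on `selfsubjectaccessreviews`/`selfsubjectrulesreviews` from a namespaced `Role`, but those resources are cluster-scoped, so as far as I can tell the grant never takes effect through a RoleBinding — and every authenticated principal already gets exactly these verbs from the built-in `system:basic-user` ClusterRole. The old `apiGroups: [] / resources: [] / verbs: []` rule was presumably dropped because the API server rejects a PolicyRule with empty `verbs`; the honest "nothing" role is an empty rule list, so this branch should render `rules: []` (moving the `rules:` key into the branches) rather than something that reads like a permission. The identical fallback at L31-L38 for non-default role names needs the same treatment. Separately, the new `cert-manager.io` `certificates` create/delete (L130-L136) is a material widening of the `create` role that deserves a line in the chart's values documentation.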