# Copyright © 2017 Amdocs, Bell Canada
# Modifications Copyright © 2021 Orange
# Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2023 Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
apiVersion: v2
description: Template used to create the right Service Accounts / Role / RoleBinding
name: serviceAccount
-version: 13.0.0
+version: 13.0.1
dependencies:
- name: common
{{/*
# Copyright © 2020 Orange
+# Modifications Copyright © 2023 Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
{{- range $role_type := $dot.Values.roles }}
{{/* retrieve the names for generic roles */}}
{{ $name := printf "%s-%s" (include "common.release" $dot) $role_type }}
-{{- if not (has $role_type $dot.Values.defaultRoles) }}
+{{- if or (not (has $role_type $dot.Values.defaultRoles)) ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }}
{{ $name = include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
{{- end }}
---
name: {{ $name }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
-
{{/*
# Copyright © 2020 Orange
+# Modifications Copyright © 2023 Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
verbs:
- create
{{- end }}
+{{- else if or ($dot.Values.global.createDefaultRoles) ($dot.Values.createDefaultRoles) }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot ) }}
+ namespace: {{ include "common.namespace" $dot }}
+rules:
+{{- if eq $role_type "read" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - deployments/status
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+{{- else }}
+{{- if eq $role_type "create" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ - extensions
+ resources:
+ - pods
+ - deployments
+ - deployments/status
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - replicasets/status
+ - daemonsets
+ - secrets
+ - services
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ - configmaps
+ verbs:
+ - patch
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ - services
+ - pods
+ verbs:
+ - create
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployments
+ - services
+ verbs:
+ - delete
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+- apiGroups:
+ - cert-manager.io
+ resources:
+ - certificates
+ verbs:
+ - create
+ - delete
+{{- else }}
+# if you don't match read or create, then you're not allowed to use API
+# except to see basic information about yourself
+- apiGroups:
+ - authorization.k8s.io
+ resources:
+ - selfsubjectaccessreviews
+ - selfsubjectrulesreviews
+ verbs:
+ - create
+{{- end }}
+{{- end }}
{{- end }}
{{- end }}
# Copyright © 2020 Samsung Electronics
+# Modifications Copyright © 2023 Deutsche Telekom AG
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# See the License for the specific language governing permissions and
# limitations under the License.
-# Default roles will be created by roles wrapper
-# It won't work if roles wrapper is disabled.
+# Global flag to enable the creation of default roles instead of using
+# common roles-wrapper
+global:
+ createDefaultRoles: false
+
+# Default roles will be created by roles wrapper,
+# if "createDefaultRoles=false"
roles:
- nothing
# - read
# - create
+# Flag to enable the creation of default roles instead of using
+# common roles-wrapper
+createDefaultRoles: false
defaultRoles:
- nothing
- read
storageclassProvisioner: kubernetes.io/no-provisioner
volumeReclaimPolicy: Retain
+ # Global flag to enable the creation of default roles instead of using
+ # common roles-wrapper
+ createDefaultRoles: false
+
# override default resource limit flavor for all charts
flavor: unlimited
Code Review / oom.git / commitdiff