From 4534881264e8a125c7eed68992fe4ef32b204caf Mon Sep 17 00:00:00 2001
From: Sylvain Desbureaux
Date: Tue, 19 May 2020 17:46:54 +0200
Subject: [PATCH] [COMMON] Templates for services accounts and roles
Create a common chart that will create the relevant service accounts / roles and role binding for ONAP components.
Issue-ID: OOM-1971
Signed-off-by: Sylvain Desbureaux
Change-Id: I687ef6debe679b5f7f250d75d93ee4da84d97104
---
kubernetes/common/serviceAccount/Chart.yaml | 18 ++++
kubernetes/common/serviceAccount/requirements.yaml | 18 ++++
.../serviceAccount/templates/role-binding.yaml | 33 +++++++
.../common/serviceAccount/templates/role.yaml | 105 +++++++++++++++++++++
.../serviceAccount/templates/service-account.yaml | 24 +++++
kubernetes/common/serviceAccount/values.yaml | 29 ++++++
6 files changed, 227 insertions(+)
create mode 100644 kubernetes/common/serviceAccount/Chart.yaml
create mode 100644 kubernetes/common/serviceAccount/requirements.yaml
create mode 100644 kubernetes/common/serviceAccount/templates/role-binding.yaml
create mode 100644 kubernetes/common/serviceAccount/templates/role.yaml
create mode 100644 kubernetes/common/serviceAccount/templates/service-account.yaml
create mode 100644 kubernetes/common/serviceAccount/values.yaml
diff --git a/kubernetes/common/serviceAccount/Chart.yaml b/kubernetes/common/serviceAccount/Chart.yaml
new file mode 100644
index 0000000000..9e838af3a7
--- /dev/null
+++ b/kubernetes/common/serviceAccount/Chart.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2017 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+description: Template used to create the right Service Accounts / Role / RoleBinding
+name: serviceAccount
+version: 6.0.0
diff --git a/kubernetes/common/serviceAccount/requirements.yaml b/kubernetes/common/serviceAccount/requirements.yaml
new file mode 100644
index 0000000000..237f1d1354
--- /dev/null
+++ b/kubernetes/common/serviceAccount/requirements.yaml
@@ -0,0 +1,18 @@
+# Copyright © 2018 Amdocs, Bell Canada
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+dependencies:
+ - name: common
+ version: ~6.x-0
+ repository: 'file://../common'
diff --git a/kubernetes/common/serviceAccount/templates/role-binding.yaml b/kubernetes/common/serviceAccount/templates/role-binding.yaml
new file mode 100644
index 0000000000..2082f8466b
--- /dev/null
+++ b/kubernetes/common/serviceAccount/templates/role-binding.yaml
@@ -0,0 +1,33 @@
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- $dot := . -}}
+{{- range $role_type := $dot.Values.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+# This cluster role binding allows anyone in the "manager" group to read secrets in any namespace.
+kind: RoleBinding
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ namespace: {{ include "common.namespace" $dot }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+roleRef:
+ kind: Role
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/kubernetes/common/serviceAccount/templates/role.yaml b/kubernetes/common/serviceAccount/templates/role.yaml
new file mode 100644
index 0000000000..73f45b5fce
--- /dev/null
+++ b/kubernetes/common/serviceAccount/templates/role.yaml
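Review bot: The comment placed above `kind: RoleBinding` is lifted from the Kubernetes RBAC documentation and describes a ClusterRoleBinding that lets a "manager" group read secrets in every namespace, which is not what this object does; anyone auditing permissions from the rendered manifests will be misled. Replace it with a comment that matches the template, e.g. `# Binds the per-role ServiceAccount to the namespaced Role of the same name (no cluster-wide grant).`. The ServiceAccount subject also has no `namespace:`; the RBAC authorizer appears to fall back to the binding's own namespace in that case, but writing `namespace: {{ include "common.namespace" $dot }}` under the subject removes the reliance on that fallback and makes the binding self-describing when read with kubectl.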
@@ -0,0 +1,105 @@
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- $dot := . -}}
+{{- range $role_type := $dot.Values.roles }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+ namespace: {{ include "common.namespace" $dot }}
+rules:
+{{- if eq $role_type "read" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - daemonsets
+ verbs:
+ - get
+ - watch
+ - list
+{{- else }}
+{{- if eq $role_type "create" }}
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ - batch
+ resources:
+ - pods
+ - deployments
+ - jobs
+ - jobs/status
+ - statefulsets
+ - replicasets
+ - daemonsets
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - patch
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - deployments
+ - secrets
+ verbs:
+ - create
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods
+ - persistentvolumeclaims
+ - secrets
+ - deployment
+ verbs:
+ - delete
+- apiGroups:
+ - "" # "" indicates the core API group
+ - apps
+ resources:
+ - pods/exec
+ verbs:
+ - create
+{{- else }}
+{{- if hasKey $dot.Values.new_roles_definitions $role_type }}
+{{ include "common.tplValue" ( dict "value" (index $dot.Values.new_roles_definitions $role_type ) "context" $dot) }}
+{{- else}}
+# if you don't match read or create, then you're not allowed to use API
+- apiGroups: []
+ resources: []
+ verbs: []
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/common/serviceAccount/templates/service-account.yaml b/kubernetes/common/serviceAccount/templates/service-account.yaml
new file mode 100644
index 0000000000..449bea684c
--- /dev/null
+++ b/kubernetes/common/serviceAccount/templates/service-account.yaml
@@ -0,0 +1,24 @@
+{{/*
+# Copyright © 2020 Orange
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{- $dot := . -}}
+{{- range $role_type := $dot.Values.roles }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "common.fullname" (dict "suffix" $role_type "dot" $dot )}}
+{{- end }}
diff --git a/kubernetes/common/serviceAccount/values.yaml b/kubernetes/common/serviceAccount/values.yaml
new file mode 100644
index 0000000000..afa819421c
--- /dev/null
+++ b/kubernetes/common/serviceAccount/values.yaml
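Review bot: The `create` branch bundles `create` on `pods/exec` and get/list/create/delete on `secrets` with ordinary workload management, so every component that asks for this role type can exec into any pod and read or forge any credential in the namespace; a compromised pod holding that account can pivot across the whole namespace, and these two grants belong in a separate opt-in role type (or a `new_roles_definitions` entry) rather than in the default `create` set. The `delete` rule lists `deployment` (singular) where the API resource is `deployments`, so deletion of deployments is silently never granted — change that line to `- deployments`. The fall-through branch renders one rule with `apiGroups: []`, `resources: []` and `verbs: []`; if I read the RBAC validation correctly the API server rejects a PolicyRule whose `verbs` list is empty, which would make the default `nothing` role fail to apply, so express "no permissions" as `rules: []` instead (move `rules:` into the branches that actually emit rules). Please verify by rendering the chart with the default values and applying it to a cluster.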
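Review bot: The ServiceAccount created for the `nothing` role type still has its API token automounted into every pod that uses it, because `automountServiceAccountToken` is left at the default; a bearer token for an account that is meant to have no API access is attack surface with no benefit. Add, after the `metadata:` block and at the same level as it, `{{- if eq $role_type "nothing" }}` / `automountServiceAccountToken: false` / `{{- end }}`, or expose the flag as a value so components can opt out for the other role types too. The Role and RoleBinding templates set `namespace:` explicitly while this one does not; adding `namespace: {{ include "common.namespace" $dot }}` under `metadata:` keeps the three objects consistent and avoids depending on the release namespace being the intended one.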
@@ -0,0 +1,29 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+roles:
+ - nothing
+# - read
+# - create
+
+new_roles_definitions: {}
+# few-read:
+# - apiGroups:
+# - ""
+# resources:
+# - "pods"
+# verbs:
+# - "get"
+# - "watch"
+# - "list"
--
2.16.6
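Review bot: Nothing in this file tells a component author what the built-in role types grant, and `create` in role.yaml includes `pods/exec` and read/create/delete on `secrets`, so the bare `# - read` / `# - create` hints are not enough to choose the least-privileged option. Add a comment above `roles:` along the lines of `# nothing: no API access; read: get/list/watch workloads; create: additionally create deployments, patch statefulsets, delete pods/PVCs, exec into pods and read/create/delete secrets — prefer a narrower new_roles_definitions entry where possible`. It would also help to note next to `new_roles_definitions` that each entry is a list of PolicyRule objects rendered through `common.tplValue`, so values may contain templates.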