
Added rbac.customRoles
bastianeicher committed Jan 13, 2025
1 parent 1b9f940 commit 9904753
Showing 6 changed files with 64 additions and 6 deletions.
8 changes: 6 additions & 2 deletions charts/generic-service/README.md
Expand Up @@ -200,8 +200,12 @@ app:
| `sidecarTemplates` | `[]` | Strings to be templated providing additional sidecar containers to be added to the Pod |
| `initContainers` | `[]` | Additional init containers to be added to the `Pod` |
| `initContainerTemplates` | `[]` | Strings to be templated providing additional init containers to be added to the Pod |
| `rbac.roles` | `[]` | Namespace-specific Kubernetes RBAC Roles to assign to the service (supports templating) |
| `rbac.clusterRoles` | `[]` | Cluster-wide Kubernetes RBAC Roles to assign to the service (supports templating) |
| `rbac.roles` | `[]` | Names of namespace-specific Kubernetes RBAC Roles to assign to the service (supports templating) |
| `rbac.clusterRoles` | `[]` | Names of cluster-wide Kubernetes RBAC Roles to assign to the service (supports templating) |
| `rbac.customRoles.ROLE_NAME.apiGroups` | __required if used__ | Namespace-specific Kubernetes RBAC Roles to create and assign to the service (name supports templating). |
| `rbac.customRoles.ROLE_NAME.resources` | __required if used__ | |
| `rbac.customRoles.ROLE_NAME.resourceNames` | `[]` | |
| `rbac.customRoles.ROLE_NAME.verbs` | `__required if used__ | |
| `rbac.existingServiceAccount` | | The name of an existing service account to use (instead of automatically creating one for the service) |
| `global.alertLabels` | `{}` | Additional labels to apply to alert rules |
| `global.grafana.url` | | The URL of a Grafana instance with access to the service's metrics |
6 changes: 6 additions & 0 deletions charts/generic-service/ci/rbac-values.yaml
Expand Up @@ -5,3 +5,9 @@ image:
tag: latest
rbac:
clusterRoles: [view]
customRoles:
get-my-map:
apiGroups: [""]
resources: [configmaps]
resourceNames: [my-configmap]
verbs: [get]
2 changes: 1 addition & 1 deletion charts/generic-service/templates/controller.yaml
Expand Up @@ -190,7 +190,7 @@ spec:
- name: {{ . }}
{{- end }}

{{- if or .Values.rbac.existingServiceAccount (or .Values.rbac.roles .Values.rbac.clusterRoles) }}
{{- if or .Values.rbac.existingServiceAccount (or .Values.rbac.customRoles .Values.rbac.roles .Values.rbac.clusterRoles) }}
serviceAccountName: '{{ .Values.rbac.existingServiceAccount | default (include "generic-service.fullname" .) }}'
{{- end }}

23 changes: 22 additions & 1 deletion charts/generic-service/templates/rbac.yaml
@@ -1,3 +1,24 @@
{{- range $name, $rules := .Values.rbac.customRoles -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ tpl $name $ }}
rules:
{{- $rules | toYaml | nindent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ tpl $name $ }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ tpl $name $ }}
subjects:
- kind: ServiceAccount
name: '{{ $.Values.rbac.existingServiceAccount | default (include "generic-service.fullname" $) }}'
---
{{- end }}

{{- range .Values.rbac.roles }}
apiVersion: rbac.authorization.k8s.io/v1
Expand Down Expand Up @@ -32,7 +53,7 @@ subjects:
---
{{- end }}

{{- if and (not .Values.rbac.existingServiceAccount) (or .Values.rbac.roles .Values.rbac.clusterRoles) }}
{{- if and (not .Values.rbac.existingServiceAccount) (or .Values.rbac.customRoles .Values.rbac.roles .Values.rbac.clusterRoles) }}
apiVersion: v1
kind: ServiceAccount
metadata:
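Review bot: In the first hunk of rbac.yaml, `rules:` followed by `{{- $rules | toYaml | nindent 2 }}` renders the per-role mapping (apiGroups/resources/resourceNames/verbs) directly under `rules`, but a Role's `rules` field is a list of PolicyRule objects, so the manifest rendered from ci/rbac-values.yaml should be rejected by the API server. Wrapping the value in a one-element list gives the right shape: `{{- list $rules | toYaml | nindent 2 }}`. Two caveats also deserve a comment above the `range`: the Role and RoleBinding are named `tpl $name $` with no release prefix, so two releases in one namespace that share a customRoles key would overwrite each other's objects, and because the chart now creates Roles, the identity running the install must itself hold every permission it grants (the RBAC escalation check), which is worth stating in the values documentation.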
30 changes: 28 additions & 2 deletions charts/generic-service/values.schema.json
Expand Up @@ -1409,14 +1409,40 @@
"items": {
"type": "string"
},
"description": "Namespace-specific Kubernetes RBAC Roles to assign to the service (supports templating)"
"description": "Names of namespace-specific Kubernetes RBAC Roles to assign to the service (supports templating)"
},
"clusterRoles": {
"type": "array",
"items": {
"type": "string"
},
"description": "Cluster-wide Kubernetes RBAC Roles to assign to the service (supports templating)"
"description": "Names of cluster-wide Kubernetes RBAC Roles to assign to the service (supports templating)"
},
"customRoles": {
"type": "object",
"additionalProperties": {
"type": "object",
"properties": {
"apiGroups": {
"type": "array",
"items": {"type": "string"}
},
"resources": {
"type": "array",
"items": {"type": "string"}
},
"resourceNames": {
"type": "array",
"items": {"type": "string"}
},
"verbs": {
"type": "array",
"items": {"type": "string"}
}
},
"required": ["apiGroups", "resources", "verbs"]
},
"description": "Namespace-specific Kubernetes RBAC Roles to create and assign to the service (name supports templating)."
},
"existingServiceAccount": {
"type": "string",
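Review bot: The inner object under the new `customRoles.additionalProperties` does not set `"additionalProperties": false`, so a misspelled key such as `resourceName` passes values validation and, since rbac.yaml emits the whole mapping with `toYaml`, ends up in the rendered Role, where the API server may reject it or drop it with a warning depending on field-validation mode. Adding `"additionalProperties": false` next to the `"required"` line catches this at lint/install time, and `"minItems": 1` on `apiGroups`, `resources` and `verbs` would reject empty lists that otherwise produce a rule granting nothing. The enclosing `rbac` properties object starts and ends outside the hunk.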
1 change: 1 addition & 0 deletions charts/generic-service/values.yaml
Expand Up @@ -205,6 +205,7 @@ sidecarTemplates: []
rbac:
roles: []
clusterRoles: []
customRoles: {}
existingServiceAccount: ''

global:
