{{- if and .Values.rbac .Values.leastPrivilege -}} {{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}} {{- if $oc3 }} apiVersion: authorization.openshift.io/v1 {{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} apiVersion: v1 {{- end }} kind: RoleBinding metadata: name: neuvector-binding-scanner namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io kind: Role {{- end }} name: neuvector-binding-scanner subjects: - kind: ServiceAccount name: controller namespace: {{ .Release.Namespace }} - kind: ServiceAccount name: updater namespace: {{ .Release.Namespace }} {{- if $oc3 }} userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller {{- end }} --- {{- if $oc3 }} apiVersion: authorization.openshift.io/v1 {{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }} apiVersion: rbac.authorization.k8s.io/v1 {{- else }} apiVersion: v1 {{- end }} kind: RoleBinding metadata: name: neuvector-binding-secret namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} heritage: Helm roleRef: {{- if not $oc3 }} apiGroup: rbac.authorization.k8s.io kind: Role {{- end }} name: neuvector-binding-secret subjects: - kind: ServiceAccount name: controller namespace: {{ .Release.Namespace }} {{- if $oc3 }} userNames: - system:serviceaccount:{{ .Release.Namespace }}:controller {{- end }} --- {{- if $oc4 }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: system:openshift:scc:privileged namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:openshift:scc:privileged subjects: - kind: ServiceAccount name: enforcer namespace: {{ .Release.Namespace }} --- allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegeEscalation: false allowPrivilegedContainer: false allowedCapabilities: null apiVersion: security.openshift.io/v1 defaultAddCapabilities: null fsGroup: type: RunAsAny groups: [] kind: SecurityContextConstraints metadata: name: neuvector-scc-controller priority: null readOnlyRootFilesystem: false requiredDropCapabilities: - ALL runAsUser: type: RunAsAny seLinuxContext: type: RunAsAny supplementalGroups: type: RunAsAny users: [] volumes: - configMap - downwardAPI - emptyDir - persistentVolumeClaim - azureFile - projected - secret --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system:openshift:scc:neuvector-scc-controller labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} heritage: Helm rules: - apiGroups: - security.openshift.io resourceNames: - neuvector-scc-controller resources: - securitycontextconstraints verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: system:openshift:scc:neuvector-scc-controller namespace: {{ .Release.Namespace }} labels: chart: {{ template "neuvector.chart" . }} release: {{ .Release.Name }} heritage: Helm roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: system:openshift:scc:neuvector-scc-controller subjects: - kind: ServiceAccount name: controller namespace: {{ .Release.Namespace }} {{- end }} {{- end }}