andata
/
rancher-partner-charts
mirror of https://git.rancher.io/partner-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
rancher-partner-charts/charts/kasten/k10/7.0.701/templates/rbac.yaml

382 lines
8.3 KiB
YAML
Raw Blame History

{{- $main := . -}}
{{- $apiDomain := include "apiDomain" . -}}
{{- $actionsAPIs := splitList " " (include "k10.actionsAPIs" .) -}}
{{- $aggregatedAPIs := splitList " " (include "k10.aggregatedAPIs" .) -}}
{{- $appsAPIs := splitList " " (include "k10.appsAPIs" .) -}}
{{- $authAPIs := splitList " " (include "k10.authAPIs" .) -}}
{{- $configAPIs := splitList " " (include "k10.configAPIs" .) -}}
{{- $distAPIs := splitList " " (include "k10.distAPIs" .) -}}
{{- $reportingAPIs := splitList " " (include "k10.reportingAPIs" .) -}}
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: {{ template "serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .) )}}
- kind: ServiceAccount
name: {{ template "meteringServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-admin
rules:
- apiGroups:
{{- range sortAlpha (concat $aggregatedAPIs $configAPIs $reportingAPIs) }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- "*"
verbs:
- "*"
- apiGroups:
- cr.kanister.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- namespaces
verbs:
- create
- get
- list
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-ns-admin
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- "apps"
resources:
- deployments
verbs:
- get
- update
- watch
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- create
- delete
- list
- apiGroups:
- "apik10.kasten.io"
resources:
- k10s
verbs:
- list
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- "batch"
resources:
- jobs
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- delete
- apiGroups:
- "networking.k8s.io"
resources:
- networkpolicies
verbs:
- get
- create
- list
- delete
- apiGroups:
- ""
resources:
- endpoints
verbs:
- list
- get
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-mc-admin
rules:
- apiGroups:
{{- range sortAlpha (concat $authAPIs $configAPIs $distAPIs) }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- "*"
verbs:
- "*"
- apiGroups:
- ""
resources:
- secrets
verbs:
- "*"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-basic
rules:
- apiGroups:
{{- range sortAlpha $actionsAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.backupActions" $main}}
- {{ include "k10.backupActionsDetails" $main}}
- {{ include "k10.restoreActions" $main}}
- {{ include "k10.restoreActionsDetails" $main}}
- {{ include "k10.exportActions" $main}}
- {{ include "k10.exportActionsDetails" $main}}
- {{ include "k10.cancelActions" $main}}
- {{ include "k10.runActions" $main}}
- {{ include "k10.runActionsDetails" $main}}
verbs:
- "*"
- apiGroups:
{{- range sortAlpha $appsAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.restorePoints" $main}}
- {{ include "k10.restorePointsDetails" $main}}
- {{ include "k10.applications" $main}}
- {{ include "k10.applicationsDetails" $main}}
verbs:
- "*"
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
{{- range sortAlpha $configAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.policies" $main}}
verbs:
- "*"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-config-view
rules:
- apiGroups:
{{- range sortAlpha $configAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.auditconfigs" $main}}
- {{ include "k10.profiles" $main}}
- {{ include "k10.policies" $main}}
- {{ include "k10.policypresets" $main}}
- {{ include "k10.transformsets" $main}}
- {{ include "k10.blueprintbindings" $main}}
- {{ include "k10.storagesecuritycontexts" $main}}
- {{ include "k10.storagesecuritycontextbindings" $main}}
verbs:
- get
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: k10:admins
{{- range .Values.auth.k10AdminUsers }}
- apiGroup: rbac.authorization.k8s.io
kind: User
name: {{ . }}
{{- end }}
{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ . }}
{{- end }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-ns-admin
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-ns-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: k10:admins
{{- range .Values.auth.k10AdminUsers }}
- apiGroup: rbac.authorization.k8s.io
kind: User
name: {{ . }}
{{- end }}
{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ . }}
{{- end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-mc-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-mc-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: k10:admins
{{- range .Values.auth.k10AdminUsers }}
- apiGroup: rbac.authorization.k8s.io
kind: User
name: {{ . }}
{{- end }}
{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ . }}
{{- end }}
{{- end }}
{{- if and .Values.rbac.create (not .Values.prometheus.rbac.create) }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-prometheus-server
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
resources:
- nodes
- nodes/proxy
- nodes/metrics
- services
- endpoints
- pods
- ingresses
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
- ingresses
verbs:
- get
- list
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-prometheus-server
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus-server
subjects:
- kind: ServiceAccount
name: prometheus-server
namespace: {{ .Release.Namespace }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink