rancher-partner-charts/charts/kasten/k10/templates/rbac.yaml

294 lines
6.7 KiB
YAML

{{- $main := . -}}
{{- $apiDomain := include "apiDomain" . -}}
{{- $actionsAPIs := splitList " " (include "k10.actionsAPIs" .) -}}
{{- $aggregatedAPIs := splitList " " (include "k10.aggregatedAPIs" .) -}}
{{- $appsAPIs := splitList " " (include "k10.appsAPIs" .) -}}
{{- $authAPIs := splitList " " (include "k10.authAPIs" .) -}}
{{- $configAPIs := splitList " " (include "k10.configAPIs" .) -}}
{{- $distAPIs := splitList " " (include "k10.distAPIs" .) -}}
{{- $reportingAPIs := splitList " " (include "k10.reportingAPIs" .) -}}
{{- if .Values.rbac.create }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: {{ template "serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- if not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .) )}}
- kind: ServiceAccount
name: {{ template "meteringServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-admin
rules:
- apiGroups:
{{- range sortAlpha (concat $aggregatedAPIs $configAPIs $reportingAPIs) }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- "*"
verbs:
- "*"
- apiGroups:
- cr.kanister.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- namespaces
verbs:
- create
- get
- list
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-ns-admin
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
- "apps"
resources:
- deployments
- pods
verbs:
- get
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- update
- apiGroups:
- "batch"
resources:
- jobs
verbs:
- get
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-mc-admin
rules:
- apiGroups:
{{- range sortAlpha (concat $authAPIs $configAPIs $distAPIs) }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- "*"
verbs:
- "*"
- apiGroups:
- ""
resources:
- secrets
verbs:
- "*"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-basic
rules:
- apiGroups:
{{- range sortAlpha $actionsAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.backupActions" $main}}
- {{ include "k10.backupActionsDetails" $main}}
- {{ include "k10.restoreActions" $main}}
- {{ include "k10.restoreActionsDetails" $main}}
- {{ include "k10.exportActions" $main}}
- {{ include "k10.exportActionsDetails" $main}}
- {{ include "k10.cancelActions" $main}}
verbs:
- "*"
- apiGroups:
{{- range sortAlpha $appsAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.restorePoints" $main}}
- {{ include "k10.restorePointsDetails" $main}}
- {{ include "k10.applications" $main}}
- {{ include "k10.applicationsDetails" $main}}
verbs:
- "*"
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
{{- range sortAlpha $configAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.policies" $main}}
verbs:
- "*"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-config-view
rules:
- apiGroups:
{{- range sortAlpha $configAPIs }}
- {{ . }}.{{ $apiDomain }}
{{- end }}
resources:
- {{ include "k10.profiles" $main}}
- {{ include "k10.policies" $main}}
- {{ include "k10.policypresets" $main}}
verbs:
- get
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Release.Name }}-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: k10:admins
{{- range .Values.auth.k10AdminUsers }}
- apiGroup: rbac.authorization.k8s.io
kind: User
name: {{ . }}
{{- end }}
{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ . }}
{{- end }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-ns-admin
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-ns-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: k10:admins
{{- range .Values.auth.k10AdminUsers }}
- apiGroup: rbac.authorization.k8s.io
kind: User
name: {{ . }}
{{- end }}
{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }}
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ . }}
{{- end }}
{{- end }}
{{- if and .Values.rbac.create (not .Values.prometheus.rbac.create) }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
{{ include "k10.defaultRBACLabels" . | indent 4 }}
name: {{ .Release.Name }}-prometheus-server
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
resources:
- nodes
- nodes/proxy
- nodes/metrics
- services
- endpoints
- pods
- ingresses
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
- ingresses
verbs:
- get
- list
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
labels:
{{ include "helm.labels" . | indent 4 }}
name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-prometheus-server
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ .Release.Name }}-prometheus-server
subjects:
- kind: ServiceAccount
name: prometheus-server
namespace: {{ .Release.Namespace }}
{{- end }}