From 0397cd11d410baace4f5156213ca276b4b1c49b6 Mon Sep 17 00:00:00 2001
From: Maxim Filatov
Date: Wed, 31 May 2017 23:08:57 +0300
Subject: [PATCH] RBAC support (#1292)

With this change deis-controller became available to work in RBAC-only clusters
---
 charts/controller/templates/_helpers.tmpl | 10 ++++
 .../templates/controller-clusterrole.yaml | 59 +++++++++++++++++++
 .../controller-clusterrolebinding.yaml | 19 ++++++
 charts/controller/values.yaml | 2 +
 4 files changed, 90 insertions(+)
 create mode 100644 charts/controller/templates/_helpers.tmpl
 create mode 100644 charts/controller/templates/controller-clusterrole.yaml
 create mode 100644 charts/controller/templates/controller-clusterrolebinding.yaml

diff --git a/charts/controller/templates/_helpers.tmpl b/charts/controller/templates/_helpers.tmpl
new file mode 100644
index 000000000..0b9deb080
--- /dev/null
+++ b/charts/controller/templates/_helpers.tmpl
@@ -0,0 +1,10 @@
+{{/*
+Set apiVersion based on Kubernetes version
+*/}}
+{{- define "rbacAPIVersion" -}}
+{{- if ge .Capabilities.KubeVersion.Minor "6" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- else -}}
+rbac.authorization.k8s.io/v1alpha1
+{{- end -}}
+{{- end -}}
diff --git a/charts/controller/templates/controller-clusterrole.yaml b/charts/controller/templates/controller-clusterrole.yaml
new file mode 100644
index 000000000..d0a08470a
--- /dev/null
+++ b/charts/controller/templates/controller-clusterrole.yaml
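Review bot: `ge .Capabilities.KubeVersion.Minor "6"` is a lexical string comparison, because `.Capabilities.KubeVersion.Minor` is a string in Helm, so a minor of "10" or higher sorts below "6" and the helper silently falls back to `rbac.authorization.k8s.io/v1alpha1`, and a minor reported with a suffix such as "6+" is compared as text as well. Only single-digit minors existed when this was written, so the defect is latent rather than visible today, but it is exactly the kind of thing that breaks RBAC on an upgrade without any rendering error. If the chart's Helm release ships the sprig helpers, compare numerically, e.g. `{{- if ge (.Capabilities.KubeVersion.Minor | trimSuffix "+" | atoi) 6 -}}`, or compare `.Capabilities.KubeVersion.GitVersion` with `semverCompare`; at minimum add a comment stating that the comparison is textual and must be revisited before minor "10".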
@@ -0,0 +1,59 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRole
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-controller
+  labels:
+    app: deis-controller
+    heritage: deis
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["get", "list", "create", "delete"]
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "list", "create", "update", "delete"]
+- apiGroups: [""]
+  resources: ["nodes"]
+  verbs: ["get", "list"]
+- apiGroups: [""]
+  resources: ["events"]
+  verbs: ["list", "create"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["list", "get", "create", "update", "delete"]
+- apiGroups: [""]
+  resources: ["replicationcontrollers"]
+  verbs: ["get", "list", "create", "update", "delete"]
+- apiGroups: [""]
+  resources: ["replicationcontrollers/scale"]
+  verbs: ["get", "update"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list", "delete"]
+- apiGroups: [""]
+  resources: ["resourcequotas"]
+  verbs: ["get", "create"]
+- apiGroups: ["extensions"]
+  resources: ["replicasets"]
+  verbs: ["get", "list", "delete", "update"]
+- apiGroups: ["extensions", "apps"]
+  resources: ["deployments"]
+  verbs: ["get", "list", "create", "update", "delete"]
+- apiGroups: ["extensions"]
+  resources: ["deployments/scale", "replicasets/scale"]
+  verbs: ["get", "update"]
+- apiGroups: ["extensions", "autoscaling"]
+  resources: ["horizontalpodautoscalers"]
+  verbs: ["get", "list", "create", "update", "delete"]
+{{ if .Values.global.experimental_native_ingress }}
+- apiGroups: ["extensions"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "watch", "create", "update", "delete"]
+{{- end -}}
+{{- end -}}
+{{- end -}}
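Review bot: The `secrets` rule grants get, list, create, update and delete on Secrets in every namespace, and the `namespaces` rule grants delete on any namespace, with nothing in the template saying why the grant has to be cluster-scoped; presumably it is because the controller creates the per-app namespaces itself (it is given create on namespaces), so a namespaced Role cannot be pre-created for them. Since `list` on secrets returns the data of every Secret in the cluster, the token of the bound service account is effectively as sensitive as a cluster-admin credential, and an operator reading the chart should be told that up front, e.g. `# cluster-scoped on purpose: the controller creates a namespace per app and manages the Secrets inside it` above `rules:`, with a matching remark on `use_rbac` in values.yaml. The `ingresses` rule is also the only one carrying `watch`, which is worth confirming against the controller's API usage, since either the other resources need it too or it is surplus here; this diff does not show the controller code, so tightening verbs further would need that evidence.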
diff --git a/charts/controller/templates/controller-clusterrolebinding.yaml b/charts/controller/templates/controller-clusterrolebinding.yaml
new file mode 100644
index 000000000..11e3f55a7
--- /dev/null
+++ b/charts/controller/templates/controller-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-controller
+  labels:
+    app: deis-controller
+    heritage: deis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: deis:deis-controller
+subjects:
+- kind: ServiceAccount
+  name: deis-controller
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/controller/values.yaml b/charts/controller/values.yaml
index 7f33cddbc..692793ac7 100644
--- a/charts/controller/values.yaml
+++ b/charts/controller/values.yaml
@@ -55,3 +55,5 @@ global:
   # - true: The deis controller will now create Kubernetes ingress rules for each app, and ingress rules will automatically be created for the controller itself.
   # - false: The default mode, and the default behavior of Deis workflow.
   experimental_native_ingress: false
+  # Role-Based Access Control for Kubernetes >= 1.5
+  use_rbac: false
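Review bot: The only subject is `ServiceAccount deis-controller` in `.Release.Namespace`, but the diffstat lists no ServiceAccount manifest and no change to the controller Deployment, so unless the chart already creates that account and sets `serviceAccountName: deis-controller` on the pod, the binding points at a subject that never exists and the controller keeps running as the namespace's `default` account with none of the intended grants. The API server accepts a binding whose subject does not exist, so this would not surface as an install error, only as authorization failures at runtime. If the account is not already in the chart, add a `ServiceAccount` template under the same `use_rbac` guard and set `serviceAccountName` on the controller pod spec; either way, record the coupling next to the subject, e.g. `# must match serviceAccountName on the deis-controller Deployment`.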
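Review bot: The comment `# Role-Based Access Control for Kubernetes >= 1.5` promises more than the templates deliver: the ClusterRole and ClusterRoleBinding are additionally gated on `.Capabilities.APIVersions.Has`, so on a cluster that does not serve the selected RBAC API group (on 1.5 the helper selects v1alpha1, and alpha groups are typically off by default) `use_rbac: true` renders nothing and the release installs cleanly with the controller left ungranted. Reword the comment so the operator knows the flag is best-effort, e.g. `# When true, render a ClusterRole/ClusterRoleBinding for the controller; rendering is skipped silently if the cluster does not serve the RBAC API group`. If the chart's Helm version provides `fail`, an `else` branch on the capabilities check in the two templates could abort the install instead of rendering an empty document.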