diff --git a/charts/builder/templates/_helpers.tmpl b/charts/builder/templates/_helpers.tmpl
new file mode 100644
index 0000000..0b9deb0
--- /dev/null
+++ b/charts/builder/templates/_helpers.tmpl
@@ -0,0 +1,10 @@
+{{/*
+Set apiVersion based on Kubernetes version
+*/}}
+{{- define "rbacAPIVersion" -}}
+{{- if ge .Capabilities.KubeVersion.Minor "6" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- else -}}
+rbac.authorization.k8s.io/v1alpha1
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-clusterrole.yaml b/charts/builder/templates/builder-clusterrole.yaml
new file mode 100644
index 0000000..f8bd3b3
--- /dev/null
+++ b/charts/builder/templates/builder-clusterrole.yaml
@@ -0,0 +1,15 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRole
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+ name: deis:deis-builder
+ labels:
+ app: deis-builder
+ heritage: deis
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["list"]
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-clusterrolebinding.yaml b/charts/builder/templates/builder-clusterrolebinding.yaml
new file mode 100644
index 0000000..521d87e
--- /dev/null
+++ b/charts/builder/templates/builder-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+ name: deis:deis-builder
+ labels:
+ app: deis-builder
+ heritage: deis
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: deis:deis-builder
+subjects:
+- kind: ServiceAccount
+ name: deis-builder
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-role.yaml b/charts/builder/templates/builder-role.yaml
new file mode 100644
index 0000000..092084e
--- /dev/null
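Review bot: The `ge .Capabilities.KubeVersion.Minor "6"` test on the `{{- if ge` line is a string comparison, and as far as I can tell `KubeVersion.Minor` is a string in Helm, so it is lexicographic: on Kubernetes 1.10 and later `"10" >= "6"` is false and the helper falls back to `rbac.authorization.k8s.io/v1alpha1`, and vendor suffixes such as `"8+"` make the outcome even less predictable. Because every template in this change guards on `.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)`, the consequence on such clusters is that the chart silently renders no RBAC objects at all while `use_rbac` is true. Asking the API-discovery data directly avoids the version arithmetic and also selects the `v1` group where the cluster serves it; the header comment should then say the helper returns the newest RBAC API group the target cluster serves.
```yaml
{{/*
Return the newest RBAC apiVersion the target cluster serves (v1, then v1beta1, else v1alpha1).
*/}}
{{- define "rbacAPIVersion" -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
rbac.authorization.k8s.io/v1
{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}
rbac.authorization.k8s.io/v1beta1
{{- else -}}
rbac.authorization.k8s.io/v1alpha1
{{- end -}}
{{- end -}}
```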
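Review bot: `name: deis:deis-builder` is a fixed name on a cluster-scoped object, so a second release of this chart in another namespace (or a stale one left behind after an uninstall that kept cluster-scoped objects) collides on the same ClusterRole and ClusterRoleBinding instead of getting its own; if one builder per cluster is the intended topology, a comment above `metadata:` should state that, otherwise namespace the name, e.g. `name: deis:{{ .Release.Namespace }}:deis-builder` (and the matching `roleRef.name` in the ClusterRoleBinding). Separately, when `use_rbac` is true but the `APIVersions.Has` guard on the second line is false, the template renders nothing and the builder is installed without any grants; failing the render in that case (if the Helm version in use provides `fail`) would surface the misconfiguration at install time instead of as a runtime 403. The `list` on `namespaces` itself is narrow and reads as an appropriate cluster-wide grant.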
+++ b/charts/builder/templates/builder-role.yaml
@@ -0,0 +1,21 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: Role
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+ name: deis-builder
+ labels:
+ app: deis-builder
+ heritage: deis
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create", "update", "delete"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["create", "get", "watch", "list"]
+- apiGroups: [""]
+ resources: ["pods/log"]
+ verbs: ["get"]
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-rolebinding.yaml b/charts/builder/templates/builder-rolebinding.yaml
new file mode 100644
index 0000000..417aa7b
--- /dev/null
+++ b/charts/builder/templates/builder-rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: RoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+ name: deis-builder
+ labels:
+ app: deis-builder
+ heritage: deis
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: deis-builder
+subjects:
+- kind: ServiceAccount
+ name: deis-builder
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/values.yaml b/charts/builder/values.yaml
index 4ceedb6..9853a2d 100644
--- a/charts/builder/values.yaml
+++ b/charts/builder/values.yaml
@@ -12,3 +12,5 @@ global:
 # - true: The deis controller will now create Kubernetes ingress rules for each app, and ingress rules will automatically be created for the controller itself.
 # - false: The default mode, and the default behavior of Deis workflow.
 experimental_native_ingress: false
+ # Role-Based Access Control for Kubernetes >= 1.5
+ use_rbac: false
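Review bot: The `pods` rule grants `create` in the release namespace, which is effectively namespace-wide privilege: a pod spec can mount any Secret in the namespace as a volume and run under any ServiceAccount in it via `serviceAccountName`, so a compromised builder can read secrets this Role deliberately gives it no `get` on and act with the permissions of any other ServiceAccount in the namespace, presumably including the controller's. That is inherent to spawning build pods, so the ask is to make the trade-off explicit rather than to remove the verb: add above the rule `# pods/create lets the builder mount any Secret and run as any ServiceAccount in this namespace; keep build pods in a dedicated namespace or constrain them with a PodSecurityPolicy`, and confirm whether `watch`/`list` over all pods in the namespace is needed or can be label-scoped by the caller. The write-only `secrets` rule (`create`/`update`/`delete` without `get`/`list`) is a good least-privilege choice and deserves a one-line comment saying it is intentional. The Role also omits `delete` on `pods`; if build pods are reaped elsewhere that is fine, otherwise they will accumulate.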
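Review bot: The ServiceAccount subject under `subjects:` omits `namespace:`, unlike the ClusterRoleBinding in this same change which sets `namespace: {{ .Release.Namespace }}`; as far as I recall the RBAC authorizer defaults a RoleBinding's ServiceAccount subject to the binding's own namespace, so this works, but it reads as an accidental omission and leaves the two bindings inconsistent. Add `  namespace: {{ .Release.Namespace }}` after `name: deis-builder` so the subject is explicit and the two bindings match. This diff does not show the `deis-builder` ServiceAccount being created; if it is defined elsewhere in the chart that is fine, otherwise the binding references a subject that does not exist and the builder pod silently runs as the namespace's default ServiceAccount.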
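Review bot: The comment above `use_rbac: false` only names the Kubernetes versions it applies to; it should also tell the operator what the flag does, since with it false every template in this change is skipped and the builder runs with whatever the `deis-builder` ServiceAccount already has, which on a cluster enforcing the RBAC authorizer means no API access at all. Suggested wording, matching the neighbouring `experimental_native_ingress` comment style: `# use_rbac: when true, create the Role/ClusterRole and bindings the builder needs (Kubernetes >= 1.5); required on clusters with the RBAC authorizer enabled`.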