github_mirrors/openappsec
3
0
Fork 1
mirror of https://github.com/openappsec/openappsec.git synced 2025-06-28 16:41:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
openappsec/build_system/charts/open-appsec-kong/templates/controller-rbac-resources.yaml
Ned Wright 795d07bd41 Updating Kong helm chart
2023-06-01 16:15:31 +00:00

171 lines
4.2 KiB
YAML
Raw Blame History

{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
# Defaults to "<election-id>-<ingress-class>"
# Here: "<kong-ingress-controller-leader-nginx>-<nginx>"
# This has to be adapted if you change either parameter
# when launching the nginx-ingress-controller.
- "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}"
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
{{- end }}
# Begin KIC 2.x leader permissions
- apiGroups:
- ""
- coordination.k8s.io
resources:
- configmaps
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- services
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "kong.fullname" . }}
namespace: {{ template "kong.namespace" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kong.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
name: {{ template "kong.fullname" . }}
rules:
{{ include "kong.kubernetesRBACRules" . }}
{{ include "kong.kubernetesRBACClusterRules" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kong.fullname" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kong.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
{{- else }}
{{- range .Values.ingressController.watchNamespaces }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
{{- include "kong.metaLabels" $ | nindent 4 }}
name: {{ template "kong.fullname" $ }}-{{ . }}
namespace: {{ . }}
rules:
{{ include "kong.kubernetesRBACRules" $ }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "kong.fullname" $ }}-{{ . }}
labels:
{{- include "kong.metaLabels" $ | nindent 4 }}
namespace: {{ . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kong.fullname" $ }}-{{ . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" $ }}
namespace: {{ template "kong.namespace" $ }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
name: {{ template "kong.fullname" . }}
rules:
{{ include "kong.kubernetesRBACClusterRules" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kong.fullname" . }}
labels:
{{- include "kong.metaLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kong.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kong.serviceAccountName" . }}
namespace: {{ template "kong.namespace" . }}
{{- end -}}
{{- end -}}
Reference in New Issue View Git Blame Copy Permalink