diff --git a/namespace-config/Chart.yaml b/namespace-config/Chart.yaml
index 2e7e60b3d..f6da8d2e9 100644
--- a/namespace-config/Chart.yaml
+++ b/namespace-config/Chart.yaml
@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Namespace Config
 name: namespace-config
-version: 0.1.0
+version: 0.1.1
 home: https://kubernetes.io/docs/concepts/policy/limit-range/
 ...
diff --git a/namespace-config/templates/psp-rbac.yaml b/namespace-config/templates/psp-rbac.yaml
new file mode 100644
index 000000000..916a2c1c6
--- /dev/null
+++ b/namespace-config/templates/psp-rbac.yaml
@@ -0,0 +1,29 @@
+{{- if (not (empty .Values.podSecurityPolicy.existingPsp)) -}}
+{{- $name := printf "psp:%s:%s" .Release.Name .Values.podSecurityPolicy.existingPsp -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $name }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ $name }}
+subjects:
+- kind: Group
+ name: system:serviceaccounts:{{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $name }}
+rules:
+- apiGroups:
+ - policy
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+ resourceNames:
+ - {{ .Values.podSecurityPolicy.existingPsp }}
+{{- end -}}
diff --git a/namespace-config/values.yaml b/namespace-config/values.yaml
index 1df4eb122..ae3311d81 100644
--- a/namespace-config/values.yaml
+++ b/namespace-config/values.yaml
@@ -24,4 +24,10 @@ limits:
 defaultRequest:
 cpu: 0.1
 memory: 64Mi
+
+podSecurityPolicy:
+ # Optionally specify the name of an existing pod security policy.
+ # If specified, a role and rolebinding will be created granting access for
+ # service accounts in this namespace to use existingPsp.
+ existingPsp: ""
 ...
diff --git a/releasenotes/notes/namespace-config.yaml b/releasenotes/notes/namespace-config.yaml
index deb05966e..42d525ee3 100644
--- a/releasenotes/notes/namespace-config.yaml
+++ b/releasenotes/notes/namespace-config.yaml
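Review bot: The templated scalars on the `metadata.name` and `roleRef.name` lines and under `resourceNames` in psp-rbac.yaml are rendered unquoted, so a PSP name that YAML does not type as a string (an all-digit name, or one beginning with a YAML indicator) produces a manifest the API server rejects, and the colon-joined `$name` relies on plain-scalar parsing. Pipe them through `quote`: `name: {{ $name | quote }}` on the three name lines and `- {{ .Values.podSecurityPolicy.existingPsp | quote }}` in `resourceNames`. The `{{- if (not (empty ...)) -}}` guard handles the default empty value correctly, but nothing verifies that the named PodSecurityPolicy exists; a dangling `resourceNames` entry silently grants nothing, which is worth a comment at the top of the template. Since the PodSecurityPolicy API was removed in Kubernetes 1.25, that same header comment should note the API dependency so operators on newer clusters know the template is a no-op there.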
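Review bot: The comment on the `existingPsp` key in values.yaml understates the scope of the grant: the RoleBinding generated by psp-rbac.yaml binds the `system:serviceaccounts:<namespace>` group, so every service account in the namespace, including `default`, receives `use` on the policy. I would rewrite the second and third comment lines as `# If specified, a role and rolebinding will be created granting all service` / `# accounts in this namespace (including default) permission to use existingPsp;` / `# the policy itself must already exist in the cluster.`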
@@ -1,4 +1,5 @@
 ---
 namespace-config:
 - 0.1.0 Initial Chart
+ - 0.1.1 Grant access to existing PodSecurityPolicy
 ...