openstack/openstack-helm-infra
Code Issues Proposed changes

NFS: RBAC rules

Browse Source 
This PS adds the RBAC policy for the NFS provsioner.

Change-Id: I1bb8cc267eaa7e6899dea10e7d02fdafa4c1903e
This commit is contained in:
intlabs 2017-11-02 21:35:24 -05:00 committed by Pete Birley
parent 72b644b66a
commit 8d290a20f5
5 changed files with 132 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
nfs-provisioner/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,76 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.clusterrole }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: nfs-provisioner-runner
rules:
- apiGroups:
- ''
resources:
- persistentvolumes
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- ''
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- update
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- events
verbs:
- list
- watch
- create
- update
- patch
- apiGroups:
- ''
resources:
- services
- endpoints
verbs:
- get
- apiGroups:
- extensions
resources:
- podsecuritypolicies
resourceNames:
- nfs-provisioner
verbs:
- use
{{- end }}

30
nfs-provisioner/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,30 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.clusterrolebinding }}
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: run-nfs-provisioner
subjects:
- kind: ServiceAccount
name: nfs-provisioner
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: nfs-provisioner-runner
apiGroup: rbac.authorization.k8s.io
{{- end }}

1
nfs-provisioner/templates/deployment.yaml
View File

@ -35,6 +35,7 @@ spec:
labels: labels:
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }} {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec: spec:
serviceAccount: nfs-provisioner
affinity: affinity:
{{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }} {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector: nodeSelector:

22
nfs-provisioner/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,22 @@
{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.serviceaccount }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: nfs-provisioner
{{- end }}

3
nfs-provisioner/values.yaml
View File

@ -111,8 +111,11 @@ endpoints:
manifests: manifests:
configmap_bin: true configmap_bin: true
clusterrole: true
clusterrolebinding: true
deployment: true deployment: true
job_image_repo_sync: true job_image_repo_sync: true
rbac_entrypoint: true rbac_entrypoint: true
service: true service: true
serviceaccount: true
storage_class: true storage_class: true