This repository was archived by the owner on May 6, 2020. It is now read-only.

Commit 0397cd1

Bregorvdice
authored andcommitted
RBAC support (#1292)
With this change, deis-controller can run in RBAC-only clusters
1 parent 4b015cd commit 0397cd1


4 files changed

+90
-0
lines changed

+10
@@ -0,0 +1,10 @@
1+
{{/*
2+
Set apiVersion based on Kubernetes version
3+
*/}}
4+
{{- define "rbacAPIVersion" -}}
5+
{{- if ge .Capabilities.KubeVersion.Minor "6" -}}
6+
rbac.authorization.k8s.io/v1beta1
7+
{{- else -}}
8+
rbac.authorization.k8s.io/v1alpha1
9+
{{- end -}}
10+
{{- end -}}
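Review bot: The `ge .Capabilities.KubeVersion.Minor "6"` test in `rbacAPIVersion` compares two strings, so the ordering is lexical: a minor version of `10` or higher sorts below `6` and the helper falls back to `rbac.authorization.k8s.io/v1alpha1`. Both RBAC templates in this commit are also gated on `.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)`, so on a cluster that does not serve v1alpha1 they would silently render neither the ClusterRole nor the binding, even with `use_rbac: true`. Selecting on what the API server advertises avoids parsing the version at all: `{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}`. Some distributions also report the minor with a suffix such as `6+`, which is a further reason not to compare it as text.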
@@ -0,0 +1,59 @@
1+
{{- if (.Values.global.use_rbac) -}}
2+
{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
3+
kind: ClusterRole
4+
apiVersion: {{ template "rbacAPIVersion" . }}
5+
metadata:
6+
name: deis:deis-controller
7+
labels:
8+
app: deis-controller
9+
heritage: deis
10+
rules:
11+
- apiGroups: [""]
12+
resources: ["namespaces"]
13+
verbs: ["get", "list", "create", "delete"]
14+
- apiGroups: [""]
15+
resources: ["services"]
16+
verbs: ["get", "list", "create", "update", "delete"]
17+
- apiGroups: [""]
18+
resources: ["nodes"]
19+
verbs: ["get", "list"]
20+
- apiGroups: [""]
21+
resources: ["events"]
22+
verbs: ["list", "create"]
23+
- apiGroups: [""]
24+
resources: ["secrets"]
25+
verbs: ["list", "get", "create", "update", "delete"]
26+
- apiGroups: [""]
27+
resources: ["replicationcontrollers"]
28+
verbs: ["get", "list", "create", "update", "delete"]
29+
- apiGroups: [""]
30+
resources: ["replicationcontrollers/scale"]
31+
verbs: ["get", "update"]
32+
- apiGroups: [""]
33+
resources: ["pods/log"]
34+
verbs: ["get"]
35+
- apiGroups: [""]
36+
resources: ["pods"]
37+
verbs: ["get", "list", "delete"]
38+
- apiGroups: [""]
39+
resources: ["resourcequotas"]
40+
verbs: ["get", "create"]
41+
- apiGroups: ["extensions"]
42+
resources: ["replicasets"]
43+
verbs: ["get", "list", "delete", "update"]
44+
- apiGroups: ["extensions", "apps"]
45+
resources: ["deployments"]
46+
verbs: ["get", "list", "create", "update", "delete"]
47+
- apiGroups: ["extensions"]
48+
resources: ["deployments/scale", "replicasets/scale"]
49+
verbs: ["get", "update"]
50+
- apiGroups: ["extensions", "autoscaling"]
51+
resources: ["horizontalpodautoscalers"]
52+
verbs: ["get", "list", "create", "update", "delete"]
53+
{{ if .Values.global.experimental_native_ingress }}
54+
- apiGroups: ["extensions"]
55+
resources: ["ingresses"]
56+
verbs: ["get", "list", "watch", "create", "update", "delete"]
57+
{{- end -}}
58+
{{- end -}}
59+
{{- end -}}
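Review bot: The `secrets` rule (`verbs: ["list", "get", "create", "update", "delete"]`) sits in a ClusterRole that this commit binds with a ClusterRoleBinding, so the controller's service account can read and rewrite every Secret in every namespace, including service-account tokens in system namespaces. That makes the controller's credentials close to cluster-admin in effect, and a compromise of the controller pod exposes all of them. If the controller only needs secrets in the app namespaces it creates (not visible from this section), the namespaced rules could be granted through a RoleBinding per app namespace, leaving only `namespaces` and `nodes` cluster-wide. If the broad grant has to stay, document it above the rule, e.g. `# cluster-wide on purpose: app namespaces are created at runtime; treat the deis-controller service account as cluster-sensitive`.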
@@ -0,0 +1,19 @@
1+
{{- if (.Values.global.use_rbac) -}}
2+
{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
3+
kind: ClusterRoleBinding
4+
apiVersion: {{ template "rbacAPIVersion" . }}
5+
metadata:
6+
name: deis:deis-controller
7+
labels:
8+
app: deis-controller
9+
heritage: deis
10+
roleRef:
11+
apiGroup: rbac.authorization.k8s.io
12+
kind: ClusterRole
13+
name: deis:deis-controller
14+
subjects:
15+
- kind: ServiceAccount
16+
name: deis-controller
17+
namespace: {{ .Release.Namespace }}
18+
{{- end -}}
19+
{{- end -}}
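Review bot: `metadata.name` and `roleRef.name` are the fixed string `deis:deis-controller`, while the subject's namespace comes from `.Release.Namespace`. ClusterRole and ClusterRoleBinding are cluster-scoped, so a second release of this chart in another namespace would target the same two objects. Depending on how the install handles the conflict, it would either fail or leave the binding pointing at only one release's service account. Including the namespace in the name keeps them apart, for example `name: deis:deis-controller-{{ .Release.Namespace }}` here and in the ClusterRole. The ServiceAccount named under `subjects` is not created in this section, so confirm it exists in the release namespace.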

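--- a/charts/controller/values.yaml
+++ b/charts/controller/values.yaml
@@ -55,3 +55,5 @@ global:
 # - true: The deis controller will now create Kubernetes ingress rules for each app, and ingress rules will automatically be created for the controller itself.
 # - false: The default mode, and the default behavior of Deis workflow.
 experimental_native_ingress: false
+# Role-Based Access Control for Kubernetes >= 1.5
+use_rbac: false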
