J release changes
[ric-plt/ric-dep.git] / helm / infrastructure / subcharts / kong / templates / controller-rbac-resources.yaml
index 22fc78e..f5873f0 100644 (file)
@@ -1,9 +1,9 @@
 {{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name:  {{ template "kong.fullname" . }}
-  namespace: {{ .Release.namespace }}
+  name: {{ template "kong.fullname" . }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 rules:
@@ -35,18 +35,48 @@ rules:
       - configmaps
     verbs:
       - create
+{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
   - apiGroups:
       - ""
     resources:
       - endpoints
     verbs:
       - get
+{{- end }}
+  # Begin KIC 2.x leader permissions
+  - apiGroups:
+      - ""
+      - coordination.k8s.io
+    resources:
+      - configmaps
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - services
+    verbs:
+      - get
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name:  {{ template "kong.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  name: {{ template "kong.fullname" . }}
+  namespace: {{ template "kong.namespace" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 roleRef:
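Review bot: The rule added under `# Begin KIC 2.x leader permissions` pairs apiGroups `""` and `coordination.k8s.io` with resources `configmaps` and `leases` and sets no `resourceNames`. As written, the controller's ServiceAccount gets get/list/watch/create/update/patch/delete on every ConfigMap and Lease in the release namespace, not only the election lock object. If the controller only needs its own lock, scope the mutating verbs by `resourceNames` and keep `create` in a separate rule, as sketched below. Check first whether the controller also needs `list`/`watch` on these resources. The rule is also rendered for every controller version, unlike the `endpoints` rule just above it that is gated by `semverCompare`, and the comment has no matching end marker. The Role's `rules:` list starts outside this hunk.

```yaml
  # KIC 2.x leader election: limit access to the lock object itself
  - apiGroups:
      - ""
      - coordination.k8s.io
    resources:
      - configmaps
      - leases
    resourceNames:
      - <LEADER_ELECTION_LOCK_NAME>  # placeholder: the lock name the controller is configured with
    verbs:
      - get
      - update
      - patch
      - delete
  # create cannot be restricted by resourceNames, so it stays in its own rule
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - create
  # … unchanged: events and services rules …
```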
@@ -56,86 +86,85 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ template "kong.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ template "kong.namespace" . }}
+{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
-  name:  {{ template "kong.fullname" . }}
+  name: {{ template "kong.fullname" . }}
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - endpoints
-      - nodes
-      - pods
-      - secrets
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-  - apiGroups:
-      - ""
-    resources:
-      - services
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - "extensions"
-      - "networking.k8s.io"
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-        - events
-    verbs:
-        - create
-        - patch
-  - apiGroups:
-      - "extensions"
-      - "networking.k8s.io"
-    resources:
-      - ingresses/status
-    verbs:
-      - update
-  - apiGroups:
-      - "configuration.konghq.com"
-    resources:
-      - kongplugins
-      - kongcredentials
-      - kongconsumers
-      - kongingresses
-    verbs:
-      - get
-      - list
-      - watch
+{{ include "kong.kubernetesRBACRules" . }}
+{{ include "kong.kubernetesRBACClusterRules" . }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name:  {{ template "kong.fullname" . }}
+  name: {{ template "kong.fullname" . }}
   labels:
     {{- include "kong.metaLabels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name:  {{ template "kong.fullname" . }}
+  name: {{ template "kong.fullname" . }}
 subjects:
   - kind: ServiceAccount
     name: {{ template "kong.serviceAccountName" . }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ template "kong.namespace" . }}
+{{- else }}
+{{- range .Values.ingressController.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    {{- include "kong.metaLabels" $ | nindent 4 }}
+  name: {{ template "kong.fullname" $ }}-{{ . }}
+  namespace: {{ . }}
+rules:
+{{ include "kong.kubernetesRBACRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "kong.fullname" $ }}-{{ . }}
+  labels:
+    {{- include "kong.metaLabels" $ | nindent 4 }}
+  namespace: {{ . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "kong.fullname" $ }}-{{ . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" $ }}
+    namespace: {{ template "kong.namespace" $ }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+  name: {{ template "kong.fullname" . }}
+rules:
+{{ include "kong.kubernetesRBACClusterRules" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kong.fullname" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kong.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" . }}
+    namespace: {{ template "kong.namespace" . }}
+{{- end -}}
 {{- end -}}
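Review bot: When `watchNamespaces` is set, the `{{- else }}` branch still renders a ClusterRole and ClusterRoleBinding from `kong.kubernetesRBACClusterRules`, and those rules are defined in a helper that is not visible in this file. The removed inline rules granted cluster-wide `list`/`watch` on `secrets`, so confirm that namespaced resources such as secrets now appear only in `kong.kubernetesRBACRules`. Otherwise a namespace-restricted install keeps cluster-wide read access. A one-line comment above each include stating which resources the helper grants would make this reviewable from the template. Separately, the per-namespace values are rendered unquoted; `namespace: {{ . | quote }}` would guard against an all-digit namespace name being parsed as an integer. `if not .Values.ingressController.watchNamespaces` would also handle a null value, which `len` presumably does not.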