namespace: {{ include "common.tillerDeployNameSpace" $ctx }}
rules:
- apiGroups: [""]
- resources: ["pods", "pods/portforward"]
- verbs: ["get", "list", "create"]
-
+ resources: ["pods/portforward"]
+ verbs: ["create"]
+- apiGroups: [""]
+ resources: ["pods", "configmaps", "deployments", "services"]
+ verbs: ["get", "list", "create", "delete"]
{{- if or (eq (include "common.tillerTLSVerify" $ctx) "true" ) (eq (include "common.tillerTLSAuthenticate" $ctx) "true") }}
- apiGroups: [""]
resources: ["secrets"]
name: {{ include "common.serviceaccountname.appmgr" . }}
namespace: {{ include "common.namespace.platform" . }}
---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-getappconfig
+ namespace: {{ include "common.tillerNameSpace" $ctx }}
+rules:
+- apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.namespace.xapp" . }}-getappconfig
+ namespace: {{ include "common.tillerNameSpace" $ctx }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "common.serviceaccountname.appmgr" . }}-{{ include "common.tillerNameSpace" $ctx }}-getappconfig
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "common.serviceaccountname.appmgr" . }}
+ namespace: {{ include "common.namespace.platform" . }}