X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=blobdiff_plain;ds=sidebyside;f=helm%2Finfrastructure%2Fsubcharts%2Fkong%2Ftemplates%2Fcontroller-rbac-resources.yaml;h=f5873f052c99b0423f6fd627f62b09aa779639b6;hb=75c0de3cae4b58e001f7ec715f13f82ded10e678;hp=22fc78e3f523d3d02d11987b01486a76c41644c9;hpb=7799f9c20d56ceaab38178b7083ed66e63312a0c;p=ric-plt%2Fric-dep.git
diff --git a/helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml b/helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml
index 22fc78e..f5873f0 100644
--- a/helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml
+++ b/helm/infrastructure/subcharts/kong/templates/controller-rbac-resources.yaml
@@ -1,9 +1,9 @@
 {{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}}
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: {{ template "kong.fullname" . }}
- namespace: {{ .Release.namespace }}
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ template "kong.namespace" . }}
 labels:
 {{- include "kong.metaLabels" . | nindent 4 }}
 rules:
@@ -35,18 +35,48 @@ rules:
 - configmaps
 verbs:
 - create
+{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }}
 - apiGroups:
 - ""
 resources:
 - endpoints
 verbs:
 - get
+{{- end }}
+ # Begin KIC 2.x leader permissions
+ - apiGroups:
+ - ""
+ - coordination.k8s.io
+ resources:
+ - configmaps
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
- name: {{ template "kong.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ name: {{ template "kong.fullname" . }}
+ namespace: {{ template "kong.namespace" . }}
 labels:
 {{- include "kong.metaLabels" . | nindent 4 }}
 roleRef:
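Review bot: The rule added under `# Begin KIC 2.x leader permissions` carries no `resourceNames`, so the controller's ServiceAccount gets get/list/watch/create/update/patch/delete on every `configmaps` and `leases` object in the release namespace. Leader election only has to create and then maintain its own lock object, so with this rule a compromised controller pod could rewrite or delete any other ConfigMap stored in that namespace. I would split the rule: keep `create` unrestricted (RBAC cannot match `resourceNames` on create) and pin the read and mutate verbs to the lock name. The lock name is not visible in this hunk, so the value below is a placeholder, and whether `list`/`watch` are needed at all should be confirmed against the controller version in use. The Role's `rules:` list begins above the hunk.

```yaml
  # Begin KIC 2.x leader permissions
  - apiGroups:
      - ""
      - coordination.k8s.io
    resources:
      - configmaps
      - leases
    verbs:
      - create
  - apiGroups:
      - ""
      - coordination.k8s.io
    resources:
      - configmaps
      - leases
    resourceNames:
      - "<LEADER-ELECTION-LOCK-NAME>"  # placeholder: not shown in this hunk
    verbs:
      - get
      - update
      - patch
      - delete
  # … unchanged: events and services rules …
```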
@@ -56,86 +86,85 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ template "kong.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ template "kong.namespace" . }}
+{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
 labels:
 {{- include "kong.metaLabels" . | nindent 4 }}
- name: {{ template "kong.fullname" . }}
+ name: {{ template "kong.fullname" . }}
 rules:
- - apiGroups:
- - ""
- resources:
- - endpoints
- - nodes
- - pods
- - secrets
- verbs:
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
- - apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses
- verbs:
- - get
- - list
- - watch
- - apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
- - apiGroups:
- - "extensions"
- - "networking.k8s.io"
- resources:
- - ingresses/status
- verbs:
- - update
- - apiGroups:
- - "configuration.konghq.com"
- resources:
- - kongplugins
- - kongcredentials
- - kongconsumers
- - kongingresses
- verbs:
- - get
- - list
- - watch
+{{ include "kong.kubernetesRBACRules" . }}
+{{ include "kong.kubernetesRBACClusterRules" . }}
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ template "kong.fullname" . }}
+ name: {{ template "kong.fullname" . }}
 labels:
 {{- include "kong.metaLabels" . | nindent 4 }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: {{ template "kong.fullname" . }}
+ name: {{ template "kong.fullname" . }}
 subjects:
 - kind: ServiceAccount
 name: {{ template "kong.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ template "kong.namespace" . }}
+{{- else }}
+{{- range .Values.ingressController.watchNamespaces }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ {{- include "kong.metaLabels" $ | nindent 4 }}
+ name: {{ template "kong.fullname" $ }}-{{ . }}
+ namespace: {{ . }}
+rules:
+{{ include "kong.kubernetesRBACRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "kong.fullname" $ }}-{{ . }}
+ labels:
+ {{- include "kong.metaLabels" $ | nindent 4 }}
+ namespace: {{ . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "kong.fullname" $ }}-{{ . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kong.serviceAccountName" $ }}
+ namespace: {{ template "kong.namespace" $ }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+ name: {{ template "kong.fullname" . }}
+rules:
+{{ include "kong.kubernetesRBACClusterRules" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "kong.fullname" . }}
+ labels:
+ {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "kong.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "kong.serviceAccountName" . }}
+ namespace: {{ template "kong.namespace" . }}
+{{- end -}}
 {{- end -}}
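Review bot: With `watchNamespaces` left empty (the branch guarded by `{{- if eq (len .Values.ingressController.watchNamespaces) 0 }}`), both `kong.kubernetesRBACRules` and `kong.kubernetesRBACClusterRules` are still bound through a ClusterRole, so the default install keeps cluster-wide access. The removed inline rules included `list`/`watch` on `secrets`, and the helper presumably carries the same. Nothing in the template says this, and because the rules now live in helpers defined outside this file, the granted permissions can no longer be read here. I would add a template comment above the condition, e.g. `{{- /* empty watchNamespaces: namespaced rules are granted cluster-wide via ClusterRole; list namespaces to confine them to per-namespace Roles */}}`. In the `range` branch the namespace is interpolated bare in `namespace: {{ . }}`; `namespace: {{ . | quote }}` keeps a value such as an all-digit namespace name from being retyped by the YAML parser.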