From 0fa6c17485dd473ee80303f605fc560ed86ff5f3 Mon Sep 17 00:00:00 2001
From: Dunemask
Date: Wed, 24 Jan 2024 09:47:34 -0700
Subject: [PATCH 1/3] [FEATURE] Value for cluster wide resources
---
 templates/clusterrole-binding.yaml | 14 ++++++++++++++
 templates/clusterrole.yaml | 27 +++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
 create mode 100644 templates/clusterrole-binding.yaml
 create mode 100644 templates/clusterrole.yaml
diff --git a/templates/clusterrole-binding.yaml b/templates/clusterrole-binding.yaml
new file mode 100644
index 0000000..71a98a7
--- /dev/null
+++ b/templates/clusterrole-binding.yaml
@@ -0,0 +1,14 @@
+{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.clusterWide) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "minecluster.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "minecluster.serviceAccountName" . }}
+ namespace: {{ .Values.mcl.deploymentNamespace | default .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ include "minecluster.serviceAccountName" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/templates/clusterrole.yaml b/templates/clusterrole.yaml
new file mode 100644
index 0000000..a0fb3e5
--- /dev/null
+++ b/templates/clusterrole.yaml
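Review bot: In templates/clusterrole-binding.yaml, `metadata.name` reuses the service account name, but a ClusterRoleBinding is cluster-scoped, so two releases that resolve to the same service account name in different namespaces would render the same object and the second install would collide with the first release's binding. Including the namespace keeps the name unique, for example `name: {{ include "minecluster.serviceAccountName" . }}-{{ .Values.mcl.deploymentNamespace | default .Release.Namespace }}`, with `roleRef.name` and the ClusterRole's `metadata.name` in templates/clusterrole.yaml changed to match. The new object also carries no labels, so if the chart defines a common-labels helper it would be worth applying it here as well.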
@@ -0,0 +1,27 @@
+{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.clusterWide) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "minecluster.serviceAccountName" . }}
+rules:
+- apiGroups: ["apps"]
+ resources:
+ - deployments
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+- apiGroups: [""]
+ resources:
+ - nodes
+ verbs: ["list"]
+- apiGroups: [""]
+ resources:
+ - services
+ - pods
+ - pods/log
+ - containers
+ - persistentvolumeclaims
+ - secrets
+ verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+- apiGroups: ["metrics.k8s.io"]
+ resources: ["pods"]
+ verbs: ["list"]
+{{- end }}
From 19e3b828858192926e5337ac221690c058f824f9 Mon Sep 17 00:00:00 2001
From: Dunemask
Date: Wed, 24 Jan 2024 09:48:54 -0700
Subject: [PATCH 2/3] [FEATURE] Created value trigger for previous commit
---
 values.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/values.yaml b/values.yaml
index 2339df8..922fb54 100644
--- a/values.yaml
+++ b/values.yaml
@@ -15,6 +15,7 @@ nameOverride: "" fullnameOverride: "" serviceAccount: + clusterWide: false # Specifies whether a service account should be created create: true # Annotations to add to the service account
From a6cf093035d563aa86f222ae350fed8bd14b9b60 Mon Sep 17 00:00:00 2001
From: Dunemask
Date: Wed, 24 Jan 2024 10:15:45 -0700
Subject: [PATCH 3/3] [FEATURE] Fixed CRB roleref
---
 templates/clusterrole-binding.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/clusterrole-binding.yaml b/templates/clusterrole-binding.yaml
index 71a98a7..0a5e7d4 100644
--- a/templates/clusterrole-binding.yaml
+++ b/templates/clusterrole-binding.yaml
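Review bot: The third rule in templates/clusterrole.yaml grants `get`, `list`, `watch`, `create`, `patch`, `update` and `delete` on `secrets` and `pods` in every namespace, so anything running as this service account can read every secret in the cluster, including other workloads' credentials. If the application only manages resources in its own deployment namespace, the secrets access belongs in a namespaced Role and RoleBinding rather than in this ClusterRole; if cross-namespace access really is required, narrowing the verbs on `secrets` still limits what a compromised pod can reach. `containers` is not a resource in the core API group, so that entry grants nothing and can be dropped, and `pods/log` is only ever read with `get`. A narrower version of the rule is sketched below.

```yaml
# … unchanged: apps/deployments and nodes rules …
- apiGroups: [""]
  resources:
    - services
    - pods
    - persistentvolumeclaims
  verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
- apiGroups: [""]
  resources:
    - pods/log
  verbs: ["get"]
# secrets: granted through a namespaced Role/RoleBinding instead of this ClusterRole
# … unchanged: metrics.k8s.io rule …
```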
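Review bot: `clusterWide: false` in values.yaml is added without a comment, unlike the `create` and annotations keys next to it in this hunk, and it is the setting with the largest effect: when it and `create` are both true the chart renders a ClusterRole and ClusterRoleBinding that give the service account access to secrets, pods and deployments in all namespaces. A comment above the key would make that visible to whoever edits the values, e.g. `# Also create a ClusterRole and ClusterRoleBinding for the service account (cluster-wide access, including secrets); only applies when create is true`. Keeping the default at false is the right choice.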
@@ -8,7 +8,7 @@ subjects:
 name: {{ include "minecluster.serviceAccountName" . }}
 namespace: {{ .Values.mcl.deploymentNamespace | default .Release.Namespace }}
 roleRef:
- kind: Role
+ kind: ClusterRole
 name: {{ include "minecluster.serviceAccountName" . }}
 apiGroup: rbac.authorization.k8s.io
 {{- end }}