
Commit 268294e

n3wscottpmorie
authored andcommitted
Adding rbac definition for v1 api endpoint. (#1284)
* Duplicating rbac definition for v1 api endpoint. * Now using a variable for version. * Fixing variable assignment. * Wondering if ordering matters. * Fixing assignment for apiVersion. * Working version of v1 vs v1beta1 rbac selection.
1 parent 103288d commit 268294e


3 files changed

+26
-11
lines changed


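--- a/charts/catalog/templates/_helpers.tpl
+++ b/charts/catalog/templates/_helpers.tpl
@@ -7,3 +7,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "fullname" -}}
 {{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Conditionally print out rbac api verison.
+This will select v1 before v1beta1 if both are available.
+*/}}
+{{- define "rbacApiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- end -}}
+{{- end -}}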
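Review bot: The `rbacApiVersion` helper prints nothing when `.Capabilities.APIVersions` reports neither `rbac.authorization.k8s.io/v1` nor `rbac.authorization.k8s.io/v1beta1`, because the `if`/`else if` chain has no final branch. rbac.yaml is now gated only on `.Values.rbacEnable` (default `true` in values.yaml), so on such a cluster each of its eight `- apiVersion: {{template "rbacApiVersion" . }}` items would render with an empty `apiVersion:` and would likely be rejected with an unhelpful manifest error, where the old capability check skipped the file. I would close the chain with `{{- else -}}` followed by `{{- fail "rbacEnable is true but the cluster serves no rbac.authorization.k8s.io API version" -}}`, assuming the Helm version this chart targets provides `fail`. The doc comment also spells "version" as `verison`.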

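--- a/charts/catalog/templates/rbac.yaml
+++ b/charts/catalog/templates/rbac.yaml
@@ -1,13 +1,13 @@
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+{{- if .Values.rbacEnable }}
 apiVersion: v1
 kind: List
 items:
 
 ### API Server ###
-
+
 # TODO: if this is just for namespace lifecycle admission, move to a generic role
 # the role for the apiserver
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: ClusterRole
 metadata:
 name: "servicecatalog.k8s.io:apiserver"
@@ -18,7 +18,7 @@ items:
 resources: ["namespaces"]
 verbs: ["get", "list", "watch"]
 # API-server service-account gets its own role
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: ClusterRoleBinding
 metadata:
 name: "servicecatalog.k8s.io:apiserver"
@@ -33,7 +33,7 @@ items:
 namespace: "{{ .Release.Namespace }}"
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: ClusterRoleBinding
 metadata:
 name: "servicecatalog.k8s.io:apiserver-auth-delegator"
@@ -49,7 +49,7 @@ items:
 # apiserver gets the ability to read authentication. This allows it to
 # read the specific configmap that has the requestheader-* entries to
 # enable api aggregation
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: RoleBinding
 metadata:
 name: "servicecatalog.k8s.io:apiserver-authentication-reader"
@@ -69,7 +69,7 @@ items:
 # controller-manager role defines what access the service-catalog
 # controller-manager needs to manage the resources of the
 # service-catalog
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: ClusterRole
 metadata:
 name: "servicecatalog.k8s.io:controller-manager"
@@ -98,7 +98,7 @@ items:
 resources: ["clusterservicebrokers/status","serviceinstances/status","serviceinstances/reference","servicebindings/status"]
 verbs: ["update"]
 # give the controller-manager service account access to whats defined in its role.
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: ClusterRoleBinding
 metadata:
 name: "servicecatalog.k8s.io:controller-manager"
@@ -114,7 +114,7 @@ items:
 
 # This gives create/update access to an endpoint in kube-system for leader election
 # TODO: use an object other than endpoints, and in the same namespace as the service catalog, not in kube-system
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: Role
 metadata:
 name: "servicecatalog.k8s.io:leader-locking-controller-manager"
@@ -127,7 +127,7 @@ items:
 resources: ["endpoints"]
 resourceNames: ["service-catalog-controller-manager"]
 verbs: ["get","update"]
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{template "rbacApiVersion" . }}
 kind: RoleBinding
 metadata:
 name: service-catalog-controller-manager
@@ -141,4 +141,4 @@ items:
 kind: ServiceAccount
 name: "{{ .Values.controllerManager.serviceAccount }}"
 namespace: "{{ .Release.Namespace }}"
-{{ end }}
+{{end}}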

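--- a/charts/catalog/values.yaml
+++ b/charts/catalog/values.yaml
@@ -1,6 +1,9 @@
 # Default values for Service Catalog
 # determines whether the API server should be registered with the kube-aggregator
 useAggregator: false
+## If true, create & use RBAC resources
+##
+rbacEnable: true
 apiserver:
 # apiserver image to use
 image: quay.io/kubernetes-service-catalog/apiserver:v0.1.0-rc1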
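Review bot: The comment on `rbacEnable` does not say what `false` means on a cluster that enforces RBAC. rbac.yaml is wrapped in `{{- if .Values.rbacEnable }}`, so with `false` none of its ClusterRole, ClusterRoleBinding, Role or RoleBinding items are rendered and the apiserver and controller-manager service accounts get no permissions from the chart. I would extend the comment, for example `## If false, no roles or bindings are created; on an RBAC-enabled cluster grant the service accounts the permissions listed in templates/rbac.yaml yourself rather than binding a broad role such as cluster-admin.`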
