djpbessems/ContainerImage.Pinniped
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add RBAC for autoregistration

Browse Source 
- Also fix mistakes in the deployment.yaml
- Also hardcode the ownerRef kind and version because otherwise we get an error

Signed-off-by: Monis Khan <mok@vmware.com>
This commit is contained in:
Ryan Richard 2020-07-17 14:42:02 -07:00 committed by Monis Khan
parent 611859f04a
commit 260a271859
3 changed files with 79 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
deploy/deployment.yaml
View File

@ -9,6 +9,12 @@ metadata:
name: #@ data.values.namespace
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: #@ data.values.app_name + "-service-account"
namespace: #@ data.values.namespace
---
apiVersion: v1
kind: ConfigMap
metadata:
name: #@ data.values.app_name + "-config"
@ -39,6 +45,7 @@ spec:
labels:
app: #@ data.values.app_name
spec:
serviceAccountName: #@ data.values.app_name + "-service-account"
containers:
- name: placeholder-name
#@ if data.values.image_digest:
@ -48,25 +55,25 @@ spec:
#@ end
imagePullPolicy: IfNotPresent
command:
- ./app
- --config=/etc/config/placeholder-config.yaml
- --downward-api-path=/etc/podinfo
- ./app
args:
- --config=/etc/config/placeholder-config.yaml
- --downward-api-path=/etc/podinfo
volumeMounts:
- name: config-volume
mountPath: /etc/config
- name: config-volume
mountPath: /etc/config
- name: podinfo
mountPath: /etc/podinfo
volumes:
- name: config-volume
configMap:
name: #@ data.values.app_name + "-config"
- name: config-volume
configMap:
name: #@ data.values.app_name + "-config"
- name: podinfo
mountPath: /etc/podinfo
volumes:
- name: podinfo
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace
downwardAPI:
items:
- path: "labels"
fieldRef:
fieldPath: metadata.labels
- path: "namespace"
fieldRef:
fieldPath: metadata.namespace

51
deploy/rbac.yaml Normal file
View File

@ -0,0 +1,51 @@
#@ load("@ytt:data", "data")
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
rules:
- apiGroups: [""]
resources: [namespaces]
verbs: [get, list, watch]
- apiGroups: [apiregistration.k8s.io]
resources: [apiservices]
verbs: [create, get, list, patch, update, watch]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role-binding"
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name + "-service-account"
namespace: #@ data.values.namespace
roleRef:
kind: ClusterRole
name: #@ data.values.app_name + "-aggregated-api-server-cluster-role"
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: #@ data.values.app_name + "-aggregated-api-server-role"
namespace: #@ data.values.namespace
rules:
- apiGroups: [""]
resources: [services]
verbs: [create, get, list, patch, update, watch]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: #@ data.values.app_name + "-aggregated-api-server-role-binding"
namespace: #@ data.values.namespace
subjects:
- kind: ServiceAccount
name: #@ data.values.app_name + "-service-account"
namespace: #@ data.values.namespace
roleRef:
kind: Role
name: #@ data.values.app_name + "-aggregated-api-server-role"
apiGroup: rbac.authorization.k8s.io

4
internal/autoregistration/autoregistration.go
View File

@ -64,8 +64,8 @@ func Setup(ctx context.Context, options SetupOptions) error {
Port: &svc.Spec.Ports[0].Port,
}
apiSvc.ObjectMeta.OwnerReferences = []metav1.OwnerReference{{
APIVersion: ns.APIVersion,
Kind: ns.Kind,
APIVersion: "v1", // TODO why did we need to hardcode this to avoid errors? was ns.APIVersion
Kind: "Namespace", // TODO why did we need to hardcode this to avoid errors? was ns.Kind
UID: ns.UID,
Name: ns.Name,
}}