From e18b6fdddc58e4acf359f0f4941f42117e5a1f0a Mon Sep 17 00:00:00 2001
From: Andrew Keesler
Date: Mon, 21 Sep 2020 14:16:32 -0400
Subject: [PATCH] deploy: add kube-cert-agent deployment knobs

---
 deploy/deployment.yaml | 7 +++++++
 deploy/rbac.yaml | 10 +++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index fc0b5369..a83c571c 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -38,6 +38,13 @@ data:
 servingCertificateSecret: (@= data.values.app_name + "-api-tls-serving-certificate" @)
 credentialIssuerConfig: (@= data.values.app_name + "-config" @)
 apiService: (@= data.values.app_name + "-api" @)
+ kubeCertAgent:
+ namePrefix: (@= data.values.app_name + "-kube-cert-agent-" @)
+ (@ if data.values.image_digest: @)
+ image: (@= data.values.image_repo + "@" + data.values.image_digest @)
+ (@ else: @)
+ image: (@= data.values.image_repo + ":" + data.values.image_tag @)
+ (@ end @)
 ---
 #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
 apiVersion: v1
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
index 9ef976b3..5f02c6ca 100644
--- a/deploy/rbac.yaml
+++ b/deploy/rbac.yaml
@@ -65,17 +65,17 @@ roleRef:
 name: #@ data.values.app_name + "-aggregated-api-server"
 apiGroup: rbac.authorization.k8s.io
 
-#! Give permission to list pods and pod exec in the kube-system namespace so we can find the API server's private key
+#! Give permission to CRUD pods and pod exec in the kube-system namespace so we can find the API server's private key
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
- name: #@ data.values.app_name + "-kube-system-pod-exec"
+ name: #@ data.values.app_name + "-kube-system-pod-read-write"
 namespace: kube-system
 rules:
 - apiGroups: [""]
 resources: [pods]
- verbs: [get, list]
+ verbs: [create, get, list, patch, update, watch, delete]
 - apiGroups: [""]
 resources: [pods/exec]
 verbs: [create]
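Review bot: The new `kubeCertAgent` keys carry no comment saying what consumes them, so a reader of the rendered ConfigMap cannot tell that `namePrefix` names the agent pods the controller appears (from the RBAC change in this same patch) to create in kube-system, or why there are two `image` lines. A one-line `#!` note above `kubeCertAgent:` such as `#! Settings for the kube-cert-agent pods that the controller creates in kube-system` would close that gap. The digest-or-tag selection presumably mirrors the main container's image lines elsewhere in this file; if so, a shared ytt function would keep the two from drifting, and the tag branch should be documented as the mutable fallback. The enclosing `data:` block starts outside the hunk.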
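Review bot: The widened `verbs` list on `resources: [pods]` now grants create, update, patch and delete on every pod in kube-system, and combined with `pods/exec` create that is effectively control of the control-plane namespace; the comment above the Role still says the permission exists "so we can find the API server's private key", which no longer describes what the write verbs are for. I would reword it to name the actual use, e.g. `#! Give permission to create/manage the kube-cert-agent pods (and exec into them) in kube-system so we can find the API server's private key`. If the agent controller only creates, lists, watches and deletes its own pods, `patch` and `update` could be dropped to narrow the grant, but that cannot be confirmed from this patch. Renaming the Role to `-kube-system-pod-read-write` (and the RoleBinding in the later hunks) also leaves the old `-kube-system-pod-exec` objects behind on clusters upgraded in place unless the deploy tooling prunes them.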
@@ -83,7 +83,7 @@ rules:
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
- name: #@ data.values.app_name + "-kube-system-pod-exec"
+ name: #@ data.values.app_name + "-kube-system-pod-read-write"
 namespace: kube-system
 subjects:
 - kind: ServiceAccount
@@ -91,7 +91,7 @@ subjects:
 namespace: #@ data.values.namespace
 roleRef:
 kind: Role
- name: #@ data.values.app_name + "-kube-system-pod-exec"
+ name: #@ data.values.app_name + "-kube-system-pod-read-write"
 apiGroup: rbac.authorization.k8s.io
 
 #! Allow both authenticated and unauthenticated TokenCredentialRequests (i.e. allow all requests)