diff --git a/charts/agent/templates/clusterrole.yaml b/charts/agent/templates/clusterrole.yaml
index e5056b4..6215426 100644
--- a/charts/agent/templates/clusterrole.yaml
+++ b/charts/agent/templates/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if and .Values.serviceAccount.create .Values.serviceAccount.role.create (eq .Values.serviceAccount.role.scope "cluster") (not .Values.serviceAccount.role.import) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
diff --git a/charts/agent/templates/clusterrolebinding.yaml b/charts/agent/templates/clusterrolebinding.yaml
index ac5429e..da9bdfe 100644
--- a/charts/agent/templates/clusterrolebinding.yaml
+++ b/charts/agent/templates/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.serviceAccount.create -}}
+{{- if and .Values.serviceAccount.create .Values.serviceAccount.role.create (eq .Values.serviceAccount.role.scope "cluster") }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -9,6 +9,10 @@ subjects:
 namespace: {{ .Values.namespace }}
 roleRef:
 kind: ClusterRole
+ {{- if .Values.serviceAccount.role.import }}
+ name: {{ .Values.serviceAccount.role.name }}
+ {{- else }}
 name: {{ include "agent.serviceAccountName" . }}-role
+ {{- end }}
 apiGroup: rbac.authorization.k8s.io
 {{- end }}
\ No newline at end of file
diff --git a/charts/agent/templates/role.yaml b/charts/agent/templates/role.yaml
new file mode 100644
index 0000000..0f30b4d
--- /dev/null
+++ b/charts/agent/templates/role.yaml
@@ -0,0 +1,9 @@
+{{- if and .Values.serviceAccount.create .Values.serviceAccount.role.create (eq .Values.serviceAccount.role.scope "namespace") (not .Values.serviceAccount.role.import) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "agent.serviceAccountName" . }}-role
+ namespace: {{ .Values.namespace }}
+rules:
+ {{- toYaml .Values.serviceAccount.role.rules | nindent 3 }}
+{{- end }}
\ No newline at end of file
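Review bot: The new guard on line 1 of clusterrole.yaml renders only when `scope` is exactly "cluster", and role.yaml only when it is exactly "namespace", so any other value (a typo like `Cluster`, or an empty string) produces no Role, ClusterRole or binding at all, and the install succeeds with the agent's ServiceAccount bound to nothing. Failing at render time is safer than a silent no-op: add a check ahead of the condition, e.g. `{{- if not (or (eq .Values.serviceAccount.role.scope "cluster") (eq .Values.serviceAccount.role.scope "namespace")) }}{{ fail "serviceAccount.role.scope must be \"cluster\" or \"namespace\"" }}{{ end }}`, ideally in a shared helper so role.yaml and both binding templates run the same check. The rest of the ClusterRole spec is outside the hunk.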
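Review bot: When `serviceAccount.role.import` is true, the added `name: {{ .Values.serviceAccount.role.name }}` in the roleRef renders an empty `name:` under the values.yaml default `name: ""`, and a binding with an empty roleRef.name is rejected by the API server rather than at template time. Make the requirement explicit so a misconfigured release fails with a clear message: `name: {{ required "serviceAccount.role.name must be set when serviceAccount.role.import is true" .Values.serviceAccount.role.name }}`. rolebinding.yaml in this commit has the same `if import` branch and needs the same guard. A comment above the `{{- if` noting that `roleRef` is immutable once the binding exists (so switching `import` or `name` later requires deleting the binding before upgrading) would also save operators a failed upgrade.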
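Review bot: `{{- toYaml .Values.serviceAccount.role.rules | nindent 3 }}` under `rules:` in role.yaml renders the rule list with a three-space indent, which is valid YAML but an unusual step that yamllint's indentation check will flag if the chart otherwise uses two spaces (the original indentation isn't recoverable from this view, so treat that as presumed). `nindent 2` keeps the rendered Role consistent with the two-space `metadata` block above it. If the rule set in values.yaml is left empty, `toYaml` renders `null` here and the Role is created with no rules; that is permitted by the API, but a short comment saying so would make the behaviour deliberate rather than accidental.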
diff --git a/charts/agent/templates/rolebinding.yaml b/charts/agent/templates/rolebinding.yaml
new file mode 100644
index 0000000..54c1aa0
--- /dev/null
+++ b/charts/agent/templates/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if and .Values.serviceAccount.create .Values.serviceAccount.role.create (eq .Values.serviceAccount.role.scope "namespace") }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.serviceAccount.name }}-binding
+ namespace: {{ .Values.namespace }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ .Values.serviceAccount.name }}
+ namespace: {{ .Values.namespace }}
+roleRef:
+ kind: Role
+ {{- if .Values.serviceAccount.role.import }}
+ name: {{ .Values.serviceAccount.role.name }}
+ {{- else }}
+ name: {{ include "agent.serviceAccountName" . }}-role
+ {{- end }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/charts/agent/values.yaml b/charts/agent/values.yaml
index 9796e3c..9a4d9a1 100644
--- a/charts/agent/values.yaml
+++ b/charts/agent/values.yaml
@@ -36,6 +36,17 @@ serviceAccount:
 annotations: {}
 name: nullplatform-agent
 role:
+ # Whether to create RBAC resources at all
+ create: true
+
+ # Scope: 'cluster' for ClusterRole/ClusterRoleBinding or 'namespace' for Role/RoleBinding
+ scope: cluster
+
+ # Import existing role instead of creating new one
+ import: false
+ name: ""
+
+ # Rules for the role (only used when creating new role)
 rules:
 - apiGroups:
 - '*'
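Review bot: `metadata.name` and the subject `name` in rolebinding.yaml read `.Values.serviceAccount.name` directly, while `roleRef.name` further down in the same file derives its prefix from `include "agent.serviceAccountName" .`. If that helper applies a fallback when `serviceAccount.name` is empty (the usual chart pattern; the helper is not in this diff), the subject would name a ServiceAccount that does not exist and the Role would silently bind to nothing, which is hard to spot because the objects still render. Use the helper for both: `name: {{ include "agent.serviceAccountName" . }}-binding` and `name: {{ include "agent.serviceAccountName" . }}`. clusterrolebinding.yaml presumably has the same subject stanza (its subject lines fall outside the second hunk), so the two should be aligned together.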
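Review bot: The new `import` / `name` comments in values.yaml leave out the operational constraint that matters most for these keys: a (Cluster)RoleBinding's `roleRef` is immutable, so changing `import` or `name` on an already-installed release fails at `helm upgrade` until the existing binding is deleted. Suggest placing `# Note: roleRef on the binding is immutable; changing import or name after install requires deleting the existing binding first.` above `import: false`. The `scope` comment would also benefit from stating that `namespace` is the least-privilege option, since under the default `scope: cluster` the `rules` that follow (beginning with `apiGroups: ['*']`) are granted cluster-wide. The `rules` list continues past the end of the hunk.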