diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml
index 8b9a91400..30fc70f51 100644
--- a/chart/templates/clusterrole.yaml
+++ b/chart/templates/clusterrole.yaml
@@ -1,8 +1,53 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role"
 metadata:
 name: {{ include "canary-checker.name" . }}-role
 rules:
+ {{- if .Values.serviceAccount.rbac.secrets}}
+ - apiGroups:
+ - v1
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ {{- end}}
+ {{- if .Values.serviceAccount.rbac.configmaps}}
+ - apiGroups:
+ - v1
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ {{- end}}
+ {{- if .Values.serviceAccount.rbac.exec}}
+ - apiGroups: [""]
+ resources:
+ - pods/attach
+ - pods/exec
+ - pods/log
+ verbs:
+ - '*'
+ {{- end}}
+ {{- if .Values.serviceAccount.rbac.tokenRequest}}
+ - apiGroups:
+ - authentication.k8s.io/v1
+ resources:
+ - serviceaccounts/token
+ verbs:
+ - create
+ {{- end}}
+ {{- if .Values.serviceAccount.rbac.readAll}}
+ - apiGroups:
+ - "*"
+ resources:
+ - "*"
+ verbs:
+ - list
+ - get
+ - watch
+ {{- end}}
 - apiGroups:
 - canaries.flanksource.com
 resources:
@@ -25,6 +70,7 @@ rules:
 - get
 - patch
 - update
+ {{- if .Values.serviceAccount.rbac.podsCreateAndDelete}}
 # for creating and destroying pods during the pod canary test
 - apiGroups:
 - ""
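Review bot: The `apiGroups` entries `v1` (secrets and configmaps rules) and `authentication.k8s.io/v1` (serviceaccounts/token rule) are API versions, not API group names, so the RBAC matcher never selects the intended resources and these rules grant nothing; the core group is written `""`, exactly as the exec rule's `apiGroups: [""]` in this same hunk does, so the fix is `- apiGroups: [""]` for all three. The same defect recurs in the next hunk with `"networking.k8s.io/v1"` (should be `networking.k8s.io`) and `"v1"` for namespaces (should be `""`). In the exec rule `'*'` is broader than the subresources are used with: `create` on `pods/exec` and `pods/attach` and `get` on `pods/log` is the minimal set, so `verbs: [create, get]` would do. The `{{- if ...podsCreateAndDelete}}` opened at the end of the second hunk on this line is closed in the following hunk.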
@@ -34,46 +80,40 @@ rules:
 - services
 verbs:
 - "*"
+ {{- end}}
+ {{- if .Values.serviceAccount.rbac.ingressCreateAndDelete }}
 - apiGroups:
- - "metrics.k8s.io"
+ - "networking.k8s.io/v1"
 resources:
- - pods
- - nodes
+ - ingresses
 verbs:
 - "*"
- # for getting the XML results from junit tests
 - apiGroups:
- - ""
+ - "extensions"
 resources:
- - pods/exec
- - pods/log
+ - ingresses
 verbs:
 - "*"
+ {{- end}}
+ {{- if .Values.serviceAccount.rbac.namespaceCreateAndDelete }}
 - apiGroups:
- - ""
+ - "v1"
 resources:
- - nodes
- verbs:
- - get
- - list
- - apiGroups:
- - "networking.k8s.io"
- resources:
- - ingresses
+ - namespaces
 verbs:
 - "*"
+ {{- end}}
 - apiGroups:
- - "extensions"
+ - "metrics.k8s.io"
 resources:
- - ingresses
+ - pods
+ - nodes
 verbs:
 - "*"
- # for reading configuration from canaries
 - apiGroups:
 - ""
 resources:
- - secrets
- - configmaps
+ - nodes
 verbs:
 - get
 - list
diff --git a/chart/templates/clusterrolebinding.yaml b/chart/templates/clusterrolebinding.yaml
index 5087580cf..02d699968 100644
--- a/chart/templates/clusterrolebinding.yaml
+++ b/chart/templates/clusterrolebinding.yaml
@@ -1,10 +1,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}RoleBinding"
 metadata:
 name: {{ include "canary-checker.fullname" . }}-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role"
 name: {{ include "canary-checker.name" . }}-role
 subjects:
 - kind: ServiceAccount
diff --git a/chart/values.yaml b/chart/values.yaml
index 00259c4b0..df53d91ab 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
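Review bot: With the new default `cluster_role: false` this object renders as a namespaced Role, yet the rules kept in this hunk for `namespaces`, core `nodes` and `metrics.k8s.io` `nodes` target cluster-scoped resources, which a Role cannot grant, so they are dead unless `cluster_role` is turned on. Either wrap those rules in `{{- if .Values.serviceAccount.rbac.cluster_role }}` so the rendered Role carries no ineffective rules, or state next to `cluster_role` in values.yaml that the node and namespace canaries require it. The second ingress rule keeps the `extensions` group, which is very likely only served by clusters older than 1.22 and could be dropped once the `networking.k8s.io` group name is fixed. The `{{- end}}` on the first added line closes the `podsCreateAndDelete` conditional opened in the previous hunk, and the rules list may continue past this hunk.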
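Review bot: The `{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}` expression is now spelled out three times (`kind` and `roleRef.kind` here, `kind` in clusterrole.yaml); a named template resolved with `include` at each site keeps the three from drifting apart. Because the objects can now be namespaced, `canary-checker.name` for the Role and `roleRef.name` is presumably release-independent and two releases in one namespace would collide on it, whereas the binding already uses `canary-checker.fullname`; confirm the helper's output and consider `fullname` for the Role as well. The subjects list continues outside this hunk.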
@@ -135,10 +135,29 @@ resources:
 memory: 2Gi
 serviceAccount:
- {}
 # Configures extra annotations on the service account
 # annotations:
 # some: annotation
+ rbac:
+ # Whether to create cluster-wide or namespaced roles
+ cluster_role: false
+
+ # for secret management with valueFrom
+ tokenRequest: true
+ secrets: true
+ configmaps: true
+
+ # for use with kubernetes resource lookups
+ readAll: true
+
+ # for pod and junit canaries
+ podsCreateAndDelete: true
+
+ # for pod canary
+ ingressCreateAndDelete: true
+
+ # for namespace canary
+ namespaceCreateAndDelete: true
 disableChecks: {}
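Review bot: clusterrole.yaml gates its `pods/exec`, `pods/attach`, `pods/log` rule on `.Values.serviceAccount.rbac.exec`, but no `exec` key is declared in this block, so the value is falsy and that rule is never rendered by default, silently dropping the exec/log access the removed unconditional junit rule used to grant. If that access is still wanted, add `exec: true` under `rbac` with a comment such as `# for junit canaries (pods/exec, pods/log)`; if not, remove the dead conditional from the template. `readAll: true` as a default grants `get`/`list`/`watch` on every resource in every API group, which already covers secrets and configmaps and makes the `secrets`/`configmaps` toggles meaningless while it is on; a least-privilege default is `readAll: false` with the comment spelling out that enabling it reads all resources, secrets included. The naming also mixes `cluster_role` with camelCase siblings (`tokenRequest`, `readAll`); `clusterRole` would match the rest of the block.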