Merge pull request #513 from Bregor/features/rbac

vdice · web-flow · commit 20bbfb1676dd · 2017-05-31T14:10:44.000-06:00
RBAC support
diff --git a/charts/builder/templates/_helpers.tmpl b/charts/builder/templates/_helpers.tmpl
@@ -0,0 +1,10 @@
+{{/*
+Set apiVersion based on Kubernetes version
+*/}}
+{{- define "rbacAPIVersion" -}}
+{{- if ge .Capabilities.KubeVersion.Minor "6" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- else -}}
+rbac.authorization.k8s.io/v1alpha1
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-clusterrole.yaml b/charts/builder/templates/builder-clusterrole.yaml
@@ -0,0 +1,15 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRole
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-builder
+  labels:
+    app: deis-builder
+    heritage: deis
+rules:
+- apiGroups: [""]
+  resources: ["namespaces"]
+  verbs: ["list"]
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-clusterrolebinding.yaml b/charts/builder/templates/builder-clusterrolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-builder
+  labels:
+    app: deis-builder
+    heritage: deis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: deis:deis-builder
+subjects:
+- kind: ServiceAccount
+  name: deis-builder
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-role.yaml b/charts/builder/templates/builder-role.yaml
@@ -0,0 +1,21 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: Role
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis-builder
+  labels:
+    app: deis-builder
+    heritage: deis
+rules:
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["create", "update", "delete"]
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["create", "get", "watch", "list"]
+- apiGroups: [""]
+  resources: ["pods/log"]
+  verbs: ["get"]
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/templates/builder-rolebinding.yaml b/charts/builder/templates/builder-rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: RoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis-builder
+  labels:
+    app: deis-builder
+    heritage: deis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: deis-builder
+subjects:
+- kind: ServiceAccount
+  name: deis-builder
+{{- end -}}
+{{- end -}}
diff --git a/charts/builder/values.yaml b/charts/builder/values.yaml
@@ -12,3 +12,5 @@ global:
   # - true: The deis controller will now create Kubernetes ingress rules for each app, and ingress rules will automatically be created for the controller itself.
   # - false: The default mode, and the default behavior of Deis workflow.
   experimental_native_ingress: false
+  # Role-Based Access Control for Kubernetes >= 1.5
+  use_rbac: false
