feat: add impersonate permissin to mission-control role
* Add mission-control-reader & mission-control-writer roles & bindings
adityathebe committed Jul 31, 2024
1 parent 841c71f commit f035cc2
Showing 2 changed files with 69 additions and 1 deletion.
65 changes: 64 additions & 1 deletion chart/templates/rbac.yaml
Expand Up @@ -12,9 +12,16 @@ metadata:
apiVersion: rbac.authorization.k8s.io/v1
kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
metadata:
creationTimestamp: null
name: {{ include "incident-commander.name" . }}-role
rules:
{{- if .Values.serviceAccount.rbac.impersonate}}
- apiGroups:
- ""
resources:
- users
verbs:
- impersonate
{{- end}}
- apiGroups:
- mission-control.flanksource.com
resources:
Expand Down Expand Up @@ -118,3 +125,59 @@ subjects:
- kind: ServiceAccount
name: {{.Values.serviceAccount.name}}
namespace: {{ .Release.Namespace }}
{{- if .Values.serviceAccount.rbac.impersonate}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
metadata:
name: 'mission-control-reader-role'
rules:
- apiGroups: ['']
resources: ['configmaps', 'secrets']
verbs: ['get', 'list', 'watch']
- apiGroups:
- 'configs.flanksource.com'
- 'canaries.flanksource.com'
- 'mission-control.flanksource.com'
resources: ['*']
verbs: ['get', 'list', 'watch']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
metadata:
name: 'mission-control-writer-role'
rules:
- apiGroups: ['']
resources: ['configmaps', 'secrets']
verbs: ['*']
- apiGroups:
- 'configs.flanksource.com'
- 'canaries.flanksource.com'
- 'mission-control.flanksource.com'
resources: ['*']
verbs: ['*']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}RoleBinding
metadata:
name: 'mission-control-reader-role-binding'
subjects:
- kind: User
name: 'mission-control-reader'
roleRef:
kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
name: 'mission-control-reader-role'
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}RoleBinding
metadata:
name: 'mission-control-writer-role-binding'
subjects:
- kind: User
name: 'mission-control-writer'
roleRef:
kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
name: 'mission-control-writer-role'
apiGroup: rbac.authorization.k8s.io
{{- end}}
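Review bot: The impersonate rule added at the top of the first hunk (`resources: - users`, `verbs: - impersonate`) has no `resourceNames`, so with `impersonate: true` the service account may act as any user in the cluster, not only the two users the bindings at the end of the second hunk are written for. Scoping it with `resourceNames:` / `- mission-control-reader` / `- mission-control-writer` keeps the grant to what the values.yaml comment describes. Separately, the four new objects use fixed names (`mission-control-reader-role`, `mission-control-writer-role` and their bindings) while the existing Role is named `{{ include "incident-commander.name" . }}-role`; when `clusterRole` is true a second release in the same cluster will collide on these cluster-scoped names, so prefixing them the same way would be consistent. The writer role's `verbs: ['*']` on `secrets` and `configmaps` is broad enough that a comment on why full write access to those core resources is required would help the next reader. The `rules:` list of the first hunk continues past the hunk's last line.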
5 changes: 5 additions & 0 deletions chart/values.yaml
Expand Up @@ -35,6 +35,11 @@ serviceAccount:
name: mission-control-sa
annotations: {}
rbac:
# Impersonate allows the service account to impersonate as
# - mission-control-reader-role
# - mission-control-writer-role
# This is used by kubeproxy.
impersonate: false
# Whether to create cluster-wide or namespaced roles
clusterRole: true
# for secret management with valueFrom
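Review bot: The comment added above `impersonate: false` says the service account impersonates `mission-control-reader-role` and `mission-control-writer-role`, but in rbac.yaml the new bindings are for the users `mission-control-reader` and `mission-control-writer`, and the roles are what those users are granted. Suggested wording: `# Impersonate lets the service account act as the users mission-control-reader and` / `# mission-control-writer, which rbac.yaml binds to the reader and writer roles.` The line `# This is used by kubeproxy.` reads as a component name; if it refers to something other than the Kubernetes kube-proxy, naming it exactly would avoid confusion.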
