Sylvain Desbureaux6f4e8c02021-04-19 15:26:15 +02001{{/*
2# Copyright © 2020 Orange
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15*/}}
16
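{{- /*
  Renders one namespaced RBAC Role per entry of .Values.roles, named
  "<release>-<role type>". Three shapes are produced:
    read    - get/watch/list on workload resources; secrets are not included.
    create  - the read set plus secrets and services, patch/create/delete on
              the resources listed per rule below, pods/exec, and
              cert-manager certificates.
    other   - any other role type may only create self subject access/rules
              reviews, i.e. query its own permissions.
  Review note: the "create" role combines secret read access, pod and
  deployment creation and pods/exec, so bind it only to subjects that are
  trusted with every workload and secret in the namespace.
*/ -}}
{{- $dot := . -}}
{{- range $role_type := $dot.Values.roles }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # Quoted so that an all-digit or boolean-looking release or namespace name
  # is still parsed as a string.
  name: {{ printf "%s-%s" (include "common.release" $dot) $role_type | quote }}
  namespace: {{ include "common.namespace" $dot | quote }}
rules:
{{- if eq $role_type "read" }}
# Read-only view of workloads; no access to secrets or configmaps.
- apiGroups:
  - ""  # "" indicates the core API group
  - apps
  - batch
  - extensions
  resources:
  - pods
  - deployments
  - deployments/status
  - jobs
  - jobs/status
  - statefulsets
  - replicasets
  - replicasets/status
  - daemonsets
  verbs:
  - get
  - watch
  - list
{{- else if eq $role_type "create" }}
# Read access. Unlike the read role this rule includes secrets: get, list and
# watch all return the secret data, so the holder can read every secret in
# the namespace.
- apiGroups:
  - ""  # "" indicates the core API group
  - apps
  - batch
  - extensions
  resources:
  - pods
  - deployments
  - deployments/status
  - jobs
  - jobs/status
  - statefulsets
  - replicasets
  - replicasets/status
  - daemonsets
  - secrets
  - services
  verbs:
  - get
  - watch
  - list
# Patching a statefulset can change its pod template, so this is workload
# write access, not just a metadata update.
- apiGroups:
  - ""  # "" indicates the core API group
  - apps
  resources:
  - statefulsets
  - configmaps
  verbs:
  - patch
# Creating pods or deployments implicitly gives access to the secrets,
# configmaps and service accounts that those workloads can mount.
- apiGroups:
  - ""  # "" indicates the core API group
  - apps
  resources:
  - deployments
  - secrets
  - services
  - pods
  verbs:
  - create
# Destructive verbs; deleting a persistentvolumeclaim may also discard the
# data behind it, depending on the volume's reclaim policy.
- apiGroups:
  - ""  # "" indicates the core API group
  - apps
  resources:
  - pods
  - persistentvolumeclaims
  - secrets
  - deployments
  - services
  verbs:
  - delete
# create on pods/exec allows running commands inside any pod of the
# namespace; audit "exec" requests for subjects bound to this role.
- apiGroups:
  - ""  # "" indicates the core API group
  - apps
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - create
  - delete
{{- else }}
# A role type other than "read" or "create" gets no access to the API
# except to see basic information about its own permissions.
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectaccessreviews
  - selfsubjectrulesreviews
  verbs:
  - create
{{- end }}
{{- end }}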