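{{/*
# Copyright © 2020 Orange
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}

{{/*
Renders one namespaced Role per entry of .Values.roles (a list of strings),
named "<release>-<role_type>" in the release namespace. Three shapes exist:

  "read"         get/list/watch on workload resources, endpoints and services
  "create"       get/list/watch on workloads, services and Secrets, plus
                 patch/create/delete on selected resources, pods/exec and
                 cert-manager Certificates
  anything else  only SelfSubjectAccessReview / SelfSubjectRulesReview, i.e.
                 the subject can ask what it may do and nothing more

NOTE(review): "create" is close to namespace-admin. It can list, create and
delete Secrets and can create pods/exec, which means running commands inside
any pod of the namespace (and reading that pod's mounted service-account
token). Bind it only to service accounts that genuinely need all of this;
prefer "read" wherever the workload only observes state.
*/}}
{{- $dot := . -}}
{{- range $role_type := $dot.Values.roles }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ printf "%s-%s" (include "common.release" $dot) $role_type }}
  namespace: {{ include "common.namespace" $dot }}
rules:
{{- if eq $role_type "read" }}
# Read-only view of the workloads in the release namespace. No Secrets here.
- apiGroups:
  - ""  # "" is the core API group
  - apps
  - batch
  - extensions  # legacy group (workload kinds left it in Kubernetes 1.16); harmless where absent
  resources:
  - endpoints
  - services
  # NOTE(review): Node objects are cluster-scoped, so a namespaced Role grants
  # nothing on them; a ClusterRole/ClusterRoleBinding is needed for this entry
  # to have any effect. Kept pending confirmation of the intent.
  - nodes
  - pods
  - deployments
  - deployments/status
  - jobs
  - jobs/status
  - statefulsets
  - replicasets
  - replicasets/status
  - daemonsets
  verbs:
  - get
  - watch
  - list
{{- else if eq $role_type "create" }}
# Read access for the mutating role. Unlike "read" this includes Secrets:
# list/watch on secrets discloses every Secret in the namespace.
- apiGroups:
  - ""  # "" is the core API group
  - apps
  - batch
  - extensions  # legacy group (workload kinds left it in Kubernetes 1.16); harmless where absent
  resources:
  - pods
  - deployments
  - deployments/status
  - jobs
  - jobs/status
  - statefulsets
  - replicasets
  - replicasets/status
  - daemonsets
  - secrets
  - services
  verbs:
  - get
  - watch
  - list
# In-place modification only ("patch"); the "update" verb is deliberately absent.
- apiGroups:
  - ""  # "" is the core API group
  - apps
  resources:
  - statefulsets
  - configmaps
  verbs:
  - patch
- apiGroups:
  - ""  # "" is the core API group
  - apps
  resources:
  - deployments
  - secrets
  - services
  - pods
  verbs:
  - create
- apiGroups:
  - ""  # "" is the core API group
  - apps
  resources:
  - pods
  - persistentvolumeclaims
  - secrets
  - deployments
  - services
  verbs:
  - delete
# "create" on pods/exec = execute arbitrary commands in any pod of the
# namespace. This is the single most powerful grant in this Role.
- apiGroups:
  - ""  # "" is the core API group
  - apps
  resources:
  - pods/exec
  verbs:
  - create
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - create
  - delete
{{- else }}
# Any other role type gets no API access beyond asking what the subject
# itself is permitted to do.
- apiGroups:
  - authorization.k8s.io
  resources:
  - selfsubjectaccessreviews
  - selfsubjectrulesreviews
  verbs:
  - create
{{- end }}
{{- end }}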