From 6e5f7e52ac075ad15a331dd09085207b7b4413fa Mon Sep 17 00:00:00 2001
From: Sam Clinckspoor
Date: Tue, 13 Jun 2017 10:30:50 +0200
Subject: [PATCH 1/2] add rbac support
---
 stable/kube2iam/Chart.yaml | 2 +-
 stable/kube2iam/README.md | 1 +
 stable/kube2iam/templates/daemonset.yaml | 3 +++
 stable/kube2iam/templates/role.yaml | 19 +++++++++++++++++++
 stable/kube2iam/templates/rolebinding.yaml | 19 +++++++++++++++++++
 stable/kube2iam/templates/serviceaccount.yaml | 11 +++++++++++
 stable/kube2iam/values.yaml | 3 +++
 7 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 stable/kube2iam/templates/role.yaml
 create mode 100644 stable/kube2iam/templates/rolebinding.yaml
 create mode 100644 stable/kube2iam/templates/serviceaccount.yaml
diff --git a/stable/kube2iam/Chart.yaml b/stable/kube2iam/Chart.yaml
index f404e8c9336d..451a80fc4ec4 100644
--- a/stable/kube2iam/Chart.yaml
+++ b/stable/kube2iam/Chart.yaml
@@ -1,5 +1,5 @@
 name: kube2iam
-version: 0.2.1
+version: 0.2.2
 description: Provide IAM credentials to pods based on annotations.
 keywords:
 - kube2iam
diff --git a/stable/kube2iam/README.md b/stable/kube2iam/README.md
index ce9b9996a1e9..b1a757732948 100644
--- a/stable/kube2iam/README.md
+++ b/stable/kube2iam/README.md
@@ -52,6 +52,7 @@ Parameter | Description | Default
 `podAnnotations` | annotations to be added to pods | `{}`
 `resources` | pod resource requests & limits | `{}`
 `verbose` | Enable verbose output | `false`
+`rbac.enabled` | Enable role and serviceaccount creation | `false`
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/stable/kube2iam/templates/daemonset.yaml b/stable/kube2iam/templates/daemonset.yaml
index e0fb0504f356..f54f5cf03918 100644
--- a/stable/kube2iam/templates/daemonset.yaml
+++ b/stable/kube2iam/templates/daemonset.yaml
@@ -18,6 +18,9 @@ spec:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
 spec:
+{{- if .Values.rbac.enabled }}
+ serviceAccountName: {{ template "fullname" . }}
+{{- end }}
 containers:
 - name: kube2iam
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/stable/kube2iam/templates/role.yaml b/stable/kube2iam/templates/role.yaml
new file mode 100644
index 000000000000..b7c0b0ec168a
--- /dev/null
+++ b/stable/kube2iam/templates/role.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "fullname" . }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - watch
+ - list
+{{- end -}}
diff --git a/stable/kube2iam/templates/rolebinding.yaml b/stable/kube2iam/templates/rolebinding.yaml
new file mode 100644
index 000000000000..044c5664d9ad
--- /dev/null
+++ b/stable/kube2iam/templates/rolebinding.yaml
@@ -0,0 +1,19 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "fullname" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "fullname" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
diff --git a/stable/kube2iam/templates/serviceaccount.yaml b/stable/kube2iam/templates/serviceaccount.yaml
new file mode 100644
index 000000000000..35c9cd02de6e
--- /dev/null
+++ b/stable/kube2iam/templates/serviceaccount.yaml
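Review bot: The `rules:` block in role.yaml grants only `watch` and `list` on `pods`, and nothing says why a cluster-wide read is needed or what is deliberately left out. Upstream kube2iam's own RBAC example also lists `namespaces` and the `get` verb, which the agent uses when namespace restrictions are turned on. Whether this chart can enable that mode is not visible in the hunk, so confirm it and, if it can, add `- namespaces` under `resources:` only when that mode is on rather than unconditionally. Either way, a header comment such as `# kube2iam watches pods in all namespaces to map pod IPs to their IAM role annotation; read-only by design` would help whoever audits the grant.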
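Review bot: rolebinding.yaml declares `kind: ClusterRoleBinding` (and role.yaml a `ClusterRole`), so the file names understate the scope of what is being granted. The README row "Enable role and serviceaccount creation" has the same problem. Renaming the templates to clusterrole.yaml and clusterrolebinding.yaml, or adding a first-line comment like `# Cluster-scoped: binds the kube2iam ServiceAccount to a cluster-wide pod read role`, would make the scope visible at a glance. As a style point, the `subjects:` list here is indented under its key while `rules:` in role.yaml is flush with it; use one sequence style across the chart.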
@@ -0,0 +1,11 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+ heritage: {{ .Release.Service }}
+ release: {{ .Release.Name }}
+ name: {{ template "fullname" . }}
+{{- end -}}
diff --git a/stable/kube2iam/values.yaml b/stable/kube2iam/values.yaml
index 578c81fd47ea..3ee4606a93b6 100644
--- a/stable/kube2iam/values.yaml
+++ b/stable/kube2iam/values.yaml
@@ -32,3 +32,6 @@ resources: {} # memory: 16Mi
 verbose: false
+
+rbac:
+ enabled: false
From 73839e6b1be8caa90ef9f01db33ea89db9c3fcb1 Mon Sep 17 00:00:00 2001
From: Sam Clinckspoor
Date: Fri, 30 Jun 2017 13:56:42 +0200
Subject: [PATCH 2/2] solve and edge-case when turning off rbac
---
 stable/kube2iam/templates/daemonset.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/stable/kube2iam/templates/daemonset.yaml b/stable/kube2iam/templates/daemonset.yaml
index f54f5cf03918..a7e1ee6b32ba 100644
--- a/stable/kube2iam/templates/daemonset.yaml
+++ b/stable/kube2iam/templates/daemonset.yaml
@@ -20,6 +20,8 @@ spec:
 spec:
 {{- if .Values.rbac.enabled }}
 serviceAccountName: {{ template "fullname" . }}
+{{- else }}
+ serviceAccountName: default
 {{- end }}
 containers:
 - name: kube2iam
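Review bot: `rbac.enabled` is added to values.yaml without a comment. With the `false` default, the daemonset on an RBAC-enforcing cluster would presumably start without the pod read access this chart's ClusterRole provides, unless the operator knows to flip the value. Add a comment above the key, for example `# Create a ServiceAccount, ClusterRole and ClusterRoleBinding for kube2iam; set to true on RBAC-enabled clusters`. Naming the cluster-scoped objects there lets operators see what privilege is requested before they enable it.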
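Review bot: The new `{{- else }}` branch in daemonset.yaml hard-codes `serviceAccountName: default`, so with `rbac.enabled: false` the pod always runs as the namespace's shared default account. An operator who manages RBAC outside the chart cannot point the daemonset at a pre-created, narrowly scoped account. The remaining workaround is to grant pod list/watch to `default`, which every pod in that namespace without an explicit service account then inherits. Consider making the name configurable through a new values key, for example `serviceAccountName: {{ .Values.rbac.serviceAccountName | default "default" }}`, where `rbac.serviceAccountName` is a proposed key that does not exist yet. The pod `spec:` this sits in continues outside the hunk.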