RBAC: Update serviceaccount and k8s rbac for maas

This patch set brings the maas chart in line
with the OSH* RBAC approach used in [0] and [1]

[0] https://review.openstack.org/#/c/526464/52
[1] https://review.openstack.org/#/c/529378/

Change-Id: I3138a0f6280ab7d8ca9c8088ae19ec0c2175292c
Anthony Lin 2018-01-22 15:44:50 +00:00
parent c9e646c3dc
commit b664579d57
7 changed files with 48 additions and 0 deletions


@ -19,6 +19,8 @@ limitations under the License.
{{- end -}}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.rack_controller }}
{{- $serviceAccountName := "maas-rack" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $mounts_maas_rack := .Values.pod.mounts.maas_rack }}
{{- $mounts_maas_rack_init := .Values.pod.mounts.maas_rack.init_container }}
---
@ -36,6 +38,7 @@ spec:
configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "maas" "rack" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector:


@ -16,6 +16,8 @@ limitations under the License.
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.bootstrap_admin_user }}
{{- $serviceAccountName := "maas-bootstrap-admin-user" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
@ -27,6 +29,7 @@ spec:
labels:
{{ tuple $envAll "maas" "bootstrap-admin-user" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}


@ -16,6 +16,8 @@ limitations under the License.
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.db_init }}
{{- $serviceAccountName := "maas-db-init" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
@ -27,6 +29,7 @@ spec:
labels:
{{ tuple $envAll "maas" "db-init" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}


@ -16,6 +16,8 @@ limitations under the License.
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.db_sync }}
{{- $serviceAccountName := "maas-db-sync" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
@ -27,6 +29,7 @@ spec:
labels:
{{ tuple $envAll "maas" "db-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}


@ -17,6 +17,35 @@ limitations under the License.
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.export_api_key }}
{{- $initMounts := .Values.pod.mounts.export_api_key.export_api_key }}
{{- $serviceAccountName := "maas-export-api-key" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
name: {{ $serviceAccountName }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
- update
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
name: {{ $serviceAccountName }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ $serviceAccountName }}
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ $envAll.Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
@ -28,6 +57,7 @@ spec:
labels:
{{ tuple $envAll "maas" "export-api-key" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}
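Review bot: The Role introduced in the first hunk of this section (the `rules:` block under `kind: Role`) grants `get`, `create` and `update` on every Secret in the release namespace, because no `resourceNames` list is given, so the maas-export-api-key ServiceAccount can read any secret the namespace holds rather than only the one it writes. `get` and `update` can be narrowed with `resourceNames` naming the secret the job writes; `create` cannot be restricted by name in Kubernetes RBAC, so the rule is best split so that only `create` stays namespace-wide. The secret's name is not visible in this hunk, so the `resourceNames` entry below is a placeholder to be filled from the job's script. Separately, `rbac.authorization.k8s.io/v1beta1` is a beta API; where the target clusters support it, `rbac.authorization.k8s.io/v1` is the stable form.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - create
  - apiGroups:
      - ""
    resources:
      - secrets
    resourceNames:
      - <SECRET_NAME_WRITTEN_BY_JOB>  # placeholder: take from the export-api-key script
    verbs:
      - get
      - update
# … unchanged: RoleBinding and Job documents …
```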


@ -16,6 +16,8 @@ limitations under the License.
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.import_resources }}
{{- $serviceAccountName := "maas-import-resources" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
apiVersion: batch/v1
kind: Job
@ -27,6 +29,7 @@ spec:
labels:
{{ tuple $envAll "maas" "import-resources" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
restartPolicy: OnFailure
nodeSelector:
{{ .Values.labels.region.node_selector_key }}: {{ .Values.labels.region.node_selector_value }}


@ -15,6 +15,8 @@
{{- if .Values.manifests.region_statefulset }}
{{- $envAll := . }}
{{- $dependencies := .Values.dependencies.region_controller }}
{{- $serviceAccountName := "maas-region" }}
{{ tuple $envAll $dependencies $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
{{- $mounts_maas_region := .Values.pod.mounts.maas_region.maas_region }}
{{- $mounts_maas_region_init := .Values.pod.mounts.maas_region.init_container }}
---
@ -31,6 +33,7 @@ spec:
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
annotations:
spec:
serviceAccountName: {{ $serviceAccountName }}
affinity:
{{ tuple $envAll "maas" "region" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
nodeSelector: