From ff4058def1e49451602694bf9aa916f115b0251e Mon Sep 17 00:00:00 2001
From: Maxim Filatov
Date: Sun, 7 May 2017 19:33:05 +0300
Subject: [PATCH] RBAC support
With this change deis-monitor-telegraf became available to work in RBAC-only clusters Works with both Kubernetes 1.5 and 1.6 (see templates/_helpers.tmpl for details) Actually tested with 1.5.7 and 1.6.2 ClusterRole allows deis-monitor-telegraf: - pods: get
---
.../templates/monitor-telegraf-role.yaml | 15 +++++++++++++++
.../monitor-telegraf-rolebinding.yaml | 18 ++++++++++++++++++
charts/monitor/templates/_helpers.tmpl | 10 ++++++++++
charts/monitor/values.yaml | 2 ++
4 files changed, 45 insertions(+)
create mode 100644 charts/monitor/charts/telegraf/templates/monitor-telegraf-role.yaml
create mode 100644 charts/monitor/charts/telegraf/templates/monitor-telegraf-rolebinding.yaml
create mode 100644 charts/monitor/templates/_helpers.tmpl
diff --git a/charts/monitor/charts/telegraf/templates/monitor-telegraf-role.yaml b/charts/monitor/charts/telegraf/templates/monitor-telegraf-role.yaml
new file mode 100644
index 0000000..f5ab9b3
--- /dev/null
+++ b/charts/monitor/charts/telegraf/templates/monitor-telegraf-role.yaml
@@ -0,0 +1,15 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: Role
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+ name: deis-monitor-telegraf
+ labels:
+ app: deis-monitor-telegraf
+ heritage: deis
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
+{{- end -}}
+{{- end -}}
diff --git a/charts/monitor/charts/telegraf/templates/monitor-telegraf-rolebinding.yaml b/charts/monitor/charts/telegraf/templates/monitor-telegraf-rolebinding.yaml
new file mode 100644
index 0000000..cb3e8be
--- /dev/null
+++ b/charts/monitor/charts/telegraf/templates/monitor-telegraf-rolebinding.yaml
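Review bot: The rule grants `get` on pods but nothing in the template records which telegraf input relies on it, and the commit message calls this a ClusterRole while the object is a namespaced Role, so the grant covers only pods in the release namespace. Record the intent above `rules:` so the next person widening it has to justify the change, e.g. `# Least privilege: telegraf only reads individual pod objects in this namespace (get, no list/watch); widen deliberately if a cluster-wide input is added`. If the input in use actually enumerates pods rather than fetching them by name, `get` alone will produce 403 on list — worth confirming against the telegraf configuration, which is outside this hunk. Note also that the two `if` guards make the file render as nothing, with no message, when `use_rbac` is true but the API version picked by `rbacAPIVersion` is not served by the cluster.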
@@ -0,0 +1,18 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: RoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+ name: deis-monitor-telegraf
+ labels:
+ app: deis-monitor-telegraf
+ heritage: deis
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: deis-monitor-telegraf
+subjects:
+- kind: ServiceAccount
+ name: deis-monitor-telegraf
+{{- end -}}
+{{- end -}}
diff --git a/charts/monitor/templates/_helpers.tmpl b/charts/monitor/templates/_helpers.tmpl
new file mode 100644
index 0000000..0b9deb0
--- /dev/null
+++ b/charts/monitor/templates/_helpers.tmpl
@@ -0,0 +1,10 @@
+{{/*
+Set apiVersion based on Kubernetes version
+*/}}
+{{- define "rbacAPIVersion" -}}
+{{- if ge .Capabilities.KubeVersion.Minor "6" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- else -}}
+rbac.authorization.k8s.io/v1alpha1
+{{- end -}}
+{{- end -}}
diff --git a/charts/monitor/values.yaml b/charts/monitor/values.yaml
index d1240dc..8af5d8d 100644
--- a/charts/monitor/values.yaml
+++ b/charts/monitor/values.yaml
@@ -49,3 +49,5 @@ global:
 # - on-cluster: Run Redis within the Kubernetes cluster
 # - off-cluster: Run Redis outside the Kubernetes cluster (configure in loggerRedis section)
 logger_redis_location: "on-cluster"
+ # Role-Based Access Control for Kubernetes >= 1.5
+ use_rbac: false
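Review bot: The ServiceAccount subject carries no `namespace`, and this diff neither creates a `deis-monitor-telegraf` ServiceAccount nor sets `serviceAccountName` on the telegraf pod, so the binding only takes effect if the chart already does both — worth confirming, because a pod still running as `default` gains nothing from the new Role. Helm places the Role and RoleBinding in the release namespace, and the API server appears to accept a ServiceAccount subject without one as local to the binding, but making it explicit avoids a surprise if this subject is ever copied into a ClusterRoleBinding: add `  namespace: {{ .Release.Namespace }}` under the subject's `name`. The literal `apiGroup: rbac.authorization.k8s.io` in `roleRef` is correct for both versions the helper can select, since it names the group rather than the version.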
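Review bot: `ge .Capabilities.KubeVersion.Minor "6"` compares strings, so a two-digit minor such as "10" sorts below "6" and the helper falls back to `rbac.authorization.k8s.io/v1alpha1`; on a cluster that does not serve v1alpha1 the `APIVersions.Has` guards in the Role and RoleBinding templates then render nothing, RBAC is silently skipped and telegraf runs with no pod access. Since both templates already probe `.Capabilities.APIVersions`, select the version the same way instead of parsing the minor: `{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}`. That also copes with vendor-suffixed minors such as `6+`, which the string comparison only handles by accident. The header comment should then say the v1alpha1 branch is the 1.5 fallback, so nobody reads the helper as supporting every future version.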
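Review bot: The comment on `use_rbac` gives a version floor but not what the flag does or why it defaults to off; on an RBAC-only cluster the default leaves telegraf without the pod permission the new Role grants, which is exactly the case the commit says it addresses. Suggested wording: `# Create a Role/RoleBinding granting deis-monitor-telegraf read access to pods. Required on clusters that enforce RBAC (Kubernetes >= 1.5); set to true there.` `false` is used as a real boolean by the templates' `if`, so leaving it unquoted is correct.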