From b08f3448bd6a964bbfa431cd767024e2920d7ce6 Mon Sep 17 00:00:00 2001
From: Jared Rodriguez
Date: Tue, 4 Feb 2020 11:38:09 -0600
Subject: [PATCH] [opsportal] add opsportal RBAC roles add kibana roles
---
.../templates/ingress-opsportal-roles.yaml | 57 ++++++++++++++++++
stable/opsportal/templates/kibana-roles.yaml | 60 +++++++++++++++++++
stable/opsportal/values.yaml | 8 +++
3 files changed, 125 insertions(+)
create mode 100644 stable/opsportal/templates/ingress-opsportal-roles.yaml
create mode 100644 stable/opsportal/templates/kibana-roles.yaml
diff --git a/stable/opsportal/templates/ingress-opsportal-roles.yaml b/stable/opsportal/templates/ingress-opsportal-roles.yaml
new file mode 100644
index 000000000..4e3de68d0
--- /dev/null
+++ b/stable/opsportal/templates/ingress-opsportal-roles.yaml
@@ -0,0 +1,57 @@
+{{- if .Values.opsportalRBAC.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "opsportal.fullname" . }}-admin
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- nonResourceURLs:
+ - {{ .Values.opsportalRBAC.path | trimSuffix "/"}}
+ - {{ .Values.opsportalRBAC.path | trimSuffix "/" }}/*
+ verbs:
+ - get
+ - head
+ - post
+ - put
+ - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "opsportal.fullname" . }}-view
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- nonResourceURLs:
+ - {{ .Values.opsportalRBAC.path | trimSuffix "/"}}
+ - {{ .Values.opsportalRBAC.path | trimSuffix "/" }}/*
+ verbs:
+ - get
+ - head
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "opsportal.fullname" . }}-edit
+ labels:
+ app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+ app.kubernetes.io/instance: {{ .Release.Name | quote }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+rules:
+- nonResourceURLs:
+ - {{ .Values.opsportalRBAC.path | trimSuffix "/"}}
+ - {{ .Values.opsportalRBAC.path | trimSuffix "/" }}/*
+ verbs:
+ - get
+ - head
+ - post
+ - put
+{{- end }}
diff --git a/stable/opsportal/templates/kibana-roles.yaml b/stable/opsportal/templates/kibana-roles.yaml
new file mode 100644
index 000000000..2d8e0188c
--- /dev/null
+++ b/stable/opsportal/templates/kibana-roles.yaml
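Review bot: The `nonResourceURLs` entries in all three ClusterRoles are rendered from `.Values.opsportalRBAC.path` with no quoting and no check that the trimmed value is non-empty. If the value is ever set to `/` or left empty, the first entry renders as an empty item and the second as `/*`, which is a wildcard over every non-resource path rather than the portal prefix, and the admin role would carry `delete` on it. I would quote both entries and fail the render on an empty result, e.g. `- {{ required "opsportalRBAC.path must be set" .Values.opsportalRBAC.path | trimSuffix "/" | quote }}`, plus an explicit `fail` when the trimmed path is empty. The same pattern is used for `.Values.kibanaRBAC.path` in kibana-roles.yaml. Separately, `app.kubernetes.io/version: {{ .Chart.AppVersion }}` is the only label here without `| quote`, so a numeric-looking appVersion would render as a non-string label value.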
@@ -0,0 +1,60 @@
+## Kibana is deployed from an upstream chart so we must introduce a temporary
+## cross application dependency
+## This template should be removed in 1.4 https://jira.d2iq.com/browse/D2IQ-63746
+{{- if .Values.kibanaRBAC.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "opsportal.fullname" . }}-kibana-edit
+ lables:
+ app: {{ template "opsportal.fullname" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- nonResourceURLs:
+ - {{ .Values.kibanaRBAC.path | trimSuffix "/"}}
+ - {{ .Values.kibanaRBAC.path | trimSuffix "/" }}/*
+ verbs:
+ - get
+ - head
+ - post
+ - put
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "opsportal.fullname" . }}-kibana-admin
+ lables:
+ app: {{ template "opsportal.fullname" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- nonResourceURLs:
+ - {{ .Values.kibanaRBAC.path | trimSuffix "/"}}
+ - {{ .Values.kibanaRBAC.path | trimSuffix "/" }}/*
+ verbs:
+ - get
+ - head
+ - post
+ - put
+ - delete
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "opsportal.fullname" . }}-kibana-view
+ lables:
+ app: {{ template "opsportal.fullname" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+rules:
+- nonResourceURLs:
+ - {{ .Values.kibanaRBAC.path | trimSuffix "/"}}
+ - {{ .Values.kibanaRBAC.path | trimSuffix "/" }}/*
+ verbs:
+ - get
+ - head
+{{- end }}
diff --git a/stable/opsportal/values.yaml b/stable/opsportal/values.yaml
index 082034fc5..bd972cc42 100644
--- a/stable/opsportal/values.yaml
+++ b/stable/opsportal/values.yaml
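Review bot: `lables:` under `metadata` is a misspelling of `labels:` in all three Kibana ClusterRoles, so the `app`, `app.kubernetes.io/instance` and `app.kubernetes.io/managed-by` entries are never applied as labels; depending on how strictly the manifest is validated, the unknown field is either dropped or the object is rejected. Change each to `labels:` and quote the values the way ingress-opsportal-roles.yaml does, e.g. `app.kubernetes.io/instance: {{ .Release.Name | quote }}`. Without the labels, these cluster-wide roles cannot be found by a label selector when auditing or cleaning up what the release installed.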
@@ -74,3 +74,11 @@ kommander-ui:
 traefik.ingress.kubernetes.io/auth-type: forward
 traefik.ingress.kubernetes.io/auth-url: http://traefik-forward-auth-kubeaddons.kubeaddons.svc.cluster.local:4181/
 traefik.ingress.kubernetes.io/auth-response-headers: X-Forwarded-User
+
+opsportalRBAC:
+ enabled: true
+ path: /ops/portal
+
+kibanaRBAC:
+ enabled: true
+ path: /ops/portal/kibana
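Review bot: The default `kibanaRBAC.path: /ops/portal/kibana` sits underneath `opsportalRBAC.path: /ops/portal`, and the opsportal roles are rendered with a `/ops/portal/*` rule. In Kubernetes RBAC a trailing `*` on a non-resource URL is a prefix match, so, assuming the forward-auth layer evaluates these roles that way, a subject bound to the opsportal `-view`, `-edit` or `-admin` role is also granted the same verbs on every Kibana path. The separate Kibana roles then only narrow access and never isolate it. If that is intended, say so next to the values, e.g. `# opsportal roles match <path>/* and therefore also cover kibanaRBAC.path`; if not, the two paths need to be disjoint. The new keys also have no comments describing what `enabled` and `path` control.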