From d9cdf8a9b9f377e7b16c9a6e5eba7afc218e8a31 Mon Sep 17 00:00:00 2001
From: Anas El Barkani
Date: Sun, 10 Apr 2022 18:28:36 +0200
Subject: [PATCH] changed scc rbac

---
 .../admission-webhooks/job-patch/role.yaml | 11 ----
 .../job-patch/scc-rbac.yaml | 52 +++++++++++++++++++
 .../admission-webhooks/job-patch/scc.yaml | 1 +
 3 files changed, 53 insertions(+), 11 deletions(-)
 create mode 100644 charts/ingress-nginx/templates/admission-webhooks/job-patch/scc-rbac.yaml

diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
index a4b0440a2..795bac6b9 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@@ -21,15 +21,4 @@ rules:
 verbs:
 - get
 - create
-{{- if .Values.securityContextConstraints.enabled }}
- - apiGroups: ['security.openshift.io']
- resources: ['securitycontextconstraints']
- verbs: ['use']
- resourceNames:
- {{- with .Values.controller.admissionWebhooks.existingScc }}
- - {{ . }}
- {{- else }}
- - {{ include "ingress-nginx.fullname" . }}-admission
- {{- end }}
-{{- end }}
 {{- end }}
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc-rbac.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc-rbac.yaml
new file mode 100644
index 000000000..ee814ed94
--- /dev/null
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc-rbac.yaml
@@ -0,0 +1,52 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.securityContextConstraints.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-scc
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+{{- if .Values.securityContextConstraints.enabled }}
+ - apiGroups: ['security.openshift.io']
+ resources: ['securitycontextconstraints']
+ verbs: ['use']
+ resourceNames:
+ {{- with .Values.controller.admissionWebhooks.existingScc }}
+ - {{ . }}
+ {{- else }}
+ - {{ include "ingress-nginx.fullname" . }}-admission-scc
+ {{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "ingress-nginx.fullname" . }}-admission-scc
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+ labels:
+ {{- include "ingress-nginx.labels" . | nindent 4 }}
+ app.kubernetes.io/component: admission-webhook
+ {{- with .Values.controller.admissionWebhooks.patch.labels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "ingress-nginx.fullname" . }}-admission-scc
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "ingress-nginx.fullname" . }}-admission
+ namespace: {{ .Release.Namespace | quote }}
+---
+{{- end }}
\ No newline at end of file
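Review bot: The default `resourceNames` entry in the new Role grants `use` on an SCC named `{{ include "ingress-nginx.fullname" . }}-admission-scc`, while the rule this same patch removes from role.yaml referenced `{{ include "ingress-nginx.fullname" . }}-admission`, and the scc.yaml hunk does not show the SCC's `metadata.name` being renamed (it is outside that hunk). If the SCC kept its old name, this binding targets a non-existent SCC and the admission patch job's pods will not be admitted under the SCC this chart defines on OpenShift, but under whatever SCC the service account can already use, or not at all. Either rename the SCC to match or restore the old default here, `- {{ include "ingress-nginx.fullname" . }}-admission`, and confirm with `helm template` that the rendered SCC name and the `resourceNames` entry agree. Separately, the inner `{{- if .Values.securityContextConstraints.enabled }}` around `rules:` repeats the file's outer guard and can be dropped, and the file should end with a trailing newline.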
diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
index 0f8395452..b2fdac8b1 100644
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
@@ -37,4 +37,5 @@ volumes:
 - projected
 - secret
 - downwardAPI
+---
 {{- end }}