changed scc rbac

2022-04-10 18:28:36 +02:00 · 2022-04-10 18:28:36 +02:00 · d9cdf8a9b9
commit d9cdf8a9b9
parent 4d27eb3a94
3 changed files with 53 additions and 11 deletions
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml
@ -21,15 +21,4 @@ rules:
    verbs:
      - get
      - create
-{{- if .Values.securityContextConstraints.enabled }}
-  - apiGroups: ['security.openshift.io']
-    resources: ['securitycontextconstraints']
-    verbs:     ['use']
-    resourceNames:
-    {{- with .Values.controller.admissionWebhooks.existingScc }}
-    - {{ . }}
-    {{- else }}
-    - {{ include "ingress-nginx.fullname" . }}-admission
-    {{- end }}
-{{- end }}
 {{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc-rbac.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc-rbac.yaml
@ -0,0 +1,52 @@
+{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.securityContextConstraints.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name:  {{ include "ingress-nginx.fullname" . }}-admission-scc
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+rules:
+{{- if .Values.securityContextConstraints.enabled }}
+  - apiGroups: ['security.openshift.io']
+    resources: ['securitycontextconstraints']
+    verbs:     ['use']
+    resourceNames:
+    {{- with .Values.controller.admissionWebhooks.existingScc }}
+    - {{ . }}
+    {{- else }}
+    - {{ include "ingress-nginx.fullname" . }}-admission-scc
+    {{- end }}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "ingress-nginx.fullname" . }}-admission-scc
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+  labels:
+    {{- include "ingress-nginx.labels" . | nindent 4 }}
+    app.kubernetes.io/component: admission-webhook
+    {{- with .Values.controller.admissionWebhooks.patch.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "ingress-nginx.fullname" . }}-admission-scc
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "ingress-nginx.fullname" . }}-admission
+    namespace: {{ .Release.Namespace | quote }}
+---
+{{- end }}
--- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
+++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/scc.yaml
@ -37,4 +37,5 @@ volumes:
 - projected
 - secret
 - downwardAPI
+---
 {{- end }}