feat: add view aggregated cluster role support (#6350)
* feat: add view aggregated cluster role support Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release note Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: treydock <tdockendorf@osc.edu>
This commit is contained in:
parent
3653130806
commit
3331b13561
10 changed files with 95 additions and 14 deletions
|
@ -32,3 +32,5 @@ annotations:
|
||||||
description: no deployments can run with 0 replicas
|
description: no deployments can run with 0 replicas
|
||||||
- kind: changed
|
- kind: changed
|
||||||
description: change dashboard title of kyverno grafana dashboard
|
description: change dashboard title of kyverno grafana dashboard
|
||||||
|
- kind: added
|
||||||
|
description: view aggregated cluster role support
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
{{/* vim: set filetype=mustache: */}}
|
{{/* vim: set filetype=mustache: */}}
|
||||||
|
|
||||||
{{- define "kyverno.rbac.labels" -}}
|
{{- define "kyverno.rbac.labels.admin" -}}
|
||||||
{{- template "kyverno.labels.merge" (list
|
{{- template "kyverno.labels.merge" (list
|
||||||
(include "kyverno.labels.common" .)
|
(include "kyverno.labels.common" .)
|
||||||
(include "kyverno.rbac.matchLabels" .)
|
(include "kyverno.rbac.matchLabels" .)
|
||||||
|
@ -8,6 +8,14 @@
|
||||||
) -}}
|
) -}}
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
|
{{- define "kyverno.rbac.labels.view" -}}
|
||||||
|
{{- template "kyverno.labels.merge" (list
|
||||||
|
(include "kyverno.labels.common" .)
|
||||||
|
(include "kyverno.rbac.matchLabels" .)
|
||||||
|
"rbac.authorization.k8s.io/aggregate-to-view: 'true'"
|
||||||
|
) -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "kyverno.rbac.matchLabels" -}}
|
{{- define "kyverno.rbac.matchLabels" -}}
|
||||||
{{- template "kyverno.labels.merge" (list
|
{{- template "kyverno.labels.merge" (list
|
||||||
(include "kyverno.matchLabels.common" .)
|
(include "kyverno.matchLabels.common" .)
|
||||||
|
@ -16,5 +24,5 @@
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
||||||
{{- define "kyverno.rbac.roleName" -}}
|
{{- define "kyverno.rbac.roleName" -}}
|
||||||
{{ .Release.Name }}:admin
|
{{ .Release.Name }}:rbac
|
||||||
{{- end -}}
|
{{- end -}}
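Review bot: Changing `kyverno.rbac.roleName` from `{{ .Release.Name }}:admin` to `{{ .Release.Name }}:rbac` renames every existing aggregated ClusterRole on upgrade (the kuttl expectations in this same commit show `kyverno:admin:policies` becoming `kyverno:rbac:admin:policies`), so any ClusterRoleBinding or RoleBinding that referenced the old names directly silently stops granting anything after `helm upgrade`, while Helm deletes the old objects. Aggregation into the built-in `admin` role is unaffected because it keys on the label, but direct bindings are not, and the release note only says "view aggregated cluster role support". Either keep the old names for the admin roles (e.g. `{{ .Release.Name }}:admin` with the view roles at `{{ .Release.Name }}:view`) or state the rename as a breaking change in the release note. The `kyverno.rbac.labels.view` helper also hardcodes `aggregate-to-view: 'true'` with no way to opt out; a comment above it such as `{{/* Labels for roles aggregated into the built-in "view" ClusterRole; applied cluster-wide, see docs */}}` would at least make the scope explicit.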
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "kyverno.rbac.roleName" . }}:policies
|
name: {{ template "kyverno.rbac.roleName" . }}:admin:policies
|
||||||
labels:
|
labels:
|
||||||
{{- include "kyverno.rbac.labels" . | nindent 4 }}
|
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- kyverno.io
|
- kyverno.io
|
||||||
|
@ -21,4 +21,23 @@ rules:
|
||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kyverno.rbac.roleName" . }}:view:policies
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- kyverno.io
|
||||||
|
resources:
|
||||||
|
- cleanuppolicies
|
||||||
|
- clustercleanuppolicies
|
||||||
|
- policies
|
||||||
|
- clusterpolicies
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
{{- end -}}
|
{{- end -}}
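Review bot: The new `:view:policies` ClusterRole is emitted unconditionally inside the same enclosing block as the admin role (the `{{- end -}}` that closes it starts outside this hunk), so there is no way to install the chart with admin aggregation but without extending the cluster's built-in `view` role. Because `aggregate-to-view` is picked up by every RoleBinding and ClusterRoleBinding to `view` in the cluster, this is a global RBAC change that operators may not want; a dedicated values flag gating the view role, checked with `{{- if <flag> }}` around the second document, would keep the default least-privilege. The admin role's resource list also starts outside the hunk, so parity between the admin and view resource lists could not be checked here.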
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "kyverno.rbac.roleName" . }}:policyreports
|
name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports
|
||||||
labels:
|
labels:
|
||||||
{{- include "kyverno.rbac.labels" . | nindent 4 }}
|
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- wgpolicyk8s.io
|
- wgpolicyk8s.io
|
||||||
|
@ -19,4 +19,21 @@ rules:
|
||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- wgpolicyk8s.io
|
||||||
|
resources:
|
||||||
|
- policyreports
|
||||||
|
- clusterpolicyreports
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
{{- end -}}
|
{{- end -}}
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "kyverno.rbac.roleName" . }}:reports
|
name: {{ template "kyverno.rbac.roleName" . }}:admin:reports
|
||||||
labels:
|
labels:
|
||||||
{{- include "kyverno.rbac.labels" . | nindent 4 }}
|
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- kyverno.io
|
- kyverno.io
|
||||||
|
@ -21,4 +21,23 @@ rules:
|
||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kyverno.rbac.roleName" . }}:view:reports
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- kyverno.io
|
||||||
|
resources:
|
||||||
|
- admissionreports
|
||||||
|
- clusteradmissionreports
|
||||||
|
- backgroundscanreports
|
||||||
|
- clusterbackgroundscanreports
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
{{- end -}}
|
{{- end -}}
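Review bot: The `:view:reports` role exposes `admissionreports`, `clusteradmissionreports`, `backgroundscanreports` and `clusterbackgroundscanreports` to every subject bound to the built-in `view` role; as far as the names suggest these are Kyverno's intermediate per-resource reports rather than the user-facing `policyreports`, which already get their own view role in this commit. If that is the case, least privilege argues for leaving them out of `view` (or gating them separately), since end users reading results via `kubectl get policyreport` do not need the intermediate objects and their presence only widens the read surface. Worth confirming against the Kyverno reports docs before merging; if they are kept, a short comment above the document stating why `view` needs them would help the next maintainer.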
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: {{ template "kyverno.rbac.roleName" . }}:updaterequests
|
name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests
|
||||||
labels:
|
labels:
|
||||||
{{- include "kyverno.rbac.labels" . | nindent 4 }}
|
{{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- kyverno.io
|
- kyverno.io
|
||||||
|
@ -18,4 +18,20 @@ rules:
|
||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- watch
|
- watch
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRole
|
||||||
|
metadata:
|
||||||
|
name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests
|
||||||
|
labels:
|
||||||
|
{{- include "kyverno.rbac.labels.view" . | nindent 4 }}
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- kyverno.io
|
||||||
|
resources:
|
||||||
|
- updaterequests
|
||||||
|
verbs:
|
||||||
|
- get
|
||||||
|
- list
|
||||||
|
- watch
|
||||||
{{- end -}}
|
{{- end -}}
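Review bot: Granting `get`/`list`/`watch` on `updaterequests` to the built-in `view` role deserves a closer look than the other view roles: an UpdateRequest carries the context of the admission request that triggered a generate/mutate rule, and if that context embeds the triggering object in full (verify against the UpdateRequest CRD), a rule triggered by a Secret or other sensitive resource would make that content readable to subjects who are deliberately denied `secrets` by the `view` role. Kubernetes' own `view` aggregation excludes Secrets for exactly this reason, so either keep `updaterequests` out of the view role or document the accepted exposure with a comment above the document, e.g. `# NOTE: UpdateRequests may embed the triggering resource; exposed to "view" intentionally`. The enclosing conditional that this `{{- end -}}` closes starts outside the hunk.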
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: kyverno:admin:policies
|
name: kyverno:rbac:admin:policies
|
||||||
labels:
|
labels:
|
||||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
rules:
|
rules:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: kyverno:admin:policyreports
|
name: kyverno:rbac:admin:policyreports
|
||||||
labels:
|
labels:
|
||||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
rules:
|
rules:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: kyverno:admin:reports
|
name: kyverno:rbac:admin:reports
|
||||||
labels:
|
labels:
|
||||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
rules:
|
rules:
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
||||||
name: kyverno:admin:updaterequests
|
name: kyverno:rbac:admin:updaterequests
|
||||||
labels:
|
labels:
|
||||||
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
rbac.authorization.k8s.io/aggregate-to-admin: "true"
|
||||||
rules:
|
rules:
|
||||||
|
|