mirror of https://github.com/kyverno/kyverno.git synced 2025-03-31 03:45:17 +00:00

feat: add cluster role aggregation to cleanup controller (#5966)

* feat: add cluster role aggregation to cleanup controller

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* codegen

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* convention

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
Charles-Edouard Brétéché 2023-01-10 22:54:27 +01:00 committed by GitHub
parent 2a22e8762a
commit 7781cb5718
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 52 additions and 12 deletions


@ -31,6 +31,10 @@ app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
{{- end -}}
{{- define "kyverno.cleanup-controller.roleName" -}}
{{ .Release.Name }}:cleanup-controller
{{- end -}}
{{/* Create the name of the service account to use */}}
{{- define "kyverno.cleanup-controller.serviceAccountName" -}}
{{- if .Values.cleanupController.rbac.create -}}
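Review bot: The new `kyverno.cleanup-controller.roleName` define has no comment, unlike the `serviceAccountName` helper directly below it, even though the rest of this commit makes it the shared base name for the ClusterRole, ClusterRoleBinding, Role and RoleBinding. A one-line comment such as `{{/* Base name of the cleanup controller RBAC objects; the ClusterRoles append :core and :additional */}}` would record that. It also builds the name from `.Release.Name`, while the ClusterRole name it replaces used the `kyverno.name` helper, so if the two can differ (that helper is not visible here) the cluster-scoped object names change on upgrade, and anything outside the chart that references the old names should be checked. The `serviceAccountName` define continues outside the hunk.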


@ -3,7 +3,18 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.name" . }}:cleanup-controller
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
{{- include "kyverno.cleanup-controller.matchLabels" . | nindent 8 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" . }}:core
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
rules:
@ -53,7 +64,15 @@ rules:
- list
- update
- watch
{{- with .Values.cleanupController.rbac.clusterRole.extraResources }}
{{- with .Values.cleanupController.rbac.clusterRole.extraResources }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kyverno.cleanup-controller.roleName" $ }}:additional
labels:
{{- include "kyverno.cleanup-controller.labels" $ | nindent 4 }}
rules:
{{- range . }}
- apiGroups:
{{- toYaml .apiGroups | nindent 6 }}
@ -63,6 +82,6 @@ rules:
- delete
- list
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
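Review bot: The `aggregationRule` on the top-level ClusterRole selects on the component's ordinary labels via `kyverno.cleanup-controller.matchLabels`, so any ClusterRole in the cluster that carries those labels is merged into the role bound to the cleanup controller's service account, not just the `:core` and `:additional` roles defined here. The aggregate also carries `kyverno.cleanup-controller.labels`, which in the rendered manifest contain the same three keys, so it appears to match its own selector. A dedicated opt-in label, in the style of the built-in `rbac.authorization.k8s.io/aggregate-to-*` labels, keeps the grant surface explicit and auditable: set something like `<aggregation-label-placeholder>: "true"` only on the `:core` and `:additional` roles and select on that key. A template comment above `aggregationRule` saying that rules belong in the `:core`/`:additional` roles, because the control plane overwrites `rules` on an aggregated ClusterRole, would help the next maintainer. The `with`/`range` block around the `:additional` role is only partly visible in these hunks.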


@ -3,13 +3,13 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kyverno.name" . }}:cleanup-controller
name: {{ template "kyverno.cleanup-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}


@ -3,7 +3,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}


@ -3,14 +3,14 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "kyverno.cleanup-controller.name" . }}
name: {{ template "kyverno.cleanup-controller.roleName" . }}
labels:
{{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
namespace: {{ template "kyverno.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "kyverno.cleanup-controller.name" . }}
name: {{ template "kyverno.cleanup-controller.roleName" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}


@ -31446,6 +31446,23 @@ metadata:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/instance: kyverno
aggregationRule:
clusterRoleSelectors:
- matchLabels:
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/instance: kyverno
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:cleanup-controller:core
labels:
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
app.kubernetes.io/component: cleanup-controller
app.kubernetes.io/name: kyverno-cleanup-controller
app.kubernetes.io/instance: kyverno
rules:
- apiGroups:
- admissionregistration.k8s.io
@ -31700,7 +31717,7 @@ rules:
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno-cleanup-controller
name: kyverno:cleanup-controller
labels:
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
@ -31738,7 +31755,7 @@ subjects:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: kyverno-cleanup-controller
name: kyverno:cleanup-controller
labels:
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
@ -31812,7 +31829,7 @@ rules:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kyverno-cleanup-controller
name: kyverno:cleanup-controller
labels:
app.kubernetes.io/part-of: kyverno
app.kubernetes.io/version: latest
@ -31823,7 +31840,7 @@ metadata:
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kyverno-cleanup-controller
name: kyverno:cleanup-controller
subjects:
- kind: ServiceAccount
name: kyverno-cleanup-controller