ZeroDownTime/KubeZero
3
0
Fork 0
Code Issues 1 Pull Requests 26 Packages Projects Releases Wiki Activity
04063f8739
KubeZero/charts/kubezero-operators/charts/eck-operator/templates/role-bindings.yaml

81 lines
2.3 KiB
YAML
Raw Blame History

{{- $operatorNSIsManaged := has .Release.Namespace .Values.managedNamespaces -}}
{{- $fullName := include "eck-operator.fullname" . -}}
{{- $svcAccount := include "eck-operator.serviceAccountName" . }}
{{- if not .Values.createClusterScopedResources }}
{{- range .Values.managedNamespaces }}
{{- $namespace := . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: "{{ $fullName }}"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" $ | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ $fullName }}"
namespace: {{ $namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ $fullName }}"
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }} {{- /* end of range over managed namespaces */}}
{{- /* If createClusterScopedResources is false and operator namespace is not in the managed namespaces list, create additional role binding */}}
{{- if not $operatorNSIsManaged }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ $fullName }}
namespace: {{ $.Release.Namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
rules:
{{ template "eck-operator.rbacRules" $ | toYaml | indent 2 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: "{{ $fullName }}"
namespace: {{ $.Release.Namespace }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "{{ $fullName }}"
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }} {{- /* end of operator role binding if operator namespace is not managed */}}
{{- else }} {{- /* we can create cluster-scoped resources so just create a cluster role binding */}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ $fullName }}
labels:
{{- include "eck-operator.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ $fullName }}
subjects:
- kind: ServiceAccount
name: {{ $svcAccount }}
namespace: {{ $.Release.Namespace }}
{{- end }}
Reference in New Issue View Git Blame Copy Permalink