

EKS IDP roles added reader (#1089)
goruha authored Aug 1, 2024
1 parent ffd1fb6 commit 2198e8e
Showing 5 changed files with 76 additions and 2 deletions.
4 changes: 2 additions & 2 deletions modules/eks/idp-roles/charts/idp-roles/Chart.yaml
Expand Up @@ -15,10 +15,10 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0
version: 0.2.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
# follow Semantic Versioning. They should reflect the version the application is using.
# It is recommended to use it with quotes.
appVersion: "0.1.0"
appVersion: "0.2.0"
@@ -0,0 +1,42 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: "{{ .Values.reader_cluster_role }}-extra"
labels:
rbac.authorization.k8s.io/aggregate-to-reader: "true"
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- get
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- get
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- list
- get
- apiGroups:
- karpenter.k8s.aws
resources:
- ec2nodeclasses
verbs:
- list
- get
- apiGroups:
- karpenter.sh
resources:
- nodepools
verbs:
- list
- get
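Review bot: The first rule grants `list` and `get` on core `secrets` cluster-wide to everything that aggregates into the reader role, and both verbs return the full Secret object including `data`, so a holder of this role can read every credential on the cluster; the built-in `view` ClusterRole leaves secrets out for exactly this reason. Unless reading all Secrets is intended for this role, drop that rule, or confine secret access to namespaced Roles where it is actually needed. If it is intended, state it above the rule, e.g. `# Reader can read all Secrets cluster-wide (intentional; treat idp:reader as a privileged role)`.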
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Values.reader_cluster_role | quote }}
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-observer: "true"
- matchLabels:
rbac.authorization.k8s.io/aggregate-to-reader: "true"
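Review bot: Nothing in this template explains why the reader role aggregates `aggregate-to-observer` in addition to the built-in `aggregate-to-view`, so someone reading the rendered RBAC cannot tell what permission set is intended; a comment above `clusterRoleSelectors`, e.g. `# reader = built-in view + idp observer + the reader-extra rules`, would make that explicit. Aggregation is a union over every ClusterRole carrying any of these labels, so any future ClusterRole labelled for observer silently widens reader as well; if that coupling is not wanted, select only `aggregate-to-reader` and put the observer rules the reader needs into the reader-extra role. The observer role's contents are not visible in this commit, so the extent of the overlap is inferred.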
@@ -0,0 +1,15 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Values.reader_crb_name | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Values.reader_cluster_role | quote }}
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: {{ .Values.reader_client_role | quote }}
- apiGroup: rbac.authorization.k8s.io
kind: User
name: {{ .Values.reader_client_role | quote }}
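Review bot: The same `reader_client_role` value is bound twice, once as a `Group` and once as a `User`, with no comment saying why; presumably this mirrors the existing observer/poweruser bindings (not shown here) so the IdP can present the role either as a group claim or as a username, but that should be stated above `subjects:`, e.g. `# Bound as both Group and User so either IdP mapping of the role grants access`. Because this is a ClusterRoleBinding the grant applies in every namespace, which together with the secrets read in the reader-extra role makes `idp:reader` a cluster-wide Secret reader.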
5 changes: 5 additions & 0 deletions modules/eks/idp-roles/charts/idp-roles/values.yaml
Expand Up @@ -27,3 +27,8 @@ poweruser_client_role: "idp:poweruser"
observer_crb_name: "idp-observer"
observer_cluster_role: "idp-observer"
observer_client_role: "idp:observer"

# Reader
reader_crb_name: "idp-reader"
reader_cluster_role: "idp-reader"
reader_client_role: "idp:reader"
