chart/library/common/docs/rbac.md
Stavros Kois 929e60d801 NAS-121003 / 23.10 / Adapt charts CI and improve/fix common (#1011)
* Adapt charts CI and improve/fix common

* add check on permissions container

* add postgres template

* update comments

* Update create_app.sh

* add check

* update script

* auto gen item.yaml from Chart.yaml

* rename readme on dest

* duplicate readme from the same source

* correct comment

* reorder

* remove extra space

* keep both README and app-readme

* update regex, to also allow 2 letter names, which is also valid

* No need to check host network if there aren't any pod values

* use same pattern as the pod.name label (not prepending release-name

* update deps

* add chart dirs to ci

* Add a validation to check if there is any yaml errors after merging files

* update charts path on ci

* common/1.0.0/ -> common/

* update common-test dep path

* temp update create_app script

* make permissions container name configurable, in case we want to change order of execution

* update naming convention

* fix typo and a missed name change

* do not allow `--` in names
2023-03-16 17:36:19 +02:00

5.3 KiB

RBAC

| Key | Type | Required | Helm Template | Default | Description |
|---|---|---|---|---|---|
| rbac | dict | | | {} | Define the rbac as dicts |
| rbac.[rbac-name] | dict | | | {} | Holds rbac definition |
| rbac.[rbac-name].enabled | boolean | | | false | Enables or Disables the rbac |
| rbac.[rbac-name].primary | boolean | | | false | Sets the rbac as primary |
| rbac.[rbac-name].clusterWide | boolean | | | false | Sets the rbac as cluster wide (ClusterRole, ClusterRoleBinding) |
| rbac.[rbac-name].labels | dict | | (On value only) | {} | Additional labels for rbac |
| rbac.[rbac-name].annotations | dict | | (On value only) | {} | Additional annotations for rbac |
| rbac.[rbac-name].allServiceAccounts | boolean | | | | Whether to assign all service accounts or not to the (Cluster)RoleBinding |
| rbac.[rbac-name].serviceAccounts | list | | | [] | Define the service account(s) to assign the (Cluster)RoleBinding |
| rbac.[rbac-name].rules | list | | | [] | Define the rules for the (Cluster)Role |
| rbac.[rbac-name].rules.apiGroups | list | | | [] | Define the apiGroups list for the rules for the (Cluster)Role |
| rbac.[rbac-name].rules.apiGroups.[entry] | string | | | | Entry of the apiGroups |
| rbac.[rbac-name].rules.resources | list | | | [] | Define the resources list for the rules for the (Cluster)Role |
| rbac.[rbac-name].rules.resources.[entry] | string | | | | Entry of the resources |
| rbac.[rbac-name].rules.verbs | list | | | [] | Define the verbs list for the rules for the (Cluster)Role |
| rbac.[rbac-name].rules.verbs.[entry] | string | | | | Entry of the verbs |
| rbac.[rbac-name].subjects | list | | | [] | Define subjects for (Cluster)RoleBinding |
| rbac.[rbac-name].subjects.kind | string | | | "" | Define the kind of subjects entry |
| rbac.[rbac-name].subjects.name | string | | | "" | Define the name of subjects entry |
| rbac.[rbac-name].subjects.apiGroup | string | | | "" | Define the apiGroup of subjects entry |

When allServiceAccounts is true, all serviceAccount(s) are assigned to the (Cluster)RoleBinding (serviceAccounts is ignored in this case).

When serviceAccounts is a list, each entry is a string with the name of a serviceAccount that will be assigned to the (Cluster)RoleBinding. It can have multiple entries.

When serviceAccounts is empty, the primary serviceAccount is assigned to the primary rbac.


Appears in:

  • .Values.rbac

Naming scheme:

  • Primary: $FullName (release-name-chart-name)
  • Non-Primary: $FullName-$RBACName (release-name-chart-name-RBACName)

Examples:

```yaml
rbac:
  rbac-name:
    enabled: true
    # Primary rbac: named $FullName
    primary: true
    # Renders a ClusterRole and ClusterRoleBinding
    clusterWide: true
    labels:
      key: value
      keytpl: "{{ .Values.some.value }}"
    annotations:
      key: value
      keytpl: "{{ .Values.some.value }}"
    # Assigns all service accounts; serviceAccounts is ignored
    allServiceAccounts: true
    rules:
      - apiGroups:
          - ""
        resources:
          - "{{ .Values.some.value }}"
        verbs:
          - get
          - "{{ .Values.some.value }}"
          - watch
    subjects:
      - kind: my-kind
        name: "{{ .Values.some.value }}"
        apiGroup: my-api-group

  # Non-primary rbac: named $FullName-other-rbac-name
  other-rbac-name:
    enabled: true
    # Only the listed service account(s) are assigned
    serviceAccounts:
      - service-account-name
    rules:
      - apiGroups:
          - ""
        resources:
          - pods
        verbs:
          - get
          - list
          - watch
    subjects:
      - kind: my-kind
        name: my-name
        apiGroup: my-api-group
```
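
The assignment rules and naming scheme documented above decide which service accounts end up holding which permissions, so they are worth checking on a values file before it is deployed. The following is an added example, not code from this chart library: it models the documented behaviour in Python and goes slightly beyond the page by also flagging `*` wildcards and templated rule entries. The function name `audit_rbac`, the service account names and the handling of a non-primary rbac with no serviceAccounts are assumptions.

```python
def audit_rbac(full_name, rbac_values, all_service_accounts, primary_sa):
    """Resolve each enabled rbac entry to name, kind, bound accounts, findings."""
    report = {}
    for key, cfg in rbac_values.items():
        if not cfg.get("enabled", False):  # documented default is false
            continue
        primary = cfg.get("primary", False)
        cluster = cfg.get("clusterWide", False)
        # Naming scheme from the page: $FullName or $FullName-$RBACName
        name = full_name if primary else f"{full_name}-{key}"
        if cfg.get("allServiceAccounts"):
            bound = list(all_service_accounts)  # serviceAccounts is ignored
        elif cfg.get("serviceAccounts"):
            bound = list(cfg["serviceAccounts"])
        elif primary:
            bound = [primary_sa]  # empty list on the primary rbac
        else:
            bound = []  # assumption: the page does not define this case
        findings = []
        if cluster and cfg.get("allServiceAccounts"):
            findings.append("cluster-wide role bound to every service account")
        for rule in cfg.get("rules", []):
            for field in ("apiGroups", "resources", "verbs"):
                for entry in rule.get(field, []):
                    if entry == "*":
                        findings.append(f"wildcard in {field}")
                    elif "{{" in entry:
                        findings.append(f"templated {field} entry: review rendered value")
        report[name] = {"kind": "ClusterRole" if cluster else "Role",
                        "serviceAccounts": bound, "findings": findings}
    return report

# Constructed sample values, modelled on the examples in this document.
SAMPLE = {
    "rbac-name": {
        "enabled": True, "primary": True, "clusterWide": True, "allServiceAccounts": True,
        "rules": [{"apiGroups": [""], "resources": ["{{ .Values.some.value }}"],
                   "verbs": ["get", "{{ .Values.some.value }}", "watch"]}],
    },
    "other-rbac-name": {
        "enabled": True, "serviceAccounts": ["service-account-name"],
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["get", "list", "watch"]}],
    },
}
# Hypothetical service account names for the release.
ACCOUNTS = ["release-name-chart-name", "release-name-chart-name-other"]
REPORT = audit_rbac("release-name-chart-name", SAMPLE, ACCOUNTS, ACCOUNTS[0])
```

Templated entries are reported rather than evaluated, because their effective value is only known after Helm renders the chart.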