truenas/chart
1
0
Fork 0
mirror of https://github.com/truenas/charts.git synced 2026-02-10 05:46:45 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
e8e998f81e94de23d92f0973b82f182b35e141cd
chart/library/common/docs/rbac.md
Stavros Kois 929e60d801 NAS-121003 / 23.10 / Adapt charts CI and improve/fix common (#1011) 
* Adapt charts CI and improve/fix common

* add check on permissions contaienr

* add postgres template

* update comments

* Update create_app.sh

* add check

* update script

* auto gen item.yaml from Chart,yaml

* rename readme on dest

* duplicate readme from the same source

* correct comment

* reoder

* remove extra space

* keep both README and app-readme

* update regex, to also allow 2 letter names, which is also valid

* No need to check host network if there aren't any pod values

* use same pattern as the pod.name label (not prepending release-name

* update deps

* add chart dirs to ci

* Add a validation to check if there is any yaml errors after merging files

* update charts path on ci

* common/1.0.0/ -> common/

* update common-test dep path

* temp update create_app script

* make permissions container name configurable, incase we want to change order of execution

* update naming convention

* fix typo and a missed name change

* do not allow `--` in names
2023-03-16 17:36:19 +02:00

92 lines
5.3 KiB
Markdown
Raw Blame History

# RBAC
| Key | Type | Required | Helm Template | Default | Description |
| :--------------------------------------- | :-------: | :------: | :----------------: | :-----: | :------------------------------------------------------------------------ |
| rbac | `dict` | ❌ | ❌ | `{}` | Define the rbac as dicts |
| rbac.[rbac-name] | `dict` | ✅ | ❌ | `{}` | Holds rbac definition |
| rbac.[rbac-name].enabled | `boolean` | ✅ | ❌ | `false` | Enables or Disables the rbac |
| rbac.[rbac-name].primary | `boolean` | ❌ | ❌ | `false` | Sets the rbac as primary |
| rbac.[rbac-name].clusterWide | `boolean` | ❌ | ❌ | `false` | Sets the rbac as cluster wide (ClusterRole, ClusterRoleBinding) |
| rbac.[rbac-name].labels | `dict` | ❌ | ✅ (On value only) | `{}` | Additional labels for rbac |
| rbac.[rbac-name].annotations | `dict` | ❌ | ✅ (On value only) | `{}` | Additional annotations for rbac |
| rbac.[rbac-name].allServiceAccounts | `boolean` | ❌ | ❌ | | Whether to assign all service accounts or not to the (Cluster)RoleBinding |
| rbac.[rbac-name].serviceAccounts | `list` | ❌ | ❌ | `[]` | Define the service account(s) to assign the (Cluster)RoleBinding |
| rbac.[rbac-name].rules | `list` | ✅ | ❌ | `[]` | Define the `rules` for the (Cluster)Role |
| rbac.[rbac-name].rules.apiGroups | `list` | ✅ | ❌ | `[]` | Define the `apiGroups` list for the `rules` for the (Cluster)Role |
| rbac.[rbac-name].rules.apiGroups.[entry] | `string` | ✅ | ✅ | | Entry of the `apiGroups` |
| rbac.[rbac-name].rules.resources | `list` | ✅ | ❌ | `[]` | Define the `resources` list for the `rules` for the (Cluster)Role |
| rbac.[rbac-name].rules.resources.[entry] | `string` | ✅ | ✅ | | Entry of the `resources` |
| rbac.[rbac-name].rules.verbs | `list` | ✅ | ❌ | `[]` | Define the `verbs` list for the `rules` for the (Cluster)Role |
| rbac.[rbac-name].rules.verbs.[entry] | `string` | ✅ | ✅ | | Entry of the `verbs` |
| rbac.[rbac-name].subjects | `list` | ❌ | ❌ | `[]` | Define `subjects` for (Cluster)RoleBinding |
| rbac.[rbac-name].subjects.kind | `string` | ✅ | ✅ | `""` | Define the `kind` of `subjects` entry |
| rbac.[rbac-name].subjects.name | `string` | ✅ | ✅ | `""` | Define the `name` of `subjects` entry |
| rbac.[rbac-name].subjects.apiGroup | `string` | ✅ | ✅ | `""` | Define the `apiGroup` of `subjects` entry |
> When `allServiceAccounts` is `true`, it will assign the all the serviceAccount(s) to the (Cluster)RoleBinding (`serviceAccounts` is ignored in this case)
> When `serviceAccounts` is a list, each entry is a string with the serviceAccount name that will be assigned to the (Cluster)RoleBinding. Can have multiple entries.
> When `serviceAccounts` is a empty, it will assign the primary serviceAccount to the primary rbac
---
Appears in:
- `.Values.rbac`
---
Naming scheme:
- Primary: `$FullName` (release-name-chart-name)
- Non-Primary: `$FullName-$RBACName` (release-name-chart-name-RBACName)
---
Examples:
```yaml
rbac:
rbac-name:
enabled: true
primary: true
clusterWide: true
labels:
key: value
keytpl: "{{ .Values.some.value }}"
annotations:
key: value
keytpl: "{{ .Values.some.value }}"
allServiceAccounts: true
rules:
- apiGroups:
- ""
resources:
- "{{ .Values.some.value }}"
verbs:
- get
- "{{ .Values.some.value }}"
- watch
subjects:
- kind: my-kind
name: "{{ .Values.some.value }}"
apiGroup: my-api-group
other-rbac-name:
enabled: true
serviceAccounts:
- service-account-name
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
subjects:
- kind: my-kind
name: my-name
apiGroup: my-api-group
```
Reference in New Issue View Git Blame Copy Permalink