Skip to content

Commit

Permalink
feat(cloudnative-pg): add user facing roles view and edit (#39)
Browse files Browse the repository at this point in the history
  • Loading branch information
NaPs authored Aug 23, 2023
1 parent 39c99bc commit 107ffe8
Show file tree
Hide file tree
Showing 4 changed files with 57 additions and 0 deletions.
1 change: 1 addition & 0 deletions charts/cloudnative-pg/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ CloudNativePG Helm Chart
| podLabels | object | `{}` | Labels to be added to the pod. |
| podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod. |
| priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. |
| rbac.aggregateClusterRoles | bool | `false` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
| rbac.create | bool | `true` | Specifies whether ClusterRole and ClusterRoleBinding should be created. |
| replicaCount | int | `1` | |
| resources | object | `{}` | |
Expand Down
50 changes: 50 additions & 0 deletions charts/cloudnative-pg/templates/rbac.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -380,4 +380,54 @@ subjects:
- kind: ServiceAccount
name: {{ include "cloudnative-pg.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "cloudnative-pg.fullname" . }}-view
labels:
{{- include "cloudnative-pg.labels" . | nindent 4 }}
{{- if .Values.rbac.aggregateClusterRoles }}
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- end }}
rules:
- apiGroups:
- postgresql.cnpg.io
resources:
- backups
- clusters
- poolers
- scheduledbackups
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "cloudnative-pg.fullname" . }}-edit
labels:
{{- include "cloudnative-pg.labels" . | nindent 4 }}
{{- if .Values.rbac.aggregateClusterRoles }}
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
{{- end }}
rules:
- apiGroups:
- postgresql.cnpg.io
resources:
- backups
- clusters
- poolers
- scheduledbackups
verbs:
- create
- delete
- deletecollection
- patch
- update
---
{{- end }}
3 changes: 3 additions & 0 deletions charts/cloudnative-pg/values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,9 @@
"properties": {
"create": {
"type": "boolean"
},
"aggregateClusterRoles": {
"type": "boolean"
}
}
},
Expand Down
3 changes: 3 additions & 0 deletions charts/cloudnative-pg/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,9 @@ serviceAccount:
rbac:
# -- Specifies whether ClusterRole and ClusterRoleBinding should be created.
create: true
# -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
# Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
aggregateClusterRoles: false

# -- Annotations to be added to all other resources.
commonAnnotations: {}
Expand Down

0 comments on commit 107ffe8

Please sign in to comment.