2 changes: 1 addition & 1 deletion charts/onyxia/Chart.yaml
@@ -14,7 +14,7 @@ type: application

# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: 3.1.0
version: 3.2.0

# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
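--- a/charts/onyxia/templates/cluster-role-binding.yaml
+++ b/charts/onyxia/templates/cluster-role-binding.yaml
@@ -15,4 +15,37 @@ subjects:
 name: {{ include "onyxia.api.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 {{- end -}}
+{{- if .Values.serviceAccount.clusterMinPrivilege -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: clusterMinPrivilegeRole
+rules:
+- apiGroups: [""]
+resources: ["namespaces"]
+verbs: ["get", "list", "create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+resources: ["rolebindings"]
+verbs: ["create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+resources: ["clusterroles"]
+verbs: ["bind"]
+resourceNames: ["admin","edit","view"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: {{ include "onyxia.fullname" . }}
+labels:
+{{- include "onyxia.api.labels" . | nindent 4 }}
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: clusterMinPrivilegeRole
+subjects:
+- kind: ServiceAccount
+name: {{ include "onyxia.api.serviceAccountName" . }}
+namespace: {{ .Release.Namespace }}
+{{- end -}}
 {{- end -}}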
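Review bot: The new ClusterRole is broader than the name `clusterMinPrivilege` suggests: cluster-wide `create` on `rolebindings` combined with `bind` on `admin`, `edit` and `view` lets the API service account grant `admin` in any namespace, system namespaces included. If the API only hands out lower roles, trim `resourceNames` accordingly, and state the remaining reach next to the flag in values.yaml so operators do not read it as a narrow grant. The role name `clusterMinPrivilegeRole` is hard-coded in both `metadata.name` and `roleRef.name` and the ClusterRole carries no labels, so two releases in one cluster would contend for the same cluster-scoped object; `name: {{ include "onyxia.fullname" . }}-min-privilege` in both places avoids that. The new ClusterRoleBinding reuses `{{ include "onyxia.fullname" . }}`, which would collide with the binding above the hunk if that one (not visible here) has the same name and both flags are enabled. In that same case the trim markers on `{{- end -}}` and `{{- if ... -}}` remove the newlines between them, so the first `---` appears to end up glued to the preceding `namespace:` value; dropping the right-hand trim on the `if` line would keep the separator on its own line.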
5 changes: 4 additions & 1 deletion charts/onyxia/values.yaml
@@ -7,7 +7,10 @@ imagePullSecrets: []
serviceAccount:
# Specifies whether a service account should be created
create: true
clusterAdmin: false # If true, give cluster admin permissions. Otherwise, be admin scoped to the namespace
clusterAdmin: false
clusterMinPrivilege: false
# If clusterAdmintrue, give cluster admin permissions. Otherwise, be admin scoped to the namespace
# If clusterMinPrivilege, try to stick to the minprileve neeeded by api
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
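Review bot: The two comment lines added below `clusterMinPrivilege: false` are hard to read as written (`clusterAdmintrue`, `minprileve neeeded`) and sit after the keys they describe, directly above the `annotations` comment. I would put one comment above each key, for example `# If true, give cluster admin permissions. Otherwise, be admin scoped to the namespace` above `clusterAdmin` and `# If true, bind a ClusterRole limited to the cluster-level permissions the API needs` above `clusterMinPrivilege`. The comment should also say what happens when both flags are true, because as far as the visible part of the template shows, the two blocks are not mutually exclusive.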