penguin/webhook-freedns
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed some more rbac issues, v2022.03.15

Browse Source
This commit is contained in:
斟酌 鵬兄
2022-03-15 01:39:12 +09:00
parent c2272e3816
commit 4fe54aabf0
5 changed files with 140 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
deploy/freedns-webhook/templates/rbac.yaml
View File

@@ -8,6 +8,45 @@ metadata:
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "freedns-webhook.fullname" . }}:secret-read
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "freedns-webhook.name" . }}
chart: {{ include "freedns-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- ''
resources:
- 'secrets'
verbs:
- 'get'
---
# Grant the webhook permission to read the secret
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "freedns-webhook.fullname" . }}:secret-read
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "freedns-webhook.name" . }}
chart: {{ include "freedns-webhook.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "freedns-webhook.fullname" . }}:secret-read
subjects:
- apiGroup: ""
kind: ServiceAccount
name: {{ include "freedns-webhook.fullname" . }}
namespace: {{ .Release.Namespace }}
---
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
# apiserver's requestheader-ca-certificate.
# This ConfigMap is automatically created by the Kubernetes apiserver.