Removed secret-read permissions from pod
@@ -29,6 +29,9 @@ spec:
|
||||
- --v=2
|
||||
- --tls-cert-file=/tls/tls.crt
|
||||
- --tls-private-key-file=/tls/tls.key
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: {{ include "freedns-webhook.fullname" . }}-auth
|
||||
env:
|
||||
- name: GROUP_NAME
|
||||
value: {{ .Values.groupName | quote }}
|
||||
|
||||
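Review bot: The credentials are now injected through `envFrom:` / `- secretRef:` / `name: {{ include "freedns-webhook.fullname" . }}-auth` (these read as the three added lines, matching the +3 in the hunk header), which puts both values into the container's environment — readable by every process in the container and by any tooling that captures a process environment in logs or crash dumps. Mounting the Secret as a read-only volume and reading the files would keep the credentials out of the environment; if the binary only accepts environment variables, a comment above `envFrom:` such as `# Credentials come from the <fullname>-auth Secret; the webhook reads them from its environment` would record why this form was chosen. Leaving `optional` unset on the `secretRef` is the right default, since the Pod then fails to start instead of running without credentials. The container spec these lines belong to starts before the hunk.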
@@ -8,45 +8,6 @@ metadata:
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "freedns-webhook.name" . }}
|
||||
chart: {{ include "freedns-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ''
|
||||
resources:
|
||||
- 'secrets'
|
||||
verbs:
|
||||
- 'get'
|
||||
---
|
||||
# Grant the webhook permission to read the secret
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ include "freedns-webhook.name" . }}
|
||||
chart: {{ include "freedns-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: {{ include "freedns-webhook.fullname" . }}:secret-read
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: {{ include "freedns-webhook.fullname" . }}
|
||||
namespace: {{ .Release.Namespace }}
|
||||
---
|
||||
# Grant the webhook permission to read the ConfigMap containing the Kubernetes
|
||||
# apiserver's requestheader-ca-certificate.
|
||||
# This ConfigMap is automatically created by the Kubernetes apiserver.
|
||||
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
data:
|
||||
FREEDNS_USERNAME: {{ required "Please provide the value of freedns.auth.FREEDNS_USERNAME" .Values.freedns.auth.FREEDNS_USERNAME | b64enc | quote }}
|
||||
FREEDNS_PASSWORD: {{ required "Please provide the value of freedns.auth.FREEDNS_PASSWORD" .Values.freedns.auth.FREEDNS_PASSWORD | b64enc | quote }}
|
||||
metadata:
|
||||
name: {{ include "freedns-webhook.fullname" . }}-auth
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
app: {{ include "freedns-webhook.name" . }}
|
||||
chart: {{ include "freedns-webhook.chart" . }}
|
||||
release: {{ .Release.Name }}
|
||||
heritage: {{ .Release.Service }}
|
||||
type: Opaque
|
||||
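Review bot: `type: Opaque` is declared twice in the new Secret, once directly after `kind: Secret` and again as the final line; duplicate mapping keys are flagged by yamllint and rejected outright by stricter YAML parsers, so the trailing `type: Opaque` should be removed. Placing `data:` above `metadata:` is also unconventional for a Kubernetes manifest and makes the object harder to read; the usual order is `apiVersion`, `kind`, `metadata`, `type`, `data`. The two `required` calls are a sound fail-closed default, because rendering stops with a clear message when either credential is unset instead of emitting a Secret with an empty value.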