mirror of https://github.com/easzlab/kubeasz.git
更新helm默认rbac设置
parent
2c6419a523
commit
68ecb6a23d
|
@ -1,4 +1,4 @@
|
|||
helm_namespace: helm-app
|
||||
helm_namespace: kube-system
|
||||
helm_cert_cn: helm001
|
||||
tiller_sa: tiller
|
||||
tiller_cert_cn: tiller001
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
roles:
|
||||
- helm
|
||||
vars:
|
||||
helm_namespace: helm-app
|
||||
helm_namespace: kube-system
|
||||
helm_cert_cn: helm001
|
||||
tiller_sa: tiller
|
||||
tiller_cert_cn: tiller001
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
# 限制helm应用只允许部署在指定namespace
|
||||
# 可以配合NetworkPolicy等实现namespace间网络完全隔离
|
||||
# 绑定helm sa到 cluster-admin,这样可以兼容现有需要集群特权的charts
|
||||
#
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
|
@ -12,26 +12,15 @@ metadata:
|
|||
name: {{ tiller_sa }}
|
||||
namespace: {{ helm_namespace }}
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: tiller-manager
|
||||
namespace: {{ helm_namespace }}
|
||||
rules:
|
||||
- apiGroups: ["", "extensions", "apps"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: tiller-binding
|
||||
namespace: {{ helm_namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ tiller_sa }}
|
||||
namespace: {{ helm_namespace }}
|
||||
name: tiller-cb
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: tiller-manager
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ tiller_sa }}
|
||||
namespace: {{ helm_namespace }}
|
||||
|
|
|
@ -0,0 +1,62 @@
|
|||
# 限制helm应用只允许部署在指定namespace
|
||||
# 可以配合NetworkPolicy等实现namespace间网络完全隔离
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: {{ helm_namespace }}
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: {{ tiller_sa }}
|
||||
namespace: {{ helm_namespace }}
|
||||
---
|
||||
kind: Role
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: tiller-manager
|
||||
namespace: {{ helm_namespace }}
|
||||
rules:
|
||||
- apiGroups: ["", "extensions", "apps"]
|
||||
resources: ["*"]
|
||||
verbs: ["*"]
|
||||
---
|
||||
kind: RoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: tiller-binding
|
||||
namespace: {{ helm_namespace }}
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ tiller_sa }}
|
||||
namespace: {{ helm_namespace }}
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: tiller-manager
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
---
|
||||
#
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: tiller-cluster-manager
|
||||
rules:
|
||||
- apiGroups: ["rbac.authorization.k8s.io"]
|
||||
resources:
|
||||
- clusterroles
|
||||
- clusterrolebindings
|
||||
verbs: ["*"]
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
metadata:
|
||||
name: tiller-cluster-binding
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: tiller-cluster-manager
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: {{ tiller_sa }}
|
||||
namespace: {{ helm_namespace }}
|
Loading…
Reference in New Issue