easzlab
/
kubeasz
mirror of https://github.com/easzlab/kubeasz.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

更新helm默认rbac设置

pull/206/merge
gjmzj 2018-05-27 11:00:12 +08:00
parent 2c6419a523
commit 68ecb6a23d
4 changed files with 74 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
roles/helm/defaults/main.yml
View File

@ -1,4 +1,4 @@
helm_namespace: helm-app helm_namespace: kube-system
helm_cert_cn: helm001 helm_cert_cn: helm001
tiller_sa: tiller tiller_sa: tiller
tiller_cert_cn: tiller001 tiller_cert_cn: tiller001

2
roles/helm/helm.yml
View File

@ -2,7 +2,7 @@
roles: roles:
- helm - helm
vars: vars:
helm_namespace: helm-app helm_namespace: kube-system
helm_cert_cn: helm001 helm_cert_cn: helm001
tiller_sa: tiller tiller_sa: tiller
tiller_cert_cn: tiller001 tiller_cert_cn: tiller001

29
roles/helm/templates/helm-rbac.yaml.j2
View File

@ -1,5 +1,5 @@
# 限制helm应用只允许部署在指定namespace # 绑定helm sa到 cluster-admin这样可以兼容现有需要集群特权的charts
# 可以配合NetworkPolicy等实现namespace间网络完全隔离 #
--- ---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
@ -12,26 +12,15 @@ metadata:
name: {{ tiller_sa }} name: {{ tiller_sa }}
namespace: {{ helm_namespace }} namespace: {{ helm_namespace }}
--- ---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: metadata:
name: tiller-manager name: tiller-cb
namespace: {{ helm_namespace }} roleRef:
rules: apiGroup: rbac.authorization.k8s.io
- apiGroups: ["", "extensions", "apps"] kind: ClusterRole
resources: ["*"] name: cluster-admin
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-binding
namespace: {{ helm_namespace }}
subjects: subjects:
- kind: ServiceAccount - kind: ServiceAccount
name: {{ tiller_sa }} name: {{ tiller_sa }}
namespace: {{ helm_namespace }} namespace: {{ helm_namespace }}
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io

62
roles/helm/templates/strict-helm-rbac.yaml.j2 100644
View File

@ -0,0 +1,62 @@
# 限制helm应用只允许部署在指定namespace
# 可以配合NetworkPolicy等实现namespace间网络完全隔离
---
apiVersion: v1
kind: Namespace
metadata:
name: {{ helm_namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ tiller_sa }}
namespace: {{ helm_namespace }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-manager
namespace: {{ helm_namespace }}
rules:
- apiGroups: ["", "extensions", "apps"]
resources: ["*"]
verbs: ["*"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-binding
namespace: {{ helm_namespace }}
subjects:
- kind: ServiceAccount
name: {{ tiller_sa }}
namespace: {{ helm_namespace }}
roleRef:
kind: Role
name: tiller-manager
apiGroup: rbac.authorization.k8s.io
---
#
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-cluster-manager
rules:
- apiGroups: ["rbac.authorization.k8s.io"]
resources:
- clusterroles
- clusterrolebindings
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: tiller-cluster-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: tiller-cluster-manager
subjects:
- kind: ServiceAccount
name: {{ tiller_sa }}
namespace: {{ helm_namespace }}