Ensure postgresclusters are available to admin/edit/view clusterroles

See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles Signed-off-by: Mathieu Parent <math.parent@gmail.com>
CrunchyData · Apr 29, 2022 · d7f0c8b · d7f0c8b
1 parent 6e91c1d
commit d7f0c8b
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 0 deletions.
diff --git a/helm/install/templates/clusterrole-aggregate-edit.yaml b/helm/install/templates/clusterrole-aggregate-edit.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.createAggregateRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}-aggregate-edit
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}
diff --git a/helm/install/templates/clusterrole-aggregate-view.yaml b/helm/install/templates/clusterrole-aggregate-view.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.createAggregateRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}-aggregate-view
+  labels:
+    {{- include "install.labels" . | nindent 4 }}
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}
diff --git a/helm/install/values.yaml b/helm/install/values.yaml
@@ -36,3 +36,7 @@ debug: true
 # imagePullSecretNames is a list of secret names to use for pulling controller images.
 # More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
 imagePullSecretNames: []
+
+# Create aggregated ClusterRoles
+# See https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
+createAggregateRoles: true
diff --git a/kustomize/install/rbac/cluster/clusterrole-aggregate-edit.yaml b/kustomize/install/rbac/cluster/clusterrole-aggregate-edit.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-operator-aggregate-edit
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/kustomize/install/rbac/cluster/clusterrole-aggregate-view.yaml b/kustomize/install/rbac/cluster/clusterrole-aggregate-view.yaml
@@ -0,0 +1,17 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-operator-aggregate-view
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups:
+  - postgres-operator.crunchydata.com
+  resources:
+  - postgresclusters
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/kustomize/install/rbac/cluster/kustomization.yaml b/kustomize/install/rbac/cluster/kustomization.yaml
@@ -5,3 +5,5 @@ resources:
 - service_account-upgrade.yaml
 - role-upgrade.yaml
 - role_binding-upgrade.yaml
+- clusterrole-aggregate-edit.yaml
+- clusterrole-aggregate-view.yaml