From 45589089104dca7a9c8ac02d574bfc3c8f343dc8 Mon Sep 17 00:00:00 2001 From: Sergey Nuzdhin Date: Tue, 19 Sep 2017 19:52:50 +0200 Subject: [PATCH 1/2] Create RBAC policy for cert-manager #34 --- README.md | 6 ++++-- docs/rbac.yaml | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 docs/rbac.yaml diff --git a/README.md b/README.md index 8b7ea843e..5cb5a8345 100644 --- a/README.md +++ b/README.md @@ -49,9 +49,11 @@ To deploy the latest version of cert-manager using Helm, run: $ helm install --name cert-manager --namespace kube-system contrib/charts/cert-manager ``` -**NOTE** +#### Deploy RBAC roles -* There are currently no official RBAC roles defined for cert-manager (see [#34](https://github.com/jetstack-experimental/cert-manager/issues/34)) +``` +$ kubectl create -f https://raw.githubusercontent.com/jetstack-experimental/cert-manager/master/docs/rbac.yaml +``` ### 2. Set up letsencrypt staging issuer diff --git a/docs/rbac.yaml b/docs/rbac.yaml new file mode 100644 index 000000000..808a49af1 --- /dev/null +++ b/docs/rbac.yaml 
@@ -0,0 +1,40 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager
+rules:
+- apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "issuers"]
+ verbs: ["get", "list", "watch", "update", "create"]
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "update", "create", "delete"]
+- apiGroups: [""]
+ resources: ["events"]
+ verbs: ["get", "list", "watch", "update", "create", "patch"]
+- apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "put", "create", "update", "list", "watch"]
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["list","watch","get", "create", "update", "delete"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["list","watch","get", "update", "delete", "create"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["list","watch","update","create","delete", "get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager-binding
+ namespace: default
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager
+subjects:
+- namespace: default
+ kind: ServiceAccount
+ name: default
From f9ae158a6e6b7091ce5d67c2d0170301e82d6757 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Thu, 21 Sep 2017 19:32:27 +0100
Subject: [PATCH 2/2] Clean up RBAC rules. Add rbac option to helm chart.
---
 .../cert-manager/templates/deployment.yaml | 2 +
 .../charts/cert-manager/templates/rbac.yaml | 42 +++++++++++++++++++
 .../templates/serviceaccount.yaml | 9 ++++
 contrib/charts/cert-manager/values.yaml | 3 ++
 docs/rbac.yaml | 20 +++------
 5 files changed, 61 insertions(+), 15 deletions(-)
 create mode 100644 contrib/charts/cert-manager/templates/rbac.yaml
 create mode 100644 contrib/charts/cert-manager/templates/serviceaccount.yaml
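Review bot: The ClusterRoleBinding at the end of the hunk hands this ClusterRole — including cluster-wide get/list/watch/update/create/delete on `secrets` — to the `default` ServiceAccount of the `default` namespace, which is the identity every pod in that namespace runs under unless it sets its own serviceAccountName. Binding a dedicated account instead keeps the grant scoped to the controller; the subject would read `- kind: ServiceAccount`, `name: cert-manager` (constructed, matching the ClusterRole name), `namespace: <namespace cert-manager is deployed in>`, with a matching ServiceAccount manifest added to this file. The follow-up patch in this series rewrites the rules and drops `namespace: default` from the binding's metadata but, as far as its hunk is visible, leaves this subject unchanged.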
diff --git a/contrib/charts/cert-manager/templates/deployment.yaml b/contrib/charts/cert-manager/templates/deployment.yaml
index 80a7585f0..09cb95979 100644
--- a/contrib/charts/cert-manager/templates/deployment.yaml
+++ b/contrib/charts/cert-manager/templates/deployment.yaml
@@ -15,6 +15,8 @@ spec:
 app: {{ template "name" . }}
 release: {{ .Release.Name }}
 spec:
+ serviceAccount: {{ template "fullname" . }}
+ serviceAccountName: {{ template "fullname" . }}
 containers:
 - name: {{ .Chart.Name }}
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
diff --git a/contrib/charts/cert-manager/templates/rbac.yaml b/contrib/charts/cert-manager/templates/rbac.yaml
new file mode 100644
index 000000000..702d4caf0
--- /dev/null
+++ b/contrib/charts/cert-manager/templates/rbac.yaml
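Review bot: `serviceAccount` on the first added line is the deprecated PodSpec alias of `serviceAccountName`, so the two added lines set the same thing twice; `serviceAccountName: {{ template "fullname" . }}` alone is sufficient and avoids a deprecation warning. Note that the serviceaccount.yaml template added in this patch is not gated on `.Values.rbac.enabled`, so the account referenced here exists whether or not the RBAC objects are rendered, which is what lets this line stay unconditional. The enclosing pod spec continues outside the hunk.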
@@ -0,0 +1,42 @@
+{{- if .Values.rbac.enabled -}}
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+rules:
+- apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "issuers"]
+ verbs: ["*"]
+- apiGroups: [""]
+ resources: ["secrets", "events", "endpoints", "services"]
+ verbs: ["*"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["*"]
+- apiGroups: ["batch"]
+ resources: ["jobs"]
+ verbs: ["list", "watch", "create", "delete", "get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "fullname" . }}
+subjects:
+- name: {{ template "fullname" . }}
+ namespace: {{ .Release.Namespace | quote }}
+ kind: ServiceAccount
+{{- end -}}
\ No newline at end of file
diff --git a/contrib/charts/cert-manager/templates/serviceaccount.yaml b/contrib/charts/cert-manager/templates/serviceaccount.yaml
new file mode 100644
index 000000000..b65d4c92a
--- /dev/null
+++ b/contrib/charts/cert-manager/templates/serviceaccount.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "fullname" . }}
+ labels:
+ app: {{ template "name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
diff --git a/contrib/charts/cert-manager/values.yaml b/contrib/charts/cert-manager/values.yaml
index c6c3e3e79..22487e13f 100644
--- a/contrib/charts/cert-manager/values.yaml
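Review bot: `verbs: ["*"]` on the `rules` entries for `certmanager.k8s.io`, the core group (`secrets`, `events`, `endpoints`, `services`) and `extensions/ingresses` replaces the per-resource verb lists this series introduced in docs/rbac.yaml with a wildcard that also covers `patch`, `deletecollection` and any verb added in later API versions, cluster-wide; for `secrets` in particular that is a much broader grant to a single controller identity than the enumerated list was. Restoring explicit lists keeps the ClusterRole to what the controller actually exercises, e.g. `verbs: ["get", "list", "watch", "update", "create", "delete"]` on `secrets` as the first patch had, and splitting `secrets` out of the shared core-group rule lets `events`, `endpoints` and `services` carry their own narrower lists as before. The same wildcard is applied in the docs/rbac.yaml hunk at the end of this patch; this note covers that hunk as well.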
+++ b/contrib/charts/cert-manager/values.yaml @@ -10,4 +10,7 @@ image: createCustomResource: true +rbac: + enabled: true + resources: {} diff --git a/docs/rbac.yaml b/docs/rbac.yaml index 808a49af1..7187e0f68 100644 --- a/docs/rbac.yaml +++ b/docs/rbac.yaml @@ -5,31 +5,21 @@ metadata: rules: - apiGroups: ["certmanager.k8s.io"] resources: ["certificates", "issuers"] - verbs: ["get", "list", "watch", "update", "create"] + verbs: ["*"] - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "update", "create", "delete"] -- apiGroups: [""] - resources: ["events"] - verbs: ["get", "list", "watch", "update", "create", "patch"] -- apiGroups: [""] - resources: ["endpoints"] - verbs: ["get", "put", "create", "update", "list", "watch"] -- apiGroups: [""] - resources: ["services"] - verbs: ["list","watch","get", "create", "update", "delete"] + resources: ["secrets", "events", "endpoints", "services"] + verbs: ["*"] - apiGroups: ["extensions"] resources: ["ingresses"] - verbs: ["list","watch","get", "update", "delete", "create"] + verbs: ["*"] - apiGroups: ["batch"] resources: ["jobs"] - verbs: ["list","watch","update","create","delete", "get"] + verbs: ["list", "watch", "create", "delete", "get"] --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding metadata: name: cert-manager-binding - namespace: default roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole
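Review bot: The new `rbac` block in values.yaml carries no comment saying what it controls; the only consumer visible in this patch is templates/rbac.yaml, which wraps the ClusterRole and ClusterRoleBinding in `{{- if .Values.rbac.enabled -}}`, while the ServiceAccount and the Deployment's serviceAccountName are rendered regardless. A one-line comment above the key would make that explicit for chart users: `# Render the ClusterRole/ClusterRoleBinding for the chart's ServiceAccount (templates/rbac.yaml)`. The docs/rbac.yaml hunk that follows on this line runs past the end of the visible text.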