woodpecker/charts/woodpecker-agent/templates/role.yaml

{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.rbac.create) -}}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "woodpecker-agent.serviceAccountName" . }}
  labels:
    {{- include "woodpecker-agent.labels" . | nindent 4 }}
    {{- with .Values.serviceAccount.rbac.role.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.serviceAccount.rbac.role.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
rules:
  - apiGroups: [''] # '' indicates core apiGroup (don't remove)
    resources: ['persistentvolumeclaims']
    verbs: ['create','delete']
  - apiGroups: ['']
    resources: ['services']
    verbs: ['create','delete']
  - apiGroups: ['']
    resources:
      - pods
      - pods/log
    verbs: ['watch','create','delete','get','list']
{{- end }}
Add RBAC to helm chart (#1373) This PR fixes #1367 with the minimum needed (plus the basics of annotations and labels, since some clusters need those for extra verifications, OPA, Kyverno, etc.). The added role is the minimum access I could get away with (tested each verb and resource individually), since the Kubernetes go library seems to use list and get even when not strictly necessary. I've defaulted to inactive, setting the serviceAccount.rbac.create=true will create the Role and roleBinding. The changes only affect the woodpecker-agent chart, as the woodpecker-server chart currently does nothing directly # Tests - [x] non default namespace (roleBindung uses namespace in a not automatically rewritten position) - [x] rbac.create enabled and disabled (nothing changes for disabled, since the templates use a guard) - [x] custom serviceAccount name - [x] both roleBinding and role with no annotations, no lables, single a&l, multiple each - [x] helm deploy to Kubernetes, with all settings mentioned above # Documentation Added in the comments of the values.yaml. Taking it into the docs might be helpful, but the Kubernetes section in the next docs is fairly empty, possibly open a new issue and solve when the chart for next is mostly done. 2022-10-30 21:47:58 +00:00			`{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.rbac.create) -}}`
			`apiVersion: rbac.authorization.k8s.io/v1`
			`kind: Role`
			`metadata:`
			`name: {{ include "woodpecker-agent.serviceAccountName" . }}`
			`labels:`
			`{{- include "woodpecker-agent.labels" . \| nindent 4 }}`
			`{{- with .Values.serviceAccount.rbac.role.labels }}`
			`{{- toYaml . \| nindent 4 }}`
			`{{- end }}`
			`{{- with .Values.serviceAccount.rbac.role.annotations }}`
			`annotations:`
			`{{- toYaml . \| nindent 4 }}`
			`{{- end }}`
			`rules:`
			`- apiGroups: [''] # '' indicates core apiGroup (don't remove)`
			`resources: ['persistentvolumeclaims']`
			`verbs: ['create','delete']`
			`- apiGroups: ['']`
			`resources: ['services']`
			`verbs: ['create','delete']`
			`- apiGroups: ['']`
			`resources:`
			`- pods`
			`- pods/log`
			`verbs: ['watch','create','delete','get','list']`
			`{{- end }}`