Add aggregate role (#133)

* feat: add aggregate-to-xx roles

Non-cluster-admin users can't create/update/delete CloneSet/StatefulSet
objects;
following the [kubernetes aggregated
clusterrole](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) pattern,
add ClusterRoles.

Signed-off-by: j4ckstraw <j4ckstraw@foxmail.com>
j4ckstraw 2025-03-05 17:30:25 +08:00 committed by GitHub
parent 79e725cb0e
commit 8dca36c77a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 112 additions and 1 deletions


@ -1,7 +1,7 @@
apiVersion: v1 apiVersion: v1
name: kruise name: kruise
description: Helm chart for kruise components description: Helm chart for kruise components
version: 1.8.0 version: 1.8.1
appVersion: 1.8.0 appVersion: 1.8.0
kubeVersion: ">= 1.18.0-0" kubeVersion: ">= 1.18.0-0"
icon: https://openkruise.io/img/openkruise-logo-bg.jpg icon: https://openkruise.io/img/openkruise-logo-bg.jpg


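--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -951,3 +951,114 @@ subjects:
 - kind: ServiceAccount
 name: kruise-daemon
 namespace: {{ .Values.installation.namespace }}
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: aggregate-kruise-view
+labels:
+# Add these permissions to the "view" default role.
+rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+- apiGroups: ["apps.kruise.io"]
+resources:
+- advancedcronjobs
+- advancedcronjobs/status
+- broadcastjobs
+- broadcastjobs/status
+- clonesets
+- clonesets/scale
+- clonesets/status
+- containerrecreaterequests
+- containerrecreaterequests/status
+- daemonsets
+- daemonsets/status
+- imagelistpulljobs
+- imagelistpulljobs/status
+- imagepulljobs
+- imagepulljobs/status
+- nodeimages
+- nodeimages/status
+- nodepodprobes
+- nodepodprobes/status
+- persistentpodstates
+- persistentpodstates/status
+- podprobemarkers
+- podprobemarkers/status
+- sidecarsets
+- sidecarsets/status
+- statefulsets
+- statefulsets/scale
+- statefulsets/status
+- uniteddeployments
+- uniteddeployments/scale
+- uniteddeployments/status
+- workloadspreads
+- workloadspreads/status
+verbs:
+- get
+- list
+- watch
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: aggregate-kruise-edit
+labels:
+# Add these permissions to the "admin" and "edit" default roles.
+rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+- apiGroups: ["apps.kruise.io"]
+resources:
+- advancedcronjobs
+- broadcastjobs
+- clonesets
+- clonesets/scale
+- containerrecreaterequests
+- daemonsets
+- imagelistpulljobs
+- imagepulljobs
+- nodeimages
+- nodepodprobes
+- persistentpodstates
+- podprobemarkers
+- sidecarsets
+- statefulsets
+- statefulsets/scale
+- uniteddeployments
+- uniteddeployments/scale
+- workloadspreads
+verbs:
+- create
+- delete
+- deletecollection
+- patch
+- update
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+name: aggregate-kruise-admin
+labels:
+# Add these permissions to the "admin" default roles.
+rbac.authorization.k8s.io/aggregate-to-admin: "true"
+rules:
+- apiGroups: ["apps.kruise.io"]
+resources:
+- resourcedistributions/status
+verbs:
+- get
+- list
+- watch
+- apiGroups: ["apps.kruise.io"]
+resources:
+- resourcedistributions
+verbs:
+- get
+- list
+- watch
+- create
+- delete
+- deletecollection
+- patch
+- update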
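Review bot: `sidecarsets`, `nodeimages` and `nodepodprobes` in the aggregate-kruise-edit rule are, as far as I recall, cluster-scoped Kruise types, so listing them under aggregate-to-edit widens the built-in edit/admin roles beyond namespace scope wherever those roles are granted through a ClusterRoleBinding (a plain RoleBinding cannot confer access to cluster-scoped resources, so there the grant is inert but misleading). A SidecarSet in particular injects containers into matching pods in any namespace, which is a cross-tenant write path rather than an in-namespace edit. The commit already keeps `resourcedistributions` out of edit and grants it only via aggregate-to-admin; treating the other cluster-scoped types the same way (remove them from aggregate-kruise-edit and, if cluster-wide write is wanted, add them to aggregate-kruise-admin) would keep these roles aligned with how upstream scopes `edit`. If the current scoping is intentional, record it above the rule, e.g. `# NOTE: sidecarsets/nodeimages/nodepodprobes are cluster-scoped; this grant is only effective via a ClusterRoleBinding`. Minor: the aggregate-kruise-admin comment reads `"admin" default roles`; upstream's wording is `# Add these permissions to the "admin" default role.`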