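{{ if .Values.rbac.create }}
{{- $serviceName := include "jenkins.fullname" . -}}

# Role that lets the Jenkins controller schedule agent pods through the
# Kubernetes plugin. It is created in the agent namespace, which may differ
# from the namespace the controller itself runs in.
#
# Security note: "create" on pods/exec permits opening exec sessions into any
# pod in the agent namespace, not only pods Jenkins created. Keep that
# namespace dedicated to agents so this grant cannot reach unrelated workloads.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceName }}-schedule-agents
  namespace: {{ template "jenkins.agent.namespace" . }}
  labels:
    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ template "jenkins.label" .}}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
  # Read-only access: observing agent pods, their logs, claims and events.
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
    verbs: ["get", "list", "watch"]
  # Write access: launching, attaching to and tearing down agent pods.
  - apiGroups: [""]
    resources: ["pods", "pods/exec", "persistentvolumeclaims"]
    verbs: ["create", "delete", "deletecollection", "patch", "update"]

---

# Binds the scheduling role to the Jenkins service account. The binding lives
# in the agent namespace (where the Role is), while the subject references the
# service account in the namespace the controller runs in.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceName }}-schedule-agents
  namespace: {{ template "jenkins.agent.namespace" . }}
  labels:
    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ template "jenkins.label" .}}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceName }}-schedule-agents
subjects:
  - kind: ServiceAccount
    name: {{ template "jenkins.serviceAccountName" .}}
    namespace: {{ template "jenkins.namespace" . }}

---

{{- if .Values.rbac.readSecrets }}
# Optional: only needed for the Kubernetes Credentials Provider plugin
# (https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/), which
# must get/list/watch Secrets.
#
# Security note: this is not limited to particular Secret names, so the Jenkins
# service account can read every Secret in the controller namespace. Leave
# rbac.readSecrets disabled unless the plugin is in use, and avoid storing
# unrelated Secrets in that namespace when it is enabled.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceName }}-read-secrets
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ template "jenkins.label" .}}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]

---

# Binds the read-secrets role to the Jenkins service account in the controller
# namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceName }}-read-secrets
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ template "jenkins.label" .}}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceName }}-read-secrets
subjects:
  - kind: ServiceAccount
    name: {{ template "jenkins.serviceAccountName" . }}
    namespace: {{ template "jenkins.namespace" . }}

---
{{- end}}

{{- if .Values.controller.sidecars.configAutoReload.enabled }}
# The config-auto-reload sidecar watches ConfigMaps in the controller namespace
# to pick up configuration changes; read-only access to configmaps is all it
# needs. The grant covers every ConfigMap in the namespace, not just the
# chart's own.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ $serviceName }}-casc-reload
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ template "jenkins.label" .}}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "watch", "list"]

---

# Binds the casc-reload role to the Jenkins service account. Note that the
# binding's name (-watch-configmaps) differs from the Role it references
# (-casc-reload); the name is kept unchanged so existing releases are not
# affected.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ $serviceName }}-watch-configmaps
  namespace: {{ template "jenkins.namespace" . }}
  labels:
    "app.kubernetes.io/name": '{{ template "jenkins.name" .}}'
    {{- if .Values.renderHelmLabels }}
    "helm.sh/chart": "{{ template "jenkins.label" .}}"
    {{- end }}
    "app.kubernetes.io/managed-by": "{{ .Release.Service }}"
    "app.kubernetes.io/instance": "{{ .Release.Name }}"
    "app.kubernetes.io/component": "{{ .Values.controller.componentName }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ $serviceName }}-casc-reload
subjects:
  - kind: ServiceAccount
    name: {{ template "jenkins.serviceAccountName" . }}
    namespace: {{ template "jenkins.namespace" . }}

{{- end}}

{{ end }}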