Fix WATCH_NAMESPACE in helm chart (#547)

* Fix WATCH_NAMESPACE in helm chart

When applying the chart, the operator will now watch the correct
namespace. This required changes in roles and role bindings so that
the operator has access to both namespaces.

* Use Role instead of ClusterRole

Mitigates the risk that creating a ClusterRole is not permitted in
multi-tenant k8s clusters.

* Update configuration-as-code version to 1.47
Piotr Ryba 2021-04-27 15:36:09 +02:00 committed by GitHub
parent 07d2e5e129
commit 0d118bf046
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 158 additions and 134 deletions


@ -0,0 +1,132 @@
{{ define "jenkins-operator.role" }}
{{ $namespace := . }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jenkins-operator
namespace: {{ $namespace }}
rules:
- apiGroups:
- ""
resources:
- services
- configmaps
- secrets
verbs:
- get
- create
- update
- list
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- create
- update
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- get
- create
- update
- list
- watch
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- create
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- pods/exec
verbs:
- "*"
- apiGroups:
- ""
resources:
- events
verbs:
- get
- watch
- list
- create
- patch
- apiGroups:
- apps
resourceNames:
- jenkins-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- jenkins.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- apiGroups:
- "route.openshift.io"
resources:
- routes
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- "image.openshift.io"
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- "build.openshift.io"
resources:
- builds
- buildconfigs
verbs:
- get
- list
- watch
{{ end }}
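Review bot: The template is invoked with a bare namespace string as `.` (rebound to `$namespace` on its second line), but nothing records that contract or why the same Role is stamped into more than one namespace; a leading `{{/* Role for the operator service account. Argument: a namespace name (string). role.yaml renders it for the release namespace and, when different, for jenkins.namespace. */}}` would let the two call sites be read without cross-referencing. `namespace: {{ $namespace }}` is an unquoted templated scalar, so a namespace name that YAML types as a number would be rendered as an integer and presumably rejected by the API server; `namespace: {{ $namespace | quote }}` avoids that. Wildcard quoting is mixed (`'*'` under apps and jenkins.io, `"*"` under pods); both parse the same, pick one. Because the rule set is identical in both namespaces, the broad grants (`secrets` get/list/watch, `pods` and `pods/exec` `*`, create/update on `roles`/`rolebindings`) now also apply inside jenkins.namespace, which may be shared with other workloads; that looks intended, but a one-line comment on each of those rules naming what the operator uses it for would make future least-privilege reviews of this Role far easier.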


@ -34,9 +34,7 @@ spec:
args: []
env:
- name: WATCH_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
value: {{ .Values.jenkins.namespace }}
- name: POD_NAME
valueFrom:
fieldRef:
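Review bot: `value: {{ .Values.jenkins.namespace }}` is an unquoted templated scalar: when `jenkins.namespace` is unset the line renders as `value:` (null) and the operator starts with an empty WATCH_NAMESPACE, whose effect is not visible here, and a namespace name that YAML types as a number is rejected because `env[].value` must be a string. `value: {{ required "jenkins.namespace must be set" .Values.jenkins.namespace | quote }}` makes a missing value fail at `helm install` instead of at runtime and keeps the value a string. The same unquoted expansion appears in the new role.yaml and rolebinding.yaml sections (`namespace: {{ .Values.jenkins.namespace }}`), where an empty value also passes the `ne .Release.Namespace` guard and presumably yields a second Role and RoleBinding with no namespace, colliding with the first pair. The container spec that owns this env block starts and ends outside the hunk.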


@ -1,128 +1,4 @@
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jenkins-operator
rules:
- apiGroups:
- ""
resources:
- services
- configmaps
- secrets
verbs:
- get
- create
- update
- list
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- get
- create
- update
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
verbs:
- get
- create
- update
- list
- watch
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- create
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- pods/exec
verbs:
- "*"
- apiGroups:
- ""
resources:
- events
verbs:
- get
- watch
- list
- create
- patch
- apiGroups:
- apps
resourceNames:
- jenkins-operator
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- jenkins.io
resources:
- '*'
verbs:
- '*'
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- list
- watch
- apiGroups:
- "route.openshift.io"
resources:
- routes
verbs:
- get
- list
- watch
- create
- update
- apiGroups:
- "image.openshift.io"
resources:
- imagestreams
verbs:
- get
- list
- watch
- apiGroups:
- "build.openshift.io"
resources:
- builds
- buildconfigs
verbs:
- get
- list
- watch
{{ template "jenkins-operator.role" .Release.Namespace }}
{{ if ne .Release.Namespace .Values.jenkins.namespace }}
{{ template "jenkins-operator.role" .Values.jenkins.namespace }}
{{ end }}
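Review bot: The four new lines carry the whole namespace logic of the chart but no explanation, and a reader of role.yaml alone cannot tell that the leading `---` now comes from inside the `jenkins-operator.role` define; a comment such as `{{/* The operator needs the same Role in its own namespace and in the namespace it watches (jenkins.namespace); render it for both, skipping the second when they coincide. Each render emits its own document separator. */}}` above the first `template` call would cover both points. The guard is a plain string comparison, so it is only as reliable as the value supplied; that is fine as long as jenkins.namespace is validated somewhere, which this hunk does not show.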


@ -3,10 +3,28 @@ kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jenkins-operator
namespace: {{ .Release.Namespace }}
subjects:
- kind: ServiceAccount
name: jenkins-operator
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: jenkins-operator
apiGroup: rbac.authorization.k8s.io
{{ if ne .Release.Namespace .Values.jenkins.namespace }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: jenkins-operator
namespace: {{ .Values.jenkins.namespace }}
subjects:
- kind: ServiceAccount
name: jenkins-operator
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: jenkins-operator
apiGroup: rbac.authorization.k8s.io
{{ end }}
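Review bot: The RoleBinding under the `if ne` guard repeats the first binding line for line except for `metadata.namespace`, so the two copies will drift the first time one of them is edited; the Role was already factored into the `jenkins-operator.role` define and the binding deserves the same treatment. Note that the subject keeps `namespace: {{ .Release.Namespace }}` in both copies, which is correct because the ServiceAccount exists only in the release namespace, so a helper needs the binding namespace and the subject namespace as separate inputs, passed as a `dict`. Quoting the expanded namespaces (`| quote`) at the same time removes the implicit-typing risk for number-like names. The first RoleBinding's opening lines (the `kind: RoleBinding` shown in the hunk header) are outside the hunk. A sketch of the helper and the two call sites that would replace this file's body:
```yaml
{{ define "jenkins-operator.rolebinding" }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: jenkins-operator
  namespace: {{ .namespace | quote }}
subjects:
  - kind: ServiceAccount
    name: jenkins-operator
    namespace: {{ .subjectNamespace | quote }}
roleRef:
  kind: Role
  name: jenkins-operator
  apiGroup: rbac.authorization.k8s.io
{{ end }}
{{ template "jenkins-operator.rolebinding" (dict "namespace" .Release.Namespace "subjectNamespace" .Release.Namespace) }}
{{ if ne .Release.Namespace .Values.jenkins.namespace }}
{{ template "jenkins-operator.rolebinding" (dict "namespace" .Values.jenkins.namespace "subjectNamespace" .Release.Namespace) }}
{{ end }}
```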


@ -73,7 +73,7 @@ jenkins:
# - name: job-dsl
# version: "1.77"
# - name: configuration-as-code
# version: "1.46"
# version: "1.47"
# - name: kubernetes-credentials-provider
# version: 0.15
basePlugins: