diff --git a/sonobuoy/templates/serviceaccount-readonly.yaml b/sonobuoy/templates/serviceaccount-readonly.yaml new file mode 100644 index 00000000..913db39e --- /dev/null +++ b/sonobuoy/templates/serviceaccount-readonly.yaml @@ -0,0 +1,108 @@ +{{/* +Copyright 2019 The Openstack-Helm Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* +Enabling this manifest enables the usage of a ServiceAccount with +readonly permissions for Sonobuoy plugins that mount the created +token. + +To use this readonly ServiceAccount mount the ServiceAccountToken in +`values.yaml` like: + +``` +conf: + plugins: + - name: plugin-needing-readonly.yaml + data: | + sonobuoy-config: + driver: Job + plugin-name: plugin-needing-readonly + result-type: plugin-needing-readonly + spec: + name: plugin-needing-readonly + image: "plugin-needing-readonly:latest" + imagePullPolicy: "IfNotPresent" + volumeMounts: + - mountPath: /tmp/results + name: results + readOnly: false + - name: readonly-token + # It's recommended to use this mountPath to overwrite the + # Sonobuoy service account credentials that are mounted + # by default in the plugin containers to prevent plugins + # from accidentally using credentials with full permissions. + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + extra-volumes: + - name: readonly-token + secret: + secretName: sonobuoy-readonly-serviceaccount-token-secret +``` + +After mounting the readonly token, the example at +https://github.com/kubernetes-client/python/tree/3fb2be14e18d84edef094bbd908b6bb3e39aafe6#example +may be referenced to list pods, etc. +*/}} + +{{- if .Values.manifests.serviceaccount_readonly }} +{{- $envAll := . }} + +{{- $serviceAccountName := "sonobuoy-readonly-serviceaccount" }} +{{ tuple $envAll "sonobuoy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sonobuoy-readonly-clusterrole +rules: +- apiGroups: + - "*" + resources: + - "*" + verbs: + - "get" + - "list" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: sonobuoy-readonly-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: sonobuoy-readonly-clusterrole +subjects: +- kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ $serviceAccountName }}-token-secret + namespace: {{ .Release.Namespace }} + annotations: + kubernetes.io/service-account.name: {{ $serviceAccountName }} + {{/* + post-install hook is required to cause ServiceAccount to be deployed + before creating a secret token for it. By default helm deploys secrets + before ServiceAccounts which causes this secret to not exist since the + ServiceAccount is missing. + */}} + "helm.sh/hook": "post-install" +--- +{{- end }} diff --git a/sonobuoy/values.yaml b/sonobuoy/values.yaml index 01fc1b2a..e272cedb 100644 --- a/sonobuoy/values.yaml +++ b/sonobuoy/values.yaml @@ -97,6 +97,7 @@ manifests: pod_api: true secret_etc: true secret_keystone: true + serviceaccount_readonly: false conf: publish_results: true