Merge "namespace-config: Grant access to existing PSP"

namespace-config/Chart.yaml

@@ -15,6 +15,6 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Namespace Config
 name: namespace-config
-version: 0.1.0
+version: 0.1.1
 home: https://kubernetes.io/docs/concepts/policy/limit-range/
 ...

namespace-config/templates/psp-rbac.yaml

@@ -0,0 +1,29 @@
+{{- if (not (empty .Values.podSecurityPolicy.existingPsp)) -}}
+{{- $name := printf "psp:%s:%s" .Release.Name .Values.podSecurityPolicy.existingPsp -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $name }}
+subjects:
+- kind: Group
+  name: system:serviceaccounts:{{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ $name }}
+rules:
+- apiGroups:
+  - policy
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+  resourceNames:
+  - {{ .Values.podSecurityPolicy.existingPsp }}
+{{- end -}}

namespace-config/values.yaml

@@ -24,4 +24,10 @@ limits:
     defaultRequest:
       cpu: 0.1
       memory: 64Mi
+
+podSecurityPolicy:
+  # Optionally specify the name of an existing pod security policy.
+  # If specified, a role and rolebinding will be created granting access for
+  # service accounts in this namespace to use existingPsp.
+  existingPsp: ""
 ...

releasenotes/notes/namespace-config.yaml

@@ -1,4 +1,5 @@
 ---
 namespace-config:
   - 0.1.0 Initial Chart
+  - 0.1.1 Grant access to existing PodSecurityPolicy
 ...