feature: additional cluster roles for secretproviderclasses

Adding Admin and Viewer cluster roles, aggregaring to default "admin" and "view" ClusterRoles. Fixes kubernetes-sigs#835
anapsix · Jan 11, 2022 · 98bf1f1 · 98bf1f1
1 parent aada382
commit 98bf1f1
Show file tree

Hide file tree

Showing 4 changed files with 90 additions and 0 deletions.
diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+{{ end }}
diff --git a/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml b/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+{{ end }}
diff --git a/...t_staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml b/...t_staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-admin.yaml
@@ -0,0 +1,25 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+  name: secretproviderclasses-admin-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+{{ end }}
diff --git a/..._staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml b/..._staging/charts/secrets-store-csi-driver/templates/role-secretproviderclasses-viewer.yaml
@@ -0,0 +1,20 @@
+{{ if .Values.rbac.install }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+  name: secretproviderclasses-viewer-role
+rules:
+- apiGroups:
+  - secrets-store.csi.x-k8s.io
+  resources:
+  - secretproviderclasses
+  verbs:
+  - get
+  - list
+  - watch
+{{ end }}