151 lines
4.4 KiB
YAML
151 lines
4.4 KiB
YAML
{{ if .Values.rbac.create }}
|
|
{{- $serviceName := include "jenkins.fullname" . -}}
|
|
|
|
# This role is used to allow Jenkins scheduling of agents via Kubernetes plugin.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ $serviceName }}-schedule-agents
|
|
namespace: {{ template "jenkins.agent.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["pods", "pods/exec", "pods/log", "persistentvolumeclaims", "events"]
|
|
verbs: ["get", "list", "watch"]
|
|
- apiGroups: [""]
|
|
resources: ["pods", "pods/exec", "persistentvolumeclaims"]
|
|
verbs: ["create", "delete", "deletecollection", "patch", "update"]
|
|
|
|
---
|
|
|
|
# We bind the role to the Jenkins service account. The role binding is created in the namespace
|
|
# where the agents are supposed to run.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ $serviceName }}-schedule-agents
|
|
namespace: {{ template "jenkins.agent.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ $serviceName }}-schedule-agents
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ template "jenkins.serviceAccountName" .}}
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
|
|
---
|
|
|
|
{{- if .Values.rbac.readSecrets }}
|
|
# This is needed if you want to use https://jenkinsci.github.io/kubernetes-credentials-provider-plugin/
|
|
# as it needs permissions to get/watch/list Secrets
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ template "jenkins.fullname" . }}-read-secrets
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["secrets"]
|
|
verbs: ["get", "watch", "list"]
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ $serviceName }}-read-secrets
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ template "jenkins.fullname" . }}-read-secrets
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ template "jenkins.serviceAccountName" . }}
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
|
|
---
|
|
{{- end}}
|
|
|
|
{{- if .Values.rbac.useOpenShiftNonRootSCC }}
|
|
# This is needed if you are running on OpenShift and using the default
|
|
# containerSecurityContext in the chart. It grants the Jenkins service account
|
|
# permission to use the "nonroot" and "nonroot-v2" SecurityContextConstraints.
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ $serviceName }}-use-nonroot-scc
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: ["security.openshift.io"]
|
|
resources: ["securitycontextconstraints"]
|
|
resourceNames: ["nonroot", "nonroot-v2"]
|
|
verbs: ["use"]
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ $serviceName }}-use-nonroot-scc
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ template "jenkins.fullname" . }}-use-nonroot-scc
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ template "jenkins.serviceAccountName" . }}
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
|
|
---
|
|
{{- end}}
|
|
|
|
{{- if .Values.controller.sidecars.configAutoReload.enabled }}
|
|
# The sidecar container which is responsible for reloading configuration changes
|
|
# needs permissions to watch ConfigMaps
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ template "jenkins.fullname" . }}-casc-reload
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
rules:
|
|
- apiGroups: [""]
|
|
resources: ["configmaps"]
|
|
verbs: ["get", "watch", "list"]
|
|
|
|
---
|
|
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ $serviceName }}-watch-configmaps
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
labels:
|
|
{{- include "jenkins.labels" . | nindent 4 }}
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ template "jenkins.fullname" . }}-casc-reload
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ template "jenkins.serviceAccountName" . }}
|
|
namespace: {{ template "jenkins.namespace" . }}
|
|
|
|
{{- end}}
|
|
|
|
{{ end }}
|