From c0d99546cca5349e414f3d3b5fbc7d686fee39d9 Mon Sep 17 00:00:00 2001 From: Scott Nichols Date: Wed, 27 Sep 2017 15:34:45 -0700 Subject: [PATCH 1/6] Duplicating rbac definition for v1 api endpoint. --- charts/catalog/templates/rbac.yaml | 145 ++++++++++++++++++++++++++++- 1 file changed, 144 insertions(+), 1 deletion(-) diff --git a/charts/catalog/templates/rbac.yaml b/charts/catalog/templates/rbac.yaml index eb33105819c..98a4c953f19 100644 --- a/charts/catalog/templates/rbac.yaml +++ b/charts/catalog/templates/rbac.yaml 
@@ -1,4 +1,147 @@ -{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +apiVersion: v1 +kind: List +items: + +### API Server ### + +# TODO: if this is just for namespace lifecycle admission, move to a generic role +# the role for the apiserver +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "servicecatalog.k8s.io:apiserver" + # this rule defined on the role for specifically the + # namespace-lifecycle admission-controller + rules: + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +# API-server service-account gets its own role +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "servicecatalog.k8s.io:apiserver" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "servicecatalog.k8s.io:apiserver" + subjects: + - apiGroup: "" + kind: ServiceAccount + name: "{{ .Values.apiserver.serviceAccount }}" + namespace: "{{ .Release.Namespace }}" +# apiserver gets the auth-delegator role to delegate auth decisions to +# the core apiserver +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "servicecatalog.k8s.io:apiserver-auth-delegator" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system:auth-delegator + subjects: + - apiGroup: "" + kind: ServiceAccount + name: "{{ .Values.apiserver.serviceAccount }}" + namespace: "{{ .Release.Namespace }}" +# apiserver gets the ability to read authentication. 
This allows it to +# read the specific configmap that has the requestheader-* entries to +# enable api aggregation +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: "servicecatalog.k8s.io:apiserver-authentication-reader" + namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: extension-apiserver-authentication-reader + subjects: + - apiGroup: "" + kind: ServiceAccount + name: "{{ .Values.apiserver.serviceAccount }}" + namespace: "{{ .Release.Namespace }}" + +### Controller-Manager ### + +# controller-manager role defines what access the service-catalog +# controller-manager needs to manage the resources of the +# service-catalog +- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: "servicecatalog.k8s.io:controller-manager" + rules: + - apiGroups: [""] + resources: ["events"] + verbs: ["create","patch","update"] + # TODO: do not grant global access, limit to particular secrets referenced from serviceinstancecredentials + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get","create","delete"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get","list","watch"] + # access to our service-catalog types + - apiGroups: ["servicecatalog.k8s.io"] + resources: ["serviceclasses"] + verbs: ["get","list","watch","create","patch","update","delete"] + - apiGroups: ["servicecatalog.k8s.io"] + resources: ["serviceplans"] + verbs: ["get","list","watch","create","patch","update","delete"] + - apiGroups: ["servicecatalog.k8s.io"] + resources: ["servicebrokers","serviceinstances","serviceinstancecredentials"] + verbs: ["get","list","watch"] + - apiGroups: ["servicecatalog.k8s.io"] + resources: ["servicebrokers/status","serviceinstances/status","serviceinstancecredentials/status"] + verbs: ["update"] +# give the controller-manager service account access to whats defined in its role. 
+- apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: "servicecatalog.k8s.io:controller-manager" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "servicecatalog.k8s.io:controller-manager" + subjects: + - apiGroup: "" + kind: ServiceAccount + name: "{{ .Values.controllerManager.serviceAccount }}" + namespace: "{{ .Release.Namespace }}" + +# This gives create/update access to an endpoint in kube-system for leader election +# TODO: use an object other than endpoints, and in the same namespace as the service catalog, not in kube-system +- apiVersion: rbac.authorization.k8s.io/v1 + kind: Role + metadata: + name: "servicecatalog.k8s.io:leader-locking-controller-manager" + namespace: kube-system + rules: + - apiGroups: [""] + resources: ["endpoints"] + verbs: ["create"] + - apiGroups: [""] + resources: ["endpoints"] + resourceNames: ["service-catalog-controller-manager"] + verbs: ["get","update"] +- apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: service-catalog-controller-manager + namespace: kube-system + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "servicecatalog.k8s.io:leader-locking-controller-manager" + subjects: + - apiGroup: "" + kind: ServiceAccount + name: "{{ .Values.controllerManager.serviceAccount }}" + namespace: "{{ .Release.Namespace }}" +{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }} apiVersion: v1 kind: List items: From 1b24d6b66e827e07cb0311bc62481efe5a64fc5a Mon Sep 17 00:00:00 2001 From: Scott Nichols Date: Wed, 27 Sep 2017 16:01:24 -0700 Subject: [PATCH 2/6] Now using a variable for version. --- charts/catalog/templates/rbac.yaml | 169 +++-------------------------- 1 file changed, 17 insertions(+), 152 deletions(-) diff --git a/charts/catalog/templates/rbac.yaml b/charts/catalog/templates/rbac.yaml index 98a4c953f19..7349262f8dc 100644 --- a/charts/catalog/templates/rbac.yaml 
+++ b/charts/catalog/templates/rbac.yaml 
@@ -1,156 +1,21 @@ -{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} -apiVersion: v1 -kind: List -items: - -### API Server ### - -# TODO: if this is just for namespace lifecycle admission, move to a generic role -# the role for the apiserver -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: "servicecatalog.k8s.io:apiserver" - # this rule defined on the role for specifically the - # namespace-lifecycle admission-controller - rules: - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get", "list", "watch"] -# API-server service-account gets its own role -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: "servicecatalog.k8s.io:apiserver" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "servicecatalog.k8s.io:apiserver" - subjects: - - apiGroup: "" - kind: ServiceAccount - name: "{{ .Values.apiserver.serviceAccount }}" - namespace: "{{ .Release.Namespace }}" -# apiserver gets the auth-delegator role to delegate auth decisions to -# the core apiserver -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: "servicecatalog.k8s.io:apiserver-auth-delegator" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:auth-delegator - subjects: - - apiGroup: "" - kind: ServiceAccount - name: "{{ .Values.apiserver.serviceAccount }}" - namespace: "{{ .Release.Namespace }}" -# apiserver gets the ability to read authentication. 
This allows it to -# read the specific configmap that has the requestheader-* entries to -# enable api aggregation -- apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: "servicecatalog.k8s.io:apiserver-authentication-reader" - namespace: kube-system - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: extension-apiserver-authentication-reader - subjects: - - apiGroup: "" - kind: ServiceAccount - name: "{{ .Values.apiserver.serviceAccount }}" - namespace: "{{ .Release.Namespace }}" - -### Controller-Manager ### - -# controller-manager role defines what access the service-catalog -# controller-manager needs to manage the resources of the -# service-catalog -- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - name: "servicecatalog.k8s.io:controller-manager" - rules: - - apiGroups: [""] - resources: ["events"] - verbs: ["create","patch","update"] - # TODO: do not grant global access, limit to particular secrets referenced from serviceinstancecredentials - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get","create","delete"] - - apiGroups: [""] - resources: ["namespaces"] - verbs: ["get","list","watch"] - # access to our service-catalog types - - apiGroups: ["servicecatalog.k8s.io"] - resources: ["serviceclasses"] - verbs: ["get","list","watch","create","patch","update","delete"] - - apiGroups: ["servicecatalog.k8s.io"] - resources: ["serviceplans"] - verbs: ["get","list","watch","create","patch","update","delete"] - - apiGroups: ["servicecatalog.k8s.io"] - resources: ["servicebrokers","serviceinstances","serviceinstancecredentials"] - verbs: ["get","list","watch"] - - apiGroups: ["servicecatalog.k8s.io"] - resources: ["servicebrokers/status","serviceinstances/status","serviceinstancecredentials/status"] - verbs: ["update"] -# give the controller-manager service account access to whats defined in its role. 
-- apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRoleBinding - metadata: - name: "servicecatalog.k8s.io:controller-manager" - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "servicecatalog.k8s.io:controller-manager" - subjects: - - apiGroup: "" - kind: ServiceAccount - name: "{{ .Values.controllerManager.serviceAccount }}" - namespace: "{{ .Release.Namespace }}" +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +{{- $apiVersion := "rbac.authorization.k8s.io/v1" -}} +{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}} +{{- $apiVersion := "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- $apiVersion := "" -}} +{{- end -}} -# This gives create/update access to an endpoint in kube-system for leader election -# TODO: use an object other than endpoints, and in the same namespace as the service catalog, not in kube-system -- apiVersion: rbac.authorization.k8s.io/v1 - kind: Role - metadata: - name: "servicecatalog.k8s.io:leader-locking-controller-manager" - namespace: kube-system - rules: - - apiGroups: [""] - resources: ["endpoints"] - verbs: ["create"] - - apiGroups: [""] - resources: ["endpoints"] - resourceNames: ["service-catalog-controller-manager"] - verbs: ["get","update"] -- apiVersion: rbac.authorization.k8s.io/v1 - kind: RoleBinding - metadata: - name: service-catalog-controller-manager - namespace: kube-system - roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: "servicecatalog.k8s.io:leader-locking-controller-manager" - subjects: - - apiGroup: "" - kind: ServiceAccount - name: "{{ .Values.controllerManager.serviceAccount }}" - namespace: "{{ .Release.Namespace }}" -{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }} +{{- if $apiVersion }} apiVersion: v1 kind: List items: ### API Server ### - + # TODO: if this is just for namespace lifecycle admission, move to a generic role # the role for the apiserver -- apiVersion: 
rbac.authorization.k8s.io/v1beta1 +- apiVersion: {{ $apiVersion }} kind: ClusterRole metadata: name: "servicecatalog.k8s.io:apiserver" @@ -161,7 +26,7 @@ items: resources: ["namespaces"] verbs: ["get", "list", "watch"] # API-server service-account gets its own role -- apiVersion: rbac.authorization.k8s.io/v1beta1 +- apiVersion: {{ $apiVersion }} kind: ClusterRoleBinding metadata: name: "servicecatalog.k8s.io:apiserver" @@ -176,7 +41,7 @@ items: namespace: "{{ .Release.Namespace }}" # apiserver gets the auth-delegator role to delegate auth decisions to # the core apiserver -- apiVersion: rbac.authorization.k8s.io/v1beta1 +- apiVersion: {{ $apiVersion }} kind: ClusterRoleBinding metadata: name: "servicecatalog.k8s.io:apiserver-auth-delegator" @@ -192,7 +57,7 @@ items: # apiserver gets the ability to read authentication. This allows it to # read the specific configmap that has the requestheader-* entries to # enable api aggregation -- apiVersion: rbac.authorization.k8s.io/v1beta1 +- apiVersion: {{ $apiVersion }} kind: RoleBinding metadata: name: "servicecatalog.k8s.io:apiserver-authentication-reader" @@ -212,7 +77,7 @@ items: # controller-manager role defines what access the service-catalog # controller-manager needs to manage the resources of the # service-catalog -- apiVersion: rbac.authorization.k8s.io/v1beta1 +- apiVersion: {{ $apiVersion }} kind: ClusterRole metadata: name: "servicecatalog.k8s.io:controller-manager" @@ -241,7 +106,7 @@ items: resources: ["servicebrokers/status","serviceinstances/status","serviceinstancecredentials/status"] verbs: ["update"] # give the controller-manager service account access to whats defined in its role. -- apiVersion: rbac.authorization.k8s.io/v1beta1 +- apiVersion: {{ $apiVersion }} kind: ClusterRoleBinding metadata: name: "servicecatalog.k8s.io:controller-manager" 
@@ -257,7 +122,7 @@ items: # This gives create/update access to an endpoint in kube-system for leader election # TODO: use an object other than endpoints, and in the same namespace as the service catalog, not in kube-system -- apiVersion: rbac.authorization.k8s.io/v1beta1 +- apiVersion: {{ $apiVersion }} kind: Role metadata: name: "servicecatalog.k8s.io:leader-locking-controller-manager" @@ -270,7 +135,7 @@ items: resources: ["endpoints"] resourceNames: ["service-catalog-controller-manager"] verbs: ["get","update"] -- apiVersion: rbac.authorization.k8s.io/v1beta1 +- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: service-catalog-controller-manager From 2d8bdee61029c6351154571b6dc0616e1257fb8f Mon Sep 17 00:00:00 2001 From: Scott Nichols Date: Thu, 28 Sep 2017 12:30:47 -0700 Subject: [PATCH 3/6] Fixing variable assignment. --- charts/catalog/templates/rbac.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/charts/catalog/templates/rbac.yaml b/charts/catalog/templates/rbac.yaml index 7349262f8dc..041fc6e3701 100644 --- a/charts/catalog/templates/rbac.yaml +++ b/charts/catalog/templates/rbac.yaml @@ -1,9 +1,8 @@ +{{- $apiVersion := "" -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} {{- $apiVersion := "rbac.authorization.k8s.io/v1" -}} {{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}} {{- $apiVersion := "rbac.authorization.k8s.io/v1beta1" -}} -{{- else -}} -{{- $apiVersion := "" -}} {{- end -}} {{- if $apiVersion }} @@ -135,7 +134,7 @@ items: resources: ["endpoints"] resourceNames: ["service-catalog-controller-manager"] verbs: ["get","update"] -- apiVersion: rbac.authorization.k8s.io/v1 +- apiVersion: {{ $apiVersion }} kind: RoleBinding metadata: name: service-catalog-controller-manager From 59773cbbf79ae7591a635f091d3ea24ed9ad85de Mon Sep 17 00:00:00 2001 
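Review bot: The `{{- $apiVersion := "..." -}}` lines inside the `if`/`else if` branches declare a new, block-scoped variable that shadows the `{{- $apiVersion := "" -}}` added on the line above, so the outer variable keeps its empty value and the `{{- if $apiVersion }}` gate below the hunk never renders the RBAC List at all. That is the Go text/template scoping rule rather than an ordering problem, so the branch reorder in patch 4 cannot change the outcome. Patch 5 switches to `{{- $apiVersion = "..." -}}`, which is the construct that actually assigns to the outer variable, but assignment with `=` only exists in text/template from Go 1.11 onward, so Helm builds on older Go are likely to fail to parse the template; patch 6's named-template helper sidesteps both issues.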
From: Scott Nichols Date: Tue, 10 Oct 2017 10:53:46 -0700 Subject: [PATCH 4/6] Wondering if ordering matters. --- charts/catalog/templates/rbac.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/charts/catalog/templates/rbac.yaml b/charts/catalog/templates/rbac.yaml index 0be8fdfd80f..b33fa809163 100644 --- a/charts/catalog/templates/rbac.yaml +++ b/charts/catalog/templates/rbac.yaml @@ -1,8 +1,8 @@ {{- $apiVersion := "" -}} -{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} -{{- $apiVersion := "rbac.authorization.k8s.io/v1" -}} -{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}} {{- $apiVersion := "rbac.authorization.k8s.io/v1beta1" -}} +{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} +{{- $apiVersion := "rbac.authorization.k8s.io/v1" -}} {{- end -}} {{- if $apiVersion }} From edf9d0556bf97aa511e5bb92e3724715e2306a5a Mon Sep 17 00:00:00 2001 From: Scott Nichols Date: Fri, 13 Oct 2017 14:27:12 -0700 Subject: [PATCH 5/6] Fixing assignment for apiVerison. --- charts/catalog/templates/rbac.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/catalog/templates/rbac.yaml b/charts/catalog/templates/rbac.yaml index b33fa809163..58569130f4c 100644 --- a/charts/catalog/templates/rbac.yaml +++ b/charts/catalog/templates/rbac.yaml @@ -1,8 +1,8 @@ {{- $apiVersion := "" -}} {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}} -{{- $apiVersion := "rbac.authorization.k8s.io/v1beta1" -}} +{{- $apiVersion = "rbac.authorization.k8s.io/v1beta1" -}} {{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}} -{{- $apiVersion := "rbac.authorization.k8s.io/v1" -}} +{{- $apiVersion = "rbac.authorization.k8s.io/v1" -}} {{- end -}} {{- if $apiVersion }} From c30adf7c69bf0b0fa6bf203840e0a6008bd9899f Mon Sep 17 00:00:00 2001 
From: Scott Nichols Date: Fri, 13 Oct 2017 15:50:50 -0700 Subject: [PATCH 6/6] Working version of v1 vs v1beta1 rbac selection. --- charts/catalog/templates/_helpers.tpl | 12 ++++++++++++ charts/catalog/templates/rbac.yaml | 27 ++++++++++----------------- charts/catalog/values.yaml | 3 +++ 3 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/charts/catalog/templates/_helpers.tpl b/charts/catalog/templates/_helpers.tpl
index 458fc1b0ce4..ee6c8614101 100644
--- a/charts/catalog/templates/_helpers.tpl
+++ b/charts/catalog/templates/_helpers.tpl
@@ -7,3 +7,15 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "fullname" -}}
 {{- printf "%s-%s" .Release.Name .Chart.Name | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Conditionally print out rbac api verison.
+This will select v1 before v1beta1 if both are available.
+*/}}
+{{- define "rbacApiVersion" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+rbac.authorization.k8s.io/v1
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- end -}}
+{{- end -}}
diff --git a/charts/catalog/templates/rbac.yaml b/charts/catalog/templates/rbac.yaml
index 58569130f4c..e642a508171 100644
--- a/charts/catalog/templates/rbac.yaml
+++ b/charts/catalog/templates/rbac.yaml
@@ -1,11 +1,4 @@
-{{- $apiVersion := "" -}}
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}
-{{- $apiVersion = "rbac.authorization.k8s.io/v1beta1" -}}
-{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
-{{- $apiVersion = "rbac.authorization.k8s.io/v1" -}}
-{{- end -}}
-
-{{- if $apiVersion }}
+{{- if .Values.rbacEnable }}
 apiVersion: v1
 kind: List
 items:
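Review bot: The new `rbacApiVersion` template has no fallback branch, so on a cluster that reports neither rbac.authorization.k8s.io/v1 nor v1beta1 it renders an empty string and every `apiVersion: {{template "rbacApiVersion" . }}` line in rbac.yaml becomes a null value, producing objects the API server will reject. Until this patch the `{{- if $apiVersion }}` gate skipped the whole List in that case; the rbac.yaml hunk in the same patch replaces it with `{{- if .Values.rbacEnable }}`, which defaults to true in values.yaml and no longer consults cluster capabilities, so the two hunks together remove the only guard. Consider either an `{{- else -}}` branch that aborts the render with a clear message (Helm's `required`/`fail` helpers, where the targeted Helm version provides them) or gating rbac.yaml on both the flag and a non-empty helper result via `include`, since the output of `template` cannot be used in an expression. The comment above the define also misspells "verison"; `Conditionally print out the rbac api version.` would fix it.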
@@ -14,7 +7,7 @@ items: # TODO: if this is just for namespace lifecycle admission, move to a generic role # the role for the apiserver -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: ClusterRole metadata: name: "servicecatalog.k8s.io:apiserver" @@ -25,7 +18,7 @@ items: resources: ["namespaces"] verbs: ["get", "list", "watch"] # API-server service-account gets its own role -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: ClusterRoleBinding metadata: name: "servicecatalog.k8s.io:apiserver" @@ -40,7 +33,7 @@ items: namespace: "{{ .Release.Namespace }}" # apiserver gets the auth-delegator role to delegate auth decisions to # the core apiserver -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: ClusterRoleBinding metadata: name: "servicecatalog.k8s.io:apiserver-auth-delegator" @@ -56,7 +49,7 @@ items: # apiserver gets the ability to read authentication. This allows it to # read the specific configmap that has the requestheader-* entries to # enable api aggregation -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: RoleBinding metadata: name: "servicecatalog.k8s.io:apiserver-authentication-reader" @@ -76,7 +69,7 @@ items: # controller-manager role defines what access the service-catalog # controller-manager needs to manage the resources of the # service-catalog -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: ClusterRole metadata: name: "servicecatalog.k8s.io:controller-manager" @@ -105,7 +98,7 @@ items: resources: ["clusterservicebrokers/status","serviceinstances/status","serviceinstances/reference","servicebindings/status"] verbs: ["update"] # give the controller-manager service account access to whats defined in its role. -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: ClusterRoleBinding metadata: name: "servicecatalog.k8s.io:controller-manager" 
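Review bot: `{{template "rbacApiVersion" . }}` is spaced inconsistently — no space after the opening braces but one before the closing — while every other action in this file is written `{{ ... }}`; `{{ template "rbacApiVersion" . }}` matches the file's existing form. The same spelling appears in all six apiVersion replacements in this hunk group and in the two rbac.yaml hunks that follow it. The rendered value itself is unaffected, because the define trims its own whitespace with `-}}`, so this is purely a readability point.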
@@ -121,7 +114,7 @@ items: # This gives create/update access to an endpoint in kube-system for leader election # TODO: use an object other than endpoints, and in the same namespace as the service catalog, not in kube-system -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: Role metadata: name: "servicecatalog.k8s.io:leader-locking-controller-manager" @@ -134,7 +127,7 @@ items: resources: ["endpoints"] resourceNames: ["service-catalog-controller-manager"] verbs: ["get","update"] -- apiVersion: {{ $apiVersion }} +- apiVersion: {{template "rbacApiVersion" . }} kind: RoleBinding metadata: name: service-catalog-controller-manager @@ -148,4 +141,4 @@ items: kind: ServiceAccount name: "{{ .Values.controllerManager.serviceAccount }}" namespace: "{{ .Release.Namespace }}" -{{ end }} +{{end}} diff --git a/charts/catalog/values.yaml b/charts/catalog/values.yaml index 85554f2a877..1cdb193a3ac 100644 --- a/charts/catalog/values.yaml +++ b/charts/catalog/values.yaml @@ -1,6 +1,9 @@ # Default values for Service Catalog # determines whether the API server should be registered with the kube-aggregator useAggregator: false +## If true, create & use RBAC resources +## +rbacEnable: true apiserver: # apiserver image to use image: quay.io/kubernetes-service-catalog/apiserver:v0.1.0-rc1
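Review bot: `rbacEnable: true` is documented only as "create & use RBAC resources", which does not tell an operator what the flag trades off: with it set to false the apiserver and controller-manager service accounts get none of the bindings in rbac.yaml (the auth-delegator ClusterRoleBinding, the kube-system authentication-reader RoleBinding, the leader-election Role), so on an RBAC-enforcing cluster equivalent grants presumably have to be managed outside the chart or the components will not be authorized. The comment also does not say that, with the flag on, the API version is chosen automatically by the `rbacApiVersion` helper and that the chart no longer checks whether the cluster exposes an RBAC API at all. Suggest expanding it to `## If true, create the RBAC roles and bindings the apiserver and controller-manager` / `## service accounts need (API version is auto-detected). Set to false only when these` / `## permissions are managed outside this chart, e.g. on a cluster without RBAC.`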