Adding rbac definition for v1 api endpoint.

charts/catalog/templates/rbac.yaml

@@ -1,13 +1,20 @@
-{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" }}
+{{- $apiVersion := "" -}}
+{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
+{{- $apiVersion := "rbac.authorization.k8s.io/v1" -}}
+{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}
+{{- $apiVersion := "rbac.authorization.k8s.io/v1beta1" -}}
+{{- end -}}
+
+{{- if $apiVersion }}
 apiVersion: v1
 kind: List
 items:
 
 ### API Server ###
-  
+
 # TODO: if this is just for namespace lifecycle admission, move to a generic role
 # the role for the apiserver 
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: ClusterRole
   metadata:
     name: "servicecatalog.k8s.io:apiserver"
@@ -18,7 +25,7 @@ items:
     resources: ["namespaces"]
     verbs:     ["get", "list", "watch"]
 # API-server service-account gets its own role
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: ClusterRoleBinding
   metadata:
     name: "servicecatalog.k8s.io:apiserver"
@@ -33,7 +40,7 @@ items:
     namespace: "{{ .Release.Namespace }}"
 # apiserver gets the auth-delegator role to delegate auth decisions to
 # the core apiserver
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: ClusterRoleBinding
   metadata:
     name: "servicecatalog.k8s.io:apiserver-auth-delegator"
@@ -49,7 +56,7 @@ items:
 # apiserver gets the ability to read authentication. This allows it to
 # read the specific configmap that has the requestheader-* entries to
 # enable api aggregation
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: RoleBinding
   metadata:
     name: "servicecatalog.k8s.io:apiserver-authentication-reader"
@@ -69,7 +76,7 @@ items:
 # controller-manager role defines what access the service-catalog
 # controller-manager needs to manage the resources of the
 # service-catalog
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: ClusterRole
   metadata:
     name: "servicecatalog.k8s.io:controller-manager"
@@ -98,7 +105,7 @@ items:
     resources: ["servicebrokers/status","serviceinstances/status","serviceinstancecredentials/status"]
     verbs:     ["update"]
 # give the controller-manager service account access to whats defined in its role.
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: ClusterRoleBinding
   metadata:
     name: "servicecatalog.k8s.io:controller-manager"
@@ -114,7 +121,7 @@ items:
 
 # This gives create/update access to an endpoint in kube-system for leader election
 # TODO: use an object other than endpoints, and in the same namespace as the service catalog, not in kube-system
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: Role
   metadata:
     name: "servicecatalog.k8s.io:leader-locking-controller-manager"
@@ -127,7 +134,7 @@ items:
     resources:     ["endpoints"]
     resourceNames: ["service-catalog-controller-manager"]
     verbs:         ["get","update"]
-- apiVersion: rbac.authorization.k8s.io/v1beta1
+- apiVersion: {{ $apiVersion }}
   kind: RoleBinding
   metadata:
     name: service-catalog-controller-manager