-
Notifications
You must be signed in to change notification settings - Fork 691
/
controller.jsonnet
116 lines (106 loc) · 3.12 KB
/
controller.jsonnet
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
// This is the recommended cluster deployment of sealed-secrets.
// See controller-norbac.jsonnet for the bare minimum functionality.
local controller = import 'controller-norbac.jsonnet';
controller {
local kube = self.kube,
account: kube.ServiceAccount('sealed-secrets-controller') + $.namespace,
unsealerRole: kube.ClusterRole('secrets-unsealer') {
rules: [
{
apiGroups: ['bitnami.com'],
resources: ['sealedsecrets'],
verbs: ['get', 'list', 'watch'],
},
{
apiGroups: ['bitnami.com'],
resources: ['sealedsecrets/status'],
verbs: ['update'],
},
{
apiGroups: [''],
resources: ['secrets'],
verbs: ['get', 'list', 'create', 'update', 'delete', 'watch'],
},
{
apiGroups: [''],
resources: ['events'],
verbs: ['create', 'patch'],
},
{
apiGroups: [''],
resources: ['namespaces'],
verbs: ['get'],
},
],
},
unsealKeyRole: kube.Role('sealed-secrets-key-admin') + $.namespace {
rules: [
{
apiGroups: [''],
resources: ['secrets'],
// Can't limit create by resource name as keys are produced on the fly
verbs: ['create', 'list'],
},
],
},
serviceProxierRole: kube.Role('sealed-secrets-service-proxier') + $.namespace {
rules: [
{
apiGroups: [
'',
],
resources: [
'services',
],
resourceNames: [
'sealed-secrets-controller',
],
// kubeseal dynamically obtains the service port name so later on
// can access the service using a proxy
verbs: [
'get',
],
},
{
apiGroups: [
'',
],
resources: [
'services/proxy',
],
resourceNames: [
'http:sealed-secrets-controller:', // kubeseal uses net.JoinSchemeNamePort when crafting proxy subresource URLs
'http:sealed-secrets-controller:http',
'sealed-secrets-controller', // but often services are referred by name only, let's not make it unnecessarily cryptic
],
verbs: [
'create', // rotate and validate endpoints expect POST, see https://kubernetes.io/docs/reference/access-authn-authz/authorization/#determine-the-request-verb
'get',
],
},
],
},
unsealerBinding: kube.ClusterRoleBinding('sealed-secrets-controller') {
roleRef_: $.unsealerRole,
subjects_+: [$.account],
},
unsealKeyBinding: kube.RoleBinding('sealed-secrets-controller') + $.namespace {
roleRef_: $.unsealKeyRole,
subjects_+: [$.account],
},
serviceProxierBinding: kube.RoleBinding('sealed-secrets-service-proxier') + $.namespace {
roleRef_: $.serviceProxierRole,
// kube.libsonnet assumes object here have a namespace, but system groups don't
// thus are not supposed to use the magic "_" here.
subjects+: [kube.Group('system:authenticated')],
},
controller+: {
spec+: {
template+: {
spec+: {
serviceAccountName: $.account.metadata.name,
},
},
},
},
}