diff --git a/modules/eks/idp-roles/charts/idp-roles/Chart.yaml b/modules/eks/idp-roles/charts/idp-roles/Chart.yaml
index 35b5bbfae..19b759c5d 100644
--- a/modules/eks/idp-roles/charts/idp-roles/Chart.yaml
+++ b/modules/eks/idp-roles/charts/idp-roles/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.1.0"
+appVersion: "0.2.0"
diff --git a/modules/eks/idp-roles/charts/idp-roles/templates/clusterrole-reader-extra.yaml b/modules/eks/idp-roles/charts/idp-roles/templates/clusterrole-reader-extra.yaml
new file mode 100644
index 000000000..2e7d454db
--- /dev/null
+++ b/modules/eks/idp-roles/charts/idp-roles/templates/clusterrole-reader-extra.yaml
@@ -0,0 +1,42 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: "{{ .Values.reader_cluster_role }}-extra"
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-reader: "true"
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - list
+      - get
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - list
+      - get
+  - apiGroups:
+      - storage.k8s.io
+    resources:
+      - storageclasses
+    verbs:
+      - list
+      - get
+  - apiGroups:
+      - karpenter.k8s.aws
+    resources:
+      - ec2nodeclasses
+    verbs:
+      - list
+      - get
+  - apiGroups:
+      - karpenter.sh
+    resources:
+      - nodepools
+    verbs:
+      - list
+      - get
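Review bot: The first rule in clusterrole-reader-extra.yaml grants `get` and `list` on `secrets` in the core API group, and because this is a ClusterRole aggregated into the reader role, every member of the reader group can read the full contents of every Secret in every namespace (service-account tokens, TLS keys, application credentials) — `list` returns the data, not just the names. The built-in `view` ClusterRole that this role also aggregates deliberately excludes secrets for exactly this reason, so a role named "reader" silently becomes a credential-access role. If read access to secrets is required, scope it to the specific namespaces that need it with a namespaced Role and RoleBinding, or drop the rule; if the cluster-wide grant is intentional, record why with a comment above the rule such as `# NOTE: cluster-wide read on secrets exposes every credential in the cluster; reviewed and accepted for <reason>`. The remaining rules (CRDs, StorageClasses, Karpenter EC2NodeClasses and NodePools) are read-only metadata and look appropriate for a reader role.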
diff --git a/modules/eks/idp-roles/charts/idp-roles/templates/clusterrole-reader.yaml b/modules/eks/idp-roles/charts/idp-roles/templates/clusterrole-reader.yaml
new file mode 100644
index 000000000..2e536dfb2
--- /dev/null
+++ b/modules/eks/idp-roles/charts/idp-roles/templates/clusterrole-reader.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Values.reader_cluster_role | quote }}
+aggregationRule:
+  clusterRoleSelectors:
+    - matchLabels:
+        rbac.authorization.k8s.io/aggregate-to-view: "true"
+    - matchLabels:
+        rbac.authorization.k8s.io/aggregate-to-observer: "true"
+    - matchLabels:
+        rbac.authorization.k8s.io/aggregate-to-reader: "true"
diff --git a/modules/eks/idp-roles/charts/idp-roles/templates/clusterrolebinding-reader.yaml b/modules/eks/idp-roles/charts/idp-roles/templates/clusterrolebinding-reader.yaml
new file mode 100644
index 000000000..2723b9d7e
--- /dev/null
+++ b/modules/eks/idp-roles/charts/idp-roles/templates/clusterrolebinding-reader.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Values.reader_crb_name | quote }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.reader_cluster_role | quote }}
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: Group
+  name: {{ .Values.reader_client_role | quote }}
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: {{ .Values.reader_client_role | quote }}
diff --git a/modules/eks/idp-roles/charts/idp-roles/values.yaml b/modules/eks/idp-roles/charts/idp-roles/values.yaml
index 6d4ef2192..af8066ecc 100644
--- a/modules/eks/idp-roles/charts/idp-roles/values.yaml
+++ b/modules/eks/idp-roles/charts/idp-roles/values.yaml
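Review bot: The effective permissions of the reader ClusterRole are not visible anywhere in this chart, because the three `clusterRoleSelectors` make the API server union in every ClusterRole in the cluster that carries one of those labels — the built-in `view` role, the chart's own observer and reader-extra roles, and any role a later-installed operator or third-party chart ships with `aggregate-to-view: "true"`. That means the reader role's scope can grow without a change to this file or a chart version bump, which is easy to miss in review. A short header comment would make this explicit, for example `# Aggregated role: rules are computed by the API server from every ClusterRole labelled aggregate-to-view, aggregate-to-observer or aggregate-to-reader, including roles installed by other charts; audit with 'kubectl get clusterrole <name> -o yaml' rather than this file.` Also worth stating in that comment that the selectors are unioned, so a reader gets everything an observer gets plus whatever `view` carries.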
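Review bot: The `subjects` list in clusterrolebinding-reader.yaml binds the same value, `reader_client_role`, both as a `Group` and as a `User`, so a principal whose authenticated username happens to equal the group name (for instance if the IdP mapping is ever changed to put the role claim into the username) receives the reader role without being a member of the group. This is presumably done so the binding works regardless of which OIDC claim the IdP mapping uses, but nothing in the template says so; if the existing observer and poweruser bindings (outside this diff) do the same, the chart-wide rationale belongs in a comment. Either drop the `User` subject so only group membership grants the role, or add above `subjects:` a comment such as `# Bound as both Group and User because the IdP may present the role claim as either; keep in sync with the OIDC claim mapping` so the intent is auditable.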
@@ -27,3 +27,8 @@ poweruser_client_role: "idp:poweruser"
 observer_crb_name: "idp-observer"
 observer_cluster_role: "idp-observer"
 observer_client_role: "idp:observer"
+
+# Reader
+reader_crb_name: "idp-reader"
+reader_cluster_role: "idp-reader"
+reader_client_role: "idp:reader"