From 7166af630d64bed62453683d4e2358ecc94a424b Mon Sep 17 00:00:00 2001
From: Olamide
Date: Thu, 24 Oct 2024 15:29:35 +0100
Subject: [PATCH 1/3] Grant cluster wide crd access to deploy roles
---
 aws/deploy-role-bindings/main.tf | 35 ++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/aws/deploy-role-bindings/main.tf b/aws/deploy-role-bindings/main.tf
index 8855c71d..51b99a0e 100644
--- a/aws/deploy-role-bindings/main.tf
+++ b/aws/deploy-role-bindings/main.tf
@@ -1,9 +1,8 @@
-resource "kubernetes_role_binding" "cluster" {
+resource "kubernetes_cluster_role_binding" "cluster" {
 for_each = toset(var.cluster_roles)
 metadata {
 name = var.name
- namespace = var.namespace
 }
 role_ref {
@@ -19,6 +18,38 @@ resource "kubernetes_role_binding" "cluster" {
 }
 }
+resource "kubernetes_cluster_role" "cluster_crd" {
+ metadata {
+ name = "${var.name}-cluster-crd"
+ }
+
+ rule {
+ api_groups = ["apiextensions.k8s.io"]
+ resources = ["customresourcedefinitions"]
+ verbs = ["get", "list"]
+ }
+}
+
+resource "kubernetes_cluster_role_binding" "cluster_crd" {
+ metadata {
+ name = "${var.name}-cluster-crd"
+ }
+
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = "${var.name}-cluster-crd"
+ }
+
+ subject {
+ kind = "Group"
+ name = var.group
+ api_group = "rbac.authorization.k8s.io"
+ }
+
+ depends_on = [ kubernetes_cluster_role.cluster_crd ]
+}
+
 resource "kubernetes_role_binding" "crd" {
 metadata {
 name = kubernetes_role.deploy_crd.metadata[0].name
From 087329fbee15b668953293b063fac23e48220b79 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 24 Oct 2024 14:30:03 +0000
Subject: [PATCH 2/3] terraform-docs: automated action
---
 aws/deploy-role-bindings/README.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/aws/deploy-role-bindings/README.md b/aws/deploy-role-bindings/README.md
index 925fa964..b8892d9d 100644
--- a/aws/deploy-role-bindings/README.md
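Review bot: Turning the `cluster` binding from a namespaced `kubernetes_role_binding` into a `kubernetes_cluster_role_binding` grants every role listed in var.cluster_roles to the subject across all namespaces, which is broader than the CRD read access the commit title describes; the dedicated `${var.name}-cluster-crd` ClusterRole added in the second hunk already covers that need on its own, so confirm the widening of the existing binding is intended and that var.cluster_roles contains nothing that should stay namespace-scoped. Dropping `namespace = var.namespace` also makes `metadata.name = var.name` a cluster-unique name, so two instances of this module with the same var.name in different namespaces (previously isolated by the namespace) will now conflict on apply; the same applies to the `${var.name}-cluster-crd` names in the second hunk. A short comment on the resource, such as `# ClusterRoleBinding: grants var.cluster_roles in every namespace, not just var.namespace`, would make the scope change visible to the next reader. The `role_ref` and `subject` of this resource continue outside the hunk.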
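Review bot: The `cluster_crd` binding's `role_ref` rebuilds the ClusterRole name as the string `"${var.name}-cluster-crd"` and then needs an explicit `depends_on`, while the sibling `crd` binding visible at the end of the hunk references `kubernetes_role.deploy_crd.metadata[0].name` instead, which keeps the two resources in sync and gives Terraform the dependency implicitly. Suggest `name = kubernetes_cluster_role.cluster_crd.metadata[0].name` in `role_ref` and removing the `depends_on` line. The rule grants only `get` and `list` on customresourcedefinitions; if the deploy workflow waits on CRD establishment with a watch-based client, `watch` would also be required, so confirm against the consumer before widening. A comment stating why deploy roles need cluster-wide CRD read, e.g. `# Deploy roles need to read CRDs cluster-wide before applying custom resources`, would document the intent.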
+++ b/aws/deploy-role-bindings/README.md
@@ -60,8 +60,10 @@ module "workload_platform" {
 | Name | Type |
 |------|------|
+| [kubernetes_cluster_role.cluster_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role) | resource |
+| [kubernetes_cluster_role_binding.cluster](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
+| [kubernetes_cluster_role_binding.cluster_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/cluster_role_binding) | resource |
 | [kubernetes_role.deploy_crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role) | resource |
-| [kubernetes_role_binding.cluster](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 | [kubernetes_role_binding.crd](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/role_binding) | resource |
 ## Inputs
From fd37749dfcceaf9dae06e5ece507f1cb331377a4 Mon Sep 17 00:00:00 2001
From: Olamide
Date: Thu, 24 Oct 2024 15:38:47 +0100
Subject: [PATCH 3/3] update terraform fmt
---
 aws/deploy-role-bindings/main.tf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/aws/deploy-role-bindings/main.tf b/aws/deploy-role-bindings/main.tf
index 51b99a0e..7fba2f4e 100644
--- a/aws/deploy-role-bindings/main.tf
+++ b/aws/deploy-role-bindings/main.tf
@@ -2,7 +2,7 @@ resource "kubernetes_cluster_role_binding" "cluster" {
 for_each = toset(var.cluster_roles)
 metadata {
- name = var.name
+ name = var.name
 }
 role_ref {
@@ -32,7 +32,7 @@ resource "kubernetes_cluster_role" "cluster_crd" {
 resource "kubernetes_cluster_role_binding" "cluster_crd" {
 metadata {
- name = "${var.name}-cluster-crd"
+ name = "${var.name}-cluster-crd"
 }
 role_ref {
@@ -47,7 +47,7 @@ resource "kubernetes_cluster_role_binding" "cluster_crd" {
 api_group = "rbac.authorization.k8s.io"
 }
- depends_on = [ kubernetes_cluster_role.cluster_crd ]
+ depends_on = [kubernetes_cluster_role.cluster_crd]
 }
 resource "kubernetes_role_binding" "crd" {