    Refactor RBAC for the controller and viking service. · 21cb2142
    Geoff Simmons authored
    If the controller is watching resources in all namespaces (CLI option namespace
    is not set, helm value vikingController.namespace is undefined or empty), then
    define a ClusterRole as we do now.
    
    In the helm chart we use the prefix "viking.uplex.de:" in the ClusterRole's
    name, since ClusterRoles are not namespaced.
    
    If the controller is watching one namespace (CLI option namespace, helm value
    vikingController.namespace are set to the namespace), define a Role in the
    namespace, and a RoleBinding to connect it to the ServiceAccount. Then the
    restriction to the namespace is enforced by RBAC.
    
    For the viking service (Varnish/haproxy-as-Ingress implementation): in place
    of the ClusterRole and ClusterRoleBinding we have now, define a Role and
    RoleBinding in the namespace in which the Pods run. This enforces the
    restriction to the namespace. RBAC is needed to read TLS Secrets, which must
    be in the same namespace.
    
    This means that the k8s-crt-dnldr running in the haproxy container must be
    invoked with the namespace CLI arg. For that, we use the downward API to
    pass POD_NAMESPACE into the container.
    
    The namespace example is adjusted for these changes, and a Makefile drives
    the tests, using both helm and kubectl.
    
    The architectures and varnish_pod_template tests have also been adjusted,
    although for now these are run only with kubectl.
rolebinding.yaml 604 Bytes
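The namespace-scoped RBAC described in the commit message, written out as an added example (this is not the project's own chart or manifest): a Role that grants only read access to Secrets in the Pods' namespace, a RoleBinding tying it to the ServiceAccount, and the downward-API environment variable that hands POD_NAMESPACE to the container. The namespace `example-ns`, the Role/ServiceAccount name `viking-service` and the image are placeholders; the page does not show the actual flag name that k8s-crt-dnldr takes, so none is given here.

```yaml
# Added example, not from the viking project. All names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: viking-service          # placeholder Role name
  namespace: example-ns         # the namespace the Ingress Pods run in (constructed)
rules:
  # Read-only access to Secrets in this namespace: enough to fetch TLS
  # certificates, and nothing cluster-wide.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: viking-service          # placeholder RoleBinding name
  namespace: example-ns
subjects:
  - kind: ServiceAccount
    name: viking-service        # placeholder ServiceAccount name
    namespace: example-ns
roleRef:
  kind: Role                    # a Role, not a ClusterRole: scope stays in example-ns
  name: viking-service
  apiGroup: rbac.authorization.k8s.io
---
# Pod fragment: the downward API populates POD_NAMESPACE, so a process in the
# container (the certificate downloader, per the commit message) can be given
# its own namespace as a CLI argument without hard-coding it in the image.
apiVersion: v1
kind: Pod
metadata:
  name: viking-haproxy-example # placeholder Pod name
  namespace: example-ns
spec:
  serviceAccountName: viking-service
  containers:
    - name: haproxy
      image: example.invalid/haproxy:placeholder   # placeholder image
      env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
```

To confirm that the restriction really is enforced by RBAC, impersonate the ServiceAccount with `kubectl auth can-i get secrets --as=system:serviceaccount:example-ns:viking-service -n example-ns` (expected: `yes`) and repeat the same command with `-n` pointing at any other namespace (expected: `no`); a ClusterRoleBinding would answer `yes` in both cases.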