From 8f5e9548158c8d3772e3b283e5d556efa157e1c2 Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi
Date: Fri, 15 Mar 2024 12:19:22 +0100
Subject: [PATCH] Create appropriate role/rolebinding for tenant

When running in OpenShift, tenant cointainer is dumping errors when being started. This fix sets appropriate role and rolebinding to use anyuid service account only for OpenShift deployment

Resolves: #73
Signed-off-by: Sergio Arroutbi
---
 .../charts/keylime-tenant/templates/_helpers.tpl | 14 ++++++++++++++
 .../charts/keylime-tenant/templates/role.yaml | 15 +++++++++++++++
 .../keylime-tenant/templates/rolebinding.yaml | 14 ++++++++++++++
 .../keylime/charts/keylime-tenant/values.yaml | 5 +++++
 4 files changed, 48 insertions(+)
 create mode 100644 build/helm/keylime/charts/keylime-tenant/templates/role.yaml
 create mode 100644 build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml

diff --git a/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
index 89f7511..e78816b 100644
--- a/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
+++ b/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
@@ -126,3 +126,17 @@ Define a custom image pullpolicy.
 {{- toYaml .Values.image.pullPolicy }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the role to use
+*/}}
+{{- define "tenant.roleName" -}}
+{{- default (include "tenant.fullname" .) .Values.role.name }}
+{{- end }}
+
+{{/*
+Create the name of the role binding to use
+*/}}
+{{- define "tenant.roleBindingName" -}}
+{{- default (include "tenant.fullname" .) .Values.roleBinding.name }}
+{{- end }}
\ No newline at end of file
diff --git a/build/helm/keylime/charts/keylime-tenant/templates/role.yaml b/build/helm/keylime/charts/keylime-tenant/templates/role.yaml
new file mode 100644
index 0000000..618ddaa
--- /dev/null
+++ b/build/helm/keylime/charts/keylime-tenant/templates/role.yaml
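Review bot: The final added line `{{- end }}` of the new `tenant.roleBindingName` helper is committed without a terminating newline (`\ No newline at end of file`), so the next helper appended to this file will show up as a modification of this line; end the file with a newline. The two header comments only name the helper, while the behaviour a chart user needs is the fallback, e.g. `Create the name of the role to use; defaults to the chart fullname when .Values.role.name is empty` and the equivalent wording for `roleBinding.name`. Both helpers depend on the `role` and `roleBinding` maps existing in values, so a parent chart that replaces this subchart's values wholesale will hit a nil-map error at render time — worth a mention in the same comment.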
@@ -0,0 +1,15 @@
+{{ if .Values.global.openshift }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tenant.roleName" . }}
+rules:
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - anyuid
+ verbs:
+ - use
+{{ end }}
diff --git a/build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml b/build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml
new file mode 100644
index 0000000..1396c26
--- /dev/null
+++ b/build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.global.openshift }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tenant.roleBindingName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tenant.roleName" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tenant.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/build/helm/keylime/charts/keylime-tenant/values.yaml b/build/helm/keylime/charts/keylime-tenant/values.yaml
index 36180df..6253c94 100644
--- a/build/helm/keylime/charts/keylime-tenant/values.yaml
+++ b/build/helm/keylime/charts/keylime-tenant/values.yaml
@@ -50,3 +50,8 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
+
+role:
+ name: ""
+roleBinding:
+ name: ""
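Review bot: The rule ending in `resourceNames: - anyuid` / `verbs: - use` grants the tenant service account use of the `anyuid` SCC, which lets the pod run as any UID including 0 and is a markedly broader privilege than the restricted SCC OpenShift assigns by default; the commit message justifies it only with start-up errors, so before this becomes the chart default it is worth confirming the image cannot instead run under an arbitrary non-root UID (or under the narrower `nonroot` SCC). If anyuid really is required, hard-coding it leaves no way to tighten it per deployment; consider reading the SCC name from a value, e.g. `- {{ .Values.role.sccName | default "anyuid" }}` (the value name is a suggestion), and stating in a header comment of the Role why the tenant needs it. Two style points shared with rolebinding.yaml: `{{ if .Values.global.openshift }}` / `{{ end }}` without whitespace trimming leave blank lines in the rendered manifest (`{{- if … }}` / `{{- end }}` avoids that), and the sequence under `rules:` is written flush (`- apiGroups:`) while `subjects:` in rolebinding.yaml is indented — pick one style for the chart.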
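Review bot: The binding's only subject is whatever `tenant.serviceAccountName` resolves to, and that helper is not part of this patch; if it follows the usual Helm scaffold and falls back to `default` when no dedicated service account is created, this RoleBinding would hand anyuid to every pod in the release namespace that runs under the default service account, not just the tenant. Worth checking the helper's fallback (rendering with service-account creation disabled shows it) and, if that is the case, either gating the binding on a dedicated service account or documenting the consequence in values.yaml. Both new objects also carry only `name:` under `metadata`; if the chart's other templates stamp common labels, these should too so the objects can be found alongside the rest of the release.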
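Review bot: The new keys `role.name` and `roleBinding.name` are added without a comment, so a chart user cannot tell from values.yaml that an empty string means the name is derived from the chart fullname (the fallback implemented by the new helpers in _helpers.tpl) or that the objects are rendered only when `global.openshift` is set, presumably by the parent chart. Suggest a comment above `role:` such as `# OpenShift only (global.openshift): Role/RoleBinding granting the tenant service account use of the anyuid SCC; an empty name falls back to the chart fullname`. Since this is where operators decide whether to accept that privilege, the comment should also say it is a UID-related relaxation rather than a naming detail.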