Inside the file values.yaml of the OPA chart I must activate RBAC using the following section:

    # NOTE IF you use these, remember to update the RBAC rules below to allow
    # permissions to get, list, watch, patch and update configmaps
    enabled: false
    namespaces: [opa, kube-federation-scheduling-policy]
    requireLabel: true
    replicate:
      # NOTE IF you use these, remember to update the RBAC rules below to allow
      # permissions to replicate these things
      cluster: []
      # - [group/]version/resource
      namespace: []
      # - [group/]version/resource
      path: kubernetes

As stated above, I must add the verbs get, list, watch, patch and update to the kind configmap.
Unfortunately I've got no idea how to make them fit the YAML...
I don't understand the following syntax:

    cluster: []
    # - [group/]version/resource
    namespace: []
    # - [group/]version/resource
    path: kubernetes

But I guess that the verbs fit in there somehow...
It's better to put all RBAC rules in a template and use a toggle to render that template, but it is also possible to put the rules in values.yaml and render it.
Example:
In values.yaml, provide a section like this:

    rbac:
      enabled: true
      rules:
        - apiGroups: [""]
          resources: ["pods"]
          verbs: ["get", "watch", "list"]

In a template (e.g. template/rbac.yaml), responsible for generating the rendered RBAC manifest:

    {{- if .Values.rbac.enabled -}}
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: pod-reader
    rules:
    {{ toYaml .Values.rbac.rules | indent 2 }}
    ---
    ....
    {{- end -}}

Verify the output k8s manifests:

    $ helm install -f values.yaml . --dry-run --debug

I would add the following stanza in the values.yaml file:

    rbac:
      # If true, create & use RBAC resources
      #
      create: true
      rules:
        cluster:
        - apiGroups:
          - ""
          resources:
          - configmaps
          verbs:
          - get
          - list
          - watch
          - patch
          - update
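
One way to confirm that the role created from these values really grants the five configmap verbs, and nothing broader, is to check the role as the cluster reports it. This is an added example, not part of the answers above or of the OPA chart; it assumes the role was exported with `kubectl get clusterrole <name> -o json`, and the role name and sample rules are constructed.

```python
import json

# Verbs the values.yaml comment says are needed on configmaps.
NEEDED = {"get", "list", "watch", "patch", "update"}

# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "opa-mgmt-example"},
  "rules": [
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["patch"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}
  ]
}
""")


def granted_verbs(role, resource, api_group=""):
    """Union of verbs granted on `resource` in `api_group` across all rules."""
    verbs = set()
    for rule in role.get("rules", []):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])  # absent on nonResourceURLs rules
        if (api_group in groups or "*" in groups) and \
           (resource in resources or "*" in resources):
            verbs.update(rule.get("verbs", []))
    return verbs


def missing_verbs(role, resource="configmaps", needed=NEEDED):
    """Verbs from `needed` that no rule grants on `resource`."""
    verbs = granted_verbs(role, resource)
    return set() if "*" in verbs else set(needed) - verbs


def wildcard_rules(role):
    """Rules using '*' anywhere: broader than configmap access requires."""
    return [r for r in role.get("rules", [])
            if "*" in (r.get("apiGroups", []) + r.get("resources", [])
                       + r.get("verbs", []))]


if __name__ == "__main__":
    print("missing on configmaps:", sorted(missing_verbs(SAMPLE_ROLE)))
    print("wildcard rules:", wildcard_rules(SAMPLE_ROLE))
```

On the constructed sample this reports `update` as missing and flags the third rule as a wildcard grant.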