From 7306f8b543273b9ce660444e2387e5d782a73ecb Mon Sep 17 00:00:00 2001
From: Sergio Arroutbi
Date: Wed, 20 Mar 2024 15:29:09 +0100
Subject: [PATCH] Create appropriate role/rolebinding for tenant in OpenShift (#74)

When running in OpenShift, tenant cointainer is dumping errors when being started. This fix sets appropriate role and rolebinding to use anyuid service account only for OpenShift deployment

Resolves: #73
Signed-off-by: Sergio Arroutbi
---
 .../charts/keylime-tenant/templates/_helpers.tpl | 14 ++++++++++++++
 .../charts/keylime-tenant/templates/role.yaml | 15 +++++++++++++++
 .../keylime-tenant/templates/rolebinding.yaml | 14 ++++++++++++++
 .../keylime/charts/keylime-tenant/values.yaml | 5 +++++
 4 files changed, 48 insertions(+)
 create mode 100644 build/helm/keylime/charts/keylime-tenant/templates/role.yaml
 create mode 100644 build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml
diff --git a/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
index 89f7511..e78816b 100644
--- a/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
+++ b/build/helm/keylime/charts/keylime-tenant/templates/_helpers.tpl
@@ -126,3 +126,17 @@ Define a custom image pullpolicy.
 {{- toYaml .Values.image.pullPolicy }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name of the role to use
+*/}}
+{{- define "tenant.roleName" -}}
+{{- default (include "tenant.fullname" .) .Values.role.name }}
+{{- end }}
+
+{{/*
+Create the name of the role binding to use
+*/}}
+{{- define "tenant.roleBindingName" -}}
+{{- default (include "tenant.fullname" .) .Values.roleBinding.name }}
+{{- end }}
\ No newline at end of file
diff --git a/build/helm/keylime/charts/keylime-tenant/templates/role.yaml b/build/helm/keylime/charts/keylime-tenant/templates/role.yaml
new file mode 100644
index 0000000..618ddaa
--- /dev/null
+++ b/build/helm/keylime/charts/keylime-tenant/templates/role.yaml
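Review bot: The new `tenant.roleBindingName` helper ends the file without a trailing newline (the `\ No newline at end of file` marker follows its closing `{{- end }}`); add a final newline so the next helper appended to this file does not show up as a spurious change on that `{{- end }}` line. Both helpers follow the usual `default (include "tenant.fullname" .) .Values.x.name` fallback, but the block comments do not say so; I would extend them to `Create the name of the role to use; falls back to the chart fullname when .Values.role.name is empty` and the matching wording for the role binding.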
@@ -0,0 +1,15 @@
+{{ if .Values.global.openshift }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tenant.roleName" . }}
+rules:
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+ - anyuid
+ verbs:
+ - use
+{{ end }}
diff --git a/build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml b/build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml
new file mode 100644
index 0000000..1396c26
--- /dev/null
+++ b/build/helm/keylime/charts/keylime-tenant/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.global.openshift }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tenant.roleBindingName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "tenant.roleName" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "tenant.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/build/helm/keylime/charts/keylime-tenant/values.yaml b/build/helm/keylime/charts/keylime-tenant/values.yaml
index 36180df..6253c94 100644
--- a/build/helm/keylime/charts/keylime-tenant/values.yaml
+++ b/build/helm/keylime/charts/keylime-tenant/values.yaml
@@ -50,3 +50,8 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
+
+role:
+ name: ""
+roleBinding:
+ name: ""
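Review bot: The `rules` entry grants `use` on the `anyuid` SecurityContextConstraint, which allows any pod running under the bound service account to run as an arbitrary UID including root, and nothing in the template records why that width of grant is needed; the commit message only says the container "is dumping errors". Add a comment above `rules:` naming the concrete startup failure and the UID requirement of the image, e.g. `# The tenant image needs <UID requirement - fill in>; anyuid is the SCC that satisfies it. Narrow this (e.g. to nonroot) if the image is made UID-agnostic.`, so the next maintainer can tell whether a narrower SCC would do. `metadata` carries no labels; if the chart's other templates use a shared labels helper (not visible in this diff), this Role and the RoleBinding in the next hunk should include it for consistency. The sequence style also differs between the two new files (`- apiGroups:` flush with `rules:` here, `- kind:` indented under `subjects:` in rolebinding.yaml); pick one for the chart.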
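Review bot: The `subjects` entry binds the `anyuid` grant to whatever `tenant.serviceAccountName` resolves to, and that helper is outside this diff; if it follows the common Helm pattern of falling back to `default` when service-account creation is disabled, every pod in the release namespace that uses the `default` service account would inherit `anyuid`. Either render the binding only when a dedicated service account is in use, or document the assumption next to `subjects:` with `# Binds the anyuid grant to the tenant service account only; do not point serviceAccount.name at the namespace default SA.` The `roleRef.name` correctly reuses `tenant.roleName`, so the two templates cannot drift apart on the role name.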
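Review bot: The new `role.name` and `roleBinding.name` keys are added without any comment, and `global.openshift`, which gates both new templates, is neither declared nor mentioned in this values file, so a reader of the subchart cannot tell that the Role and RoleBinding exist only when the parent sets that flag. Add comments above the new keys such as `# Name of the Role granting use of the anyuid SCC; empty means the chart fullname. Rendered only when global.openshift is true.` and the equivalent for `roleBinding.name`, and consider documenting `global.openshift` here as well even though it is supplied by the parent chart.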