Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding RBAC for Betydb Helm components #4

Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Adding RBAC for Betydb Helm components #4

wants to merge 7 commits into from

Conversation

Sagar2366
Copy link

@Sagar2366 Sagar2366 commented Jul 26, 2022
edited
Loading

RBAC for BETYDB HELM

@Sagar2366 Sagar2366 changed the title Adding Sagar Utekar to contributor list Adding RBAC for Betydb Helm components Jul 26, 2022
robkooper
robkooper requested changes Jul 26, 2022
View reviewed changes
templates/role.yaml
{{- include "betydb.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources: ["pods", "endpoints", "Services", "configmaps"]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be

Suggested change
resources: ["pods", "endpoints", "Services", "configmaps"]
resources: ["pods", "endpoints", "services", "configmaps"]

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Removed extra permissions from bety hook role

templates/hooks/serviceAccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "betydb.fullname" . }}-hooks
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need a separate account for the hooks? Not sure we need all the permissions listed below for the hooks.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using separate service account as permissions required for bety and bety hooks are different.
Will remove endpoint, service access from bety hook role.

templates/role.yaml
rules:
- apiGroups: [""]
resources: ["pods", "endpoints", "Services", "configmaps"]
verbs:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we need any permissions? I don't think right now BETY needs permissions to any of these endpoints services.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Endpoint access added for BETY role as we're accessing them in ingress config and readiness probe.

templates/serviceAccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "betydb.fullname" . }}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this service account be used in the deployment file (and maybe others).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robkooper robkooper robkooper requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Sagar2366 @robkooper