################################################################################ # Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ################################################################################ {{/* RBAC rules used to create the operator (cluster)role based on the scope */}} {{- define "flink-operator.rbacRules" }} rules: - apiGroups: - "" resources: - pods - services - events - configmaps - secrets verbs: - "*" {{- if .Values.rbac.nodesRule.create }} - apiGroups: - "" resources: - nodes verbs: - list {{- end }} - apiGroups: - apps resources: - deployments - deployments/scale - deployments/finalizers - replicasets verbs: - "*" - apiGroups: - extensions resources: - deployments - ingresses verbs: - "*" - apiGroups: - flink.apache.org resources: - flinkdeployments - flinkdeployments/status - flinkdeployments/finalizers - flinksessionjobs - flinksessionjobs/status - flinksessionjobs/finalizers verbs: - "*" - apiGroups: - networking.k8s.io resources: - ingresses verbs: - "*" - apiGroups: - coordination.k8s.io resources: - leases verbs: - "*" {{- end }} {{/* RBAC rules used to create the job (cluster)role based on the scope */}} {{- define "flink-operator.jobRbacRules" }} rules: - apiGroups: - "" resources: - pods - configmaps verbs: - '*' - apiGroups: - apps resources: - deployments - deployments/finalizers verbs: - '*' {{- end }} --- {{- if .Values.rbac.create }} --- {{/* Namespaced scoped RBAC. */}} {{- if .Values.watchNamespaces }} {{- range .Values.watchNamespaces }} {{- if $.Values.rbac.operatorRole.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "flink-operator.roleName" $ }} namespace: {{ . }} labels: {{- include "flink-operator.labels" $ | nindent 4 }} {{- template "flink-operator.rbacRules" $ }} {{- end }} --- {{- if $.Values.rbac.jobRole.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "flink-operator.jobRoleName" $ }} namespace: {{ . }} labels: {{- include "flink-operator.labels" $ | nindent 4 }} annotations: "helm.sh/resource-policy": keep {{- template "flink-operator.jobRbacRules" $ }} {{- end }} --- {{- if $.Values.rbac.operatorRoleBinding.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "flink-operator.roleBindingName" $ }} namespace: {{ . }} labels: {{- include "flink-operator.labels" $ | nindent 4 }} roleRef: kind: {{ $role := include "flink-operator.roleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} name: {{ include "flink-operator.roleName" $ }} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: {{ include "flink-operator.serviceAccountName" $ }} namespace: {{ $.Release.Namespace }} {{- end }} --- {{- if $.Values.rbac.jobRoleBinding.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "flink-operator.jobRoleBindingName" $ }} namespace: {{ . }} labels: {{- include "flink-operator.labels" $ | nindent 4 }} annotations: "helm.sh/resource-policy": keep roleRef: kind: {{ $role := include "flink-operator.jobRoleName" $ }}{{ include "flink-operator.roleScope" (dict "role" $role)}} name: {{ include "flink-operator.jobRoleName" $ }} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: {{ include "flink-operator.jobServiceAccountName" $ }} namespace: {{ . }} {{- end }} --- {{- end }} {{/* Give operator the ability to operate on leases in the release namespace */}} {{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "flink-operator.roleName" $ }} namespace: {{ .Release.Namespace }} labels: {{- include "flink-operator.labels" . | nindent 4 }} rules: - apiGroups: - coordination.k8s.io resources: - leases verbs: - "*" {{- end }} --- {{- if and .Values.rbac.operatorRole.create (not (has .Release.Namespace .Values.watchNamespaces)) }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "flink-operator.roleBindingName" $ }} namespace: {{ .Release.Namespace }} labels: {{- include "flink-operator.labels" $ | nindent 4 }} roleRef: kind: Role name: {{ include "flink-operator.roleName" $ }} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: {{ include "flink-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} {{ else }} {{/* Cluster scoped RBAC. */}} --- {{- if .Values.rbac.operatorRole.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{ include "flink-operator.roleName" $ }} namespace: {{ .Release.Namespace }} labels: {{- include "flink-operator.labels" . | nindent 4 }} {{- template "flink-operator.rbacRules" $ }} {{- end }} --- {{- if .Values.rbac.jobRole.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: {{ include "flink-operator.jobRoleName" $ }} namespace: {{ .Release.Namespace }} labels: {{- include "flink-operator.labels" . | nindent 4 }} annotations: "helm.sh/resource-policy": keep {{- template "flink-operator.jobRbacRules" $ }} {{- end }} --- {{- if .Values.rbac.operatorRoleBinding.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{ include "flink-operator.roleBindingName" $ }} namespace: {{ .Release.Namespace }} labels: {{- include "flink-operator.labels" . | nindent 4 }} roleRef: kind: ClusterRole name: {{ include "flink-operator.roleName" $ }} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: {{ include "flink-operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} --- {{- if .Values.rbac.jobRoleBinding.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {{ include "flink-operator.jobRoleBindingName" $ }} namespace: {{ .Release.Namespace }} labels: {{- include "flink-operator.labels" . | nindent 4 }} annotations: "helm.sh/resource-policy": keep roleRef: kind: Role name: {{ include "flink-operator.jobRoleName" $ }} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: {{ include "flink-operator.jobServiceAccountName" . }} namespace: {{ .Release.Namespace }} {{- end }} {{- end }} {{- end }}