feat: add clusterAdmin and rbac.extra

flanksource · Jan 7, 2025 · c04a697 · c04a697
1 parent 20138b4
commit c04a697
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
@@ -112,6 +112,24 @@ rules:
     - get
     - watch
 {{- end}}
+{{- if .Values.serviceAccount.rbac.extra }}
+{{ .Values.serviceAccount.rbac.extra | toYaml | nindent 2 }}
+{{- end}}
+{{- if .Values.serviceAccount.rbac.clusterAdmin }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind:  ClusterRoleBinding
+metadata:
+  name: {{ include "incident-commander.name" . }}-crb-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: admin
+subjects:
+  - kind: ServiceAccount
+    name: {{.Values.serviceAccount.name}}
+    namespace: {{ .Release.Namespace }}
+{{- end}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}RoleBinding

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -45,16 +45,25 @@ serviceAccount:
     impersonate: false
     # Whether to create cluster-wide or namespaced roles
     clusterRole: true
+    clusterAdmin: false
     # for secret management with valueFrom
     tokenRequest: true
     secrets: true
     configmaps: true
     # for use with kubernetes resource lookups
     readAll: true
-    # Playbook pod actions
+    # Required for pod playbook actions
     podRun: true
-    # exec
+    # Allows mission control to exec into pods
     exec: true
+    # @schema
+    # required: false
+    # default: []
+    # type: array
+    # items:
+    #   type: object
+    # @schema
+    extra: []
 extraArgs: {}
 externalPostgrest:
   enable: true