diff --git a/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl b/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl
index 944f53d..bed65aa 100644
--- a/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl
+++ b/build/helm/keylime/charts/keylime-agent/templates/_helpers.tpl
@@ -69,6 +69,20 @@ Create the name of the service account to use
 {{- end }}
 {{- end }}
 
+{{/*
+Create the name of the role to use
+*/}}
+{{- define "agent.roleName" -}}
+{{- default (include "agent.fullname" .) .Values.role.name }}
+{{- end }}
+
+{{/*
+Create the name of the role binding to use
+*/}}
+{{- define "agent.roleBindingName" -}}
+{{- default (include "agent.fullname" .) .Values.roleBinding.name }}
+{{- end }}
+
 {{/*
 Expand to the name of the config map to be used
 */}}
diff --git a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
index ef3bccf..a9067a6 100644
--- a/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
+++ b/build/helm/keylime/charts/keylime-agent/templates/daemonset.yaml
@@ -8,6 +8,9 @@ spec:
 selector:
 matchLabels:
 {{- include "agent.selectorLabels" . | nindent 6 }}
+ {{- if .Values.serviceAccount.create }}
+ serviceAccountName: {{ include "agent.serviceAccountName" . }}
+ {{- end }}
 template:
 metadata:
 {{- with .Values.podAnnotations }}
@@ -21,7 +24,9 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- if .Values.serviceAccount.create }}
 serviceAccountName: {{ include "agent.serviceAccountName" . }}
+ {{- end }}
 initContainers:
 - name: {{ .Chart.Name }}-init
 env:
@@ -167,6 +172,7 @@ spec:
 selector:
 matchLabels:
 {{- include "agentplugin.selectorLabels" . | nindent 6 }}
+ serviceAccountName: {{ include "agent.serviceAccountName" . }}
 template:
 metadata:
 {{- with .Values.podAnnotations }}
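Review bot: In the first and third hunks of daemonset.yaml the added `serviceAccountName` line sits between `selector` and `template`, i.e. at DaemonSetSpec level rather than under `spec.template.spec`, which is the only place the field exists; the indentation is not recoverable from this collapsed diff, but it either lands in DaemonSetSpec (unknown field, pruned or rejected depending on the server's field validation) or inside `matchLabels`, where it would become a selector label the pod template does not carry. The second hunk already places the guarded line correctly in the pod spec, so the first-hunk addition should be dropped and the agentplugin DaemonSet in the third hunk should instead get `{{- if .Values.serviceAccount.create }}` / `serviceAccountName: {{ include "agent.serviceAccountName" . }}` / `{{- end }}` inside its own pod template spec. Note also that wrapping the pod-spec line in `{{- if .Values.serviceAccount.create }}` means a user-supplied `.Values.serviceAccount.name` with `create: false` is no longer applied to the pods, if `agent.serviceAccountName` still returns that name in that case — worth confirming against the helper, which is outside this diff. Both DaemonSet definitions extend beyond the hunks shown.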
diff --git a/build/helm/keylime/charts/keylime-agent/templates/role.yaml b/build/helm/keylime/charts/keylime-agent/templates/role.yaml
new file mode 100644
index 0000000..f379f4b
--- /dev/null
+++ b/build/helm/keylime/charts/keylime-agent/templates/role.yaml
@@ -0,0 +1,19 @@
+{{ if .Values.global.openshift }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "agent.roleName" . }}
+rules:
+- apiGroups:
+ - security.openshift.io
+ resources:
+ - securitycontextconstraints
+ resourceNames:
+{{ if .Values.global.service.agent.privileged }}
+ - privileged
+{{ else }}
+ - hostmount-anyuid
+{{ end }}
+ verbs:
+ - use
+{{ end }}
diff --git a/build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml b/build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml
new file mode 100644
index 0000000..61103ee
--- /dev/null
+++ b/build/helm/keylime/charts/keylime-agent/templates/rolebinding.yaml
@@ -0,0 +1,14 @@
+{{ if .Values.global.openshift }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "agent.roleBindingName" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "agent.roleName" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "agent.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{ end }}
diff --git a/build/helm/keylime/charts/keylime-agent/values.yaml b/build/helm/keylime/charts/keylime-agent/values.yaml
index 78bb9d6..a037f21 100644
--- a/build/helm/keylime/charts/keylime-agent/values.yaml
+++ b/build/helm/keylime/charts/keylime-agent/values.yaml
@@ -29,6 +29,11 @@ serviceAccount:
 # If not set and create is true, a name is generated using the fullname template
 name: ""
 
+role:
+ name: ""
+roleBinding:
+ name: ""
+
 podAnnotations: {}
 
 # command (and args) for regular operation
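Review bot: The Role in role.yaml and the RoleBinding in rolebinding.yaml are gated only on `.Values.global.openshift`, while daemonset.yaml now sets `serviceAccountName` only when `.Values.serviceAccount.create` is true; with `create: false` the binding still grants `use` on the `privileged` (or `hostmount-anyuid`) SecurityContextConstraint to whatever `agent.serviceAccountName` resolves to, and if that helper falls back to `default` as the usual chart scaffold does, every pod in the release namespace running under the default service account inherits the SCC. Gate both templates on the same condition, `{{ if and .Values.global.openshift .Values.serviceAccount.create }}`, or document in values.yaml that a pre-existing account named in `.Values.serviceAccount.name` is expected to receive the grant. A comment above `rules:` stating why the `privileged` SCC is required for the agent (presumably TPM device and hostPath access) would help anyone auditing the resulting RBAC. Minor: role.yaml uses a flush sequence under `rules:` whereas rolebinding.yaml indents `subjects:`; pick one style across the chart.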
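Review bot: The new `role:` and `roleBinding:` stanzas in values.yaml carry no comment, unlike the `serviceAccount:` block directly above them whose `name` key is explained. Add a comment above each, e.g. `# OpenShift only: name of the Role granting SCC use; if not set, a name is generated using the fullname template` and the equivalent for the RoleBinding, so it is clear these keys are ignored unless `global.openshift` is true and that an empty value means a generated name rather than no resource.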