forked from vmware-archive/kubeless
-
Notifications
You must be signed in to change notification settings - Fork 0
/
kubeless.jsonnet
89 lines (82 loc) · 2.64 KB
/
kubeless.jsonnet
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# Add RBAC role and binding on top of kubeless.jsonnet, to allow
# kubeless controller to deploy/update/etc functions on any namespace
local k = import "ksonnet.beta.1/k.libsonnet";
local objectMeta = k.core.v1.objectMeta;
local kubeless = import "kubeless-non-rbac.jsonnet";
local controller_account = kubeless.controller_account;
local controller_roles = [
{
apiGroups: [""],
resources: ["services", "configmaps"],
verbs: ["create", "get", "delete", "list", "update", "patch"],
},
{
apiGroups: ["apps", "extensions"],
resources: ["deployments"],
verbs: ["create", "get", "delete", "list", "update", "patch"],
},
{
apiGroups: [""],
resources: ["pods"],
verbs: ["list", "delete"],
},
{
apiGroups: [""],
resources: ["secrets"],
resourceNames: ["kubeless-registry-credentials"],
verbs: ["get"],
},
{
apiGroups: ["kubeless.io"],
resources: ["functions", "httptriggers", "cronjobtriggers"],
verbs: ["get", "list", "watch", "update", "delete"],
},
{
apiGroups: ["batch"],
resources: ["cronjobs", "jobs"],
verbs: ["create", "get", "delete", "deletecollection", "list", "update", "patch"],
},
{
apiGroups: ["autoscaling"],
resources: ["horizontalpodautoscalers"],
verbs: ["create", "get", "delete", "list", "update", "patch"],
},
{
apiGroups: ["apiextensions.k8s.io"],
resources: ["customresourcedefinitions"],
verbs: ["get", "list"],
},
{
apiGroups: ["monitoring.coreos.com"],
resources: ["alertmanagers", "prometheuses", "servicemonitors"],
verbs: ["*"],
},
{
apiGroups: ["extensions"],
resources: ["ingresses"],
verbs: ["create", "get", "list", "update", "delete"],
},
];
local controllerAccount = kubeless.controllerAccount;
local clusterRole(name, rules) = {
apiVersion: "rbac.authorization.k8s.io/v1beta1",
kind: "ClusterRole",
metadata: objectMeta.name(name),
rules: rules,
};
local clusterRoleBinding(name, role, subjects) = {
apiVersion: "rbac.authorization.k8s.io/v1beta1",
kind: "ClusterRoleBinding",
metadata: objectMeta.name(name),
subjects: [{kind: s.kind, namespace: s.metadata.namespace, name: s.metadata.name} for s in subjects],
roleRef: {kind: role.kind, apiGroup: "rbac.authorization.k8s.io", name: role.metadata.name},
};
local controllerClusterRole = clusterRole(
"kubeless-controller-deployer", controller_roles);
local controllerClusterRoleBinding = clusterRoleBinding(
"kubeless-controller-deployer", controllerClusterRole, [controllerAccount]
);
kubeless + {
controllerClusterRole: controllerClusterRole,
controllerClusterRoleBinding: controllerClusterRoleBinding,
}