diff --git a/packages/apps/tenant/templates/tenant.yaml b/packages/apps/tenant/templates/tenant.yaml
index 646969e4..748126e9 100644
--- a/packages/apps/tenant/templates/tenant.yaml
+++ b/packages/apps/tenant/templates/tenant.yaml
@@ -43,9 +43,6 @@ subjects:
 - kind: ServiceAccount
 name: tenant-root
 namespace: tenant-root
-- kind: Group
- name: tenant-root-super-admin
- apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- if hasPrefix "tenant-" .Release.Namespace }}
 {{- $parts := splitList "-" .Release.Namespace }}
@@ -54,18 +51,12 @@ subjects:
 - kind: ServiceAccount
 name: {{ join "-" (slice $parts 0 (add $i 1)) }}
 namespace: {{ join "-" (slice $parts 0 (add $i 1)) }}
-- kind: Group
- name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
- apiGroup: rbac.authorization.k8s.io
 {{- end }}
 {{- end }}
 {{- end }}
 - kind: ServiceAccount
 name: {{ include "tenant.name" . }}
 namespace: {{ include "tenant.name" . }}
-- kind: Group
- name: {{ include "tenant.name" . }}-super-admin
- apiGroup: rbac.authorization.k8s.io
 roleRef:
 kind: Role
 name: {{ include "tenant.name" . }}
@@ -84,23 +75,6 @@ rules:
 resources: ["helmcharts"]
 verbs: ["*"]
 ---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: {{ include "tenant.name" . }}
- namespace: cozy-public
-subjects:
-- kind: ServiceAccount
- name: {{ include "tenant.name" . }}
- namespace: {{ include "tenant.name" . }}
-- kind: Group
- name: {{ include "tenant.name" . }}-super-admin
- apiGroup: rbac.authorization.k8s.io
-roleRef:
- kind: Role
- name: {{ include "tenant.name" . }}
- apiGroup: rbac.authorization.k8s.io
----
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
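Review bot: Dropping the `tenant-root-super-admin` Group from this RoleBinding is not compensated by the new `-super-admin` RoleBinding added later in the patch, which only binds groups derived from the release namespace (`tenant-<parts>-super-admin` for each prefix of the namespace), so root super-admins appear to lose access to non-root tenant namespaces through this chart unless a cluster-scoped binding grants it elsewhere. The removed lines sit inside an `{{- if … }}` block whose opening is outside the hunk, so the condition under which root was bound cannot be checked here. If the drop is intentional, a template comment at the removal point stating where root super-admins now obtain their access would save the next reader the same search.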
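Review bot: Removing the cozy-public RoleBinding leaves the document ending in this hunk's leading context (`resources: ["helmcharts"]` / `verbs: ["*"]`, presumably the Role `{{ include "tenant.name" . }}` in cozy-public that the binding referenced) with no visible subject, and the ServiceAccount `{{ include "tenant.name" . }}` that was bound there has no counterpart in the new cozy-public binding, which lists only the Group. If the tenant ServiceAccount still needs to read HelmRepositories and HelmCharts in cozy-public, it has lost that access; if not, the now-unbound Role is dead configuration and should be removed, since the new `-super-admin` Role in cozy-public repeats its rules. Either way the intent belongs in the commit description.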
@@ -361,3 +335,101 @@ roleRef:
 kind: Role
 name: {{ include "tenant.name" . }}-admin
 apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "tenant.name" . }}-super-admin
+ namespace: {{ include "tenant.name" . }}
+rules:
+ - apiGroups: [rbac.authorization.k8s.io]
+ resources:
+ - roles
+ verbs:
+ - get
+ - apiGroups: [""]
+ resources:
+ - "*"
+ verbs:
+ - get
+ - list
+ - watch
+ - delete
+ - apiGroups: ["helm.toolkit.fluxcd.io"]
+ resources:
+ - helmreleases
+ verbs:
+ - '*'
+ - apiGroups: ["kubevirt.io"]
+ resources:
+ - virtualmachines
+ verbs:
+ - '*'
+ - apiGroups: ["subresources.kubevirt.io"]
+ resources:
+ - virtualmachineinstances/console
+ - virtualmachineinstances/vnc
+ verbs:
+ - get
+ - list
+ - apiGroups: ["apps.cozystack.io"]
+ resources:
+ - '*'
+ verbs:
+ - '*'
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "tenant.name" . }}-super-admin
+ namespace: cozy-public
+rules:
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources: ["helmrepositories"]
+ verbs:
+ - get
+ - list
+ - apiGroups: ["source.toolkit.fluxcd.io"]
+ resources:
+ - helmcharts
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "tenant.name" . }}-super-admin
+ namespace: cozy-public
+subjects:
+- kind: Group
+ name: {{ include "tenant.name" . }}-super-admin
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: {{ include "tenant.name" . }}-super-admin
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "tenant.name" . }}-super-admin
+ namespace: {{ include "tenant.name" . }}
+subjects:
+{{- if hasPrefix "tenant-" .Release.Namespace }}
+{{- $parts := splitList "-" .Release.Namespace }}
+{{- range $i, $v := $parts }}
+{{- if ne $i 0 }}
+- kind: Group
+ name: {{ join "-" (slice $parts 0 (add $i 1)) }}-super-admin
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+- kind: Group
+ name: {{ include "tenant.name" . }}-super-admin
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: {{ include "tenant.name" . }}-super-admin
+ apiGroup: rbac.authorization.k8s.io
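Review bot: The tenant-namespace `-super-admin` Role's rule `apiGroups: [""]` with `resources: ["*"]` grants `get`/`list`/`watch` on every core resource in the namespace, Secrets and ServiceAccounts included, plus `delete` on all of them; because the same patch removes the super-admin groups from the main tenant RoleBinding, this wildcard is now the sole definition of their core-API access and deserves either an explicit resource list or a comment such as `# super-admins may read and delete any core resource in the tenant namespace, Secrets included` so the breadth is visibly intentional. The Role also grants `get` on `roles` but nothing on `rolebindings`, which may be deliberate but is asymmetric. Stylistically the new documents mix `[rbac.authorization.k8s.io]` with quoted group lists, `"*"` with `'*'`, indented `rules` items with flush `subjects` items, and leave two blank lines before a `---`; pick one form for the file. The added documents are complete within the hunk.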