Merge pull request sorenmat#45 from jobteaser/add-rbac-deployment

Add deployment with RBAC procedures
cloud104 · Feb 5, 2019 · dab8d5f · dab8d5f
2 parents 208a36e + d3e0b61
commit dab8d5f
Show file tree

Hide file tree

Showing 6 changed files with 116 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -21,6 +21,17 @@ The codes will search for the first node, and take the subnets from that node. A
 
 You can start the the controller by applying `kubectl apply -f deploy/deployment.yaml`
 
+### RBAC deployment
+
+To create ClusterRole and bindings, apply the following instead:
+
+```shell
+kubectl apply -f deploy/operator-cluster-role.yaml
+kubectl apply -f deploy/operator-service-account.yaml
+kubectl apply -f deploy/operator-cluster-role-binding.yaml
+kubectl apply -f deploy/deployment-rbac.yaml
+```
+
 ## Deploying
 
 When the controller is running in the cluster you can deploy/create a new database by running `kubectl apply` on the following

diff --git a/deploy/deployment-rbac.yaml b/deploy/deployment-rbac.yaml
@@ -0,0 +1,37 @@
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+  name: k8s-rds
+  namespace: default
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: k8s-rds
+  template:
+    metadata:
+      labels:
+        name: k8s-rds
+    spec:
+      containers:
+      - image: sorenmat/k8s-rds:latest
+        env:
+        - name: AWS_REGION
+          value: us-east-1
+        - name: AWS_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              key: AWS_ACCESS_KEY_ID
+              name: k8s-rds
+        - name: AWS_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              key: AWS_SECRET_ACCESS_KEY
+              name: k8s-rds
+        imagePullPolicy: Always
+        name: k8s-rds
+      restartPolicy: Always
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+      serviceAccountName: k8s-rds-operator
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
@@ -2,7 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: k8s-rds
-  namespace: default  
+  namespace: default
 spec:
   replicas: 1
   selector:
@@ -18,4 +18,6 @@ spec:
         imagePullPolicy: Always
         name: k8s-rds
       restartPolicy: Always
-
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
diff --git a/deploy/operator-cluster-role-binding.yaml b/deploy/operator-cluster-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: k8s-rds-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: k8s-rds-operator
+subjects:
+- kind: ServiceAccount
+  name: k8s-rds-operator
+  namespace: default
diff --git a/deploy/operator-cluster-role.yaml b/deploy/operator-cluster-role.yaml
@@ -0,0 +1,47 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: k8s-rds-operator
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - '*'
+- apiGroups:
+  - k8s.io
+  resources:
+  - databases
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/deploy/operator-service-account.yaml b/deploy/operator-service-account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8s-rds-operator
+  namespace: default