fix

2023-10-15 10:52:10 +02:00
parent e9ea7ee094
commit 5043ee0cda
2 changed files with 67 additions and 31 deletions
--- a/apps/okd/rbac.tf
+++ b/apps/okd/rbac.tf
@@ -12,7 +12,7 @@ resource "kubectl_manifest" "okd_sa" {
  EOF
 }

-resource "kubectl_manifest" "okd_crb" {
+resource "kubectl_manifest" "okd_crb_admin" {
  count = var.cluster-admin ? 1 : 0
  yaml_body  = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
@@ -66,3 +66,39 @@ resource "kubectl_manifest" "okd_role_bindings" {
      apiGroup: rbac.authorization.k8s.io
  EOF
 }
+
+resource "kubectl_manifest" "okd_clusterrole" {
+  count = length(local.sorted-namespaces)>0 ? 1 : 0
+  yaml_body  = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRole
+    metadata:
+      name: "${var.namespace}-${var.component}-${var.instance}-list"
+      labels: ${jsonencode(local.common-labels)}
+    rules:
+    - apiGroups: [""]
+      resources: ["namespaces"]
+      resourceNames: ${jsonencode(local.sorted-namespaces)}
+      verbs: ["get", "list"]
+  EOF
+}
+
+resource "kubectl_manifest" "okd_clusterrole_bindings" {
+  count = length(local.sorted-namespaces)>0 ? 1 : 0
+  yaml_body  = <<-EOF
+    apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: "${var.namespace}-${var.component}-${var.instance}-list"
+      namespace: "${local.sorted-namespaces[count.index]}"
+      labels: ${jsonencode(local.common-labels)}
+    subjects:
+    - kind: ServiceAccount
+      name: "${var.component}-${var.instance}"
+      namespace: "${var.namespace}"
+    roleRef:
+      kind: ClusterRole
+      name: "${var.namespace}-${var.component}-${var.instance}-list"
+      apiGroup: rbac.authorization.k8s.io
+  EOF
+}