helm-elasticsearch icon indicating copy to clipboard operation
helm-elasticsearch copied to clipboard

Published 20 hours ago verified publisher icon clockworksoul

Add RBAC

Open clockworksoul opened this issue 6 years ago • 4 comments

Pointed out over at https://github.com/pires/kubernetes-elasticsearch-cluster/issues/140.

Per that issue:

RBAC is now default and will be much more prominent in kube 1.8. Can you provide the RBAC yaml for this elastic search cluster?

This should include a version conditional however, so that the installation doesn't fail if RBAC is not enabled.

clockworksoul avatar Nov 18 '17 20:11 clockworksoul

I would probably provide an opt-in for those who are still on k8s <1.8 and use RBAC.

sagikazarmark avatar Nov 19 '17 08:11 sagikazarmark

My working version includes the following values:

# If RBAC is enabled, a ClusterRole and ClusterRoleBinding will be created.
rbac:
  enabled: false

  # RBAC API version (currently v1, v1beta1, v1alpha1)
  apiVersion: "v1beta1"

Is this the kind of thing you have in mind?

clockworksoul avatar Nov 19 '17 15:11 clockworksoul

@clockworksoul I would recommend using a method similar to the one used here: https://github.com/clockworksoul/helm-elasticsearch/blob/master/templates/_helpers.tpl#L21 to detect the version to use, rather than having the user themselves specify the intended API version. :) Or even better, you could use the example here: https://docs.helm.sh/chart_template_guide/#built-in-objects and do something like:

{{ if Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
$rbacApiVersion := "rbac.authorization.k8s.io/v1"
[...]

etc. I have however never tried this myself, but it seems like a very canonical way of doing it.

mikn avatar Nov 19 '17 16:11 mikn

@mikn Thanks! I'll do exactly that!

clockworksoul avatar Nov 19 '17 17:11 clockworksoul