
# Role-Based Access Control

This part of the Best Practices Guide discusses the creation and formatting of RBAC resources in chart manifests.

RBAC resources are:

- ServiceAccount (namespaced)
- Role (namespaced)
- ClusterRole
- RoleBinding (namespaced)
- ClusterRoleBinding

## YAML Configuration

RBAC and ServiceAccount configuration should happen under separate keys. They are separate things. Splitting these two concepts out in the YAML disambiguates them and makes this clearer.

```yaml
rbac:
  # Specifies whether RBAC resources should be created
  create: true

serviceAccount:
  # Specifies whether a ServiceAccount should be created
  create: true
  # The name of the ServiceAccount to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
```

This structure can be extended for more complex charts that require multiple ServiceAccounts.

```yaml
serviceAccounts:
  client:
    create: true
    name:
  server:
    create: true
    name:
```

## RBAC Resources Should be Created by Default

`rbac.create` should be a boolean value controlling whether RBAC resources are created. The default should be `true`. Users who wish to manage RBAC access controls themselves can set this value to `false` (in which case see below).

## Using RBAC Resources

`serviceAccount.name` should be set to the name of the ServiceAccount to be used by access-controlled resources created by the chart. If `serviceAccount.create` is true, then a ServiceAccount with this name should be created. If the name is not set, then a name is generated using the `fullname` template. If `serviceAccount.create` is false, then the ServiceAccount should not be created, but it should still be associated with the same resources so that manually-created RBAC resources that later reference it will function correctly. If `serviceAccount.create` is false and the name is not specified, then the default ServiceAccount is used.

The following helper template should be used for the ServiceAccount.

```yaml
{{/*
Create the name of the service account to use
*/}}
{{- define "mychart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create -}}
    {{ default (include "mychart.fullname" .) .Values.serviceAccount.name }}
{{- else -}}
    {{ default "default" .Values.serviceAccount.name }}
{{- end -}}
{{- end -}}
```
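The following shows how the `rbac.create` and `serviceAccount.create` toggles and the helper above fit together in a chart's templates. It is an added example, not part of this guide or of any chart; the file name `templates/rbac.yaml`, the `mychart.fullname` helper and the Role rules (a constructed read-only grant on ConfigMaps) are assumptions for illustration.

```yaml
# templates/rbac.yaml (constructed example; not part of the guide)
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  # Resolves to serviceAccount.name, or to the fullname template when unset.
  name: {{ include "mychart.serviceAccountName" . }}
{{- end }}
{{- if .Values.rbac.create }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "mychart.fullname" . }}
rules:
  # Least privilege: grant only the verbs the workload needs (assumed rules).
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "mychart.fullname" . }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "mychart.fullname" . }}
subjects:
  # Bind to the same name the workload uses, whether the chart created the
  # ServiceAccount or the operator supplied one with serviceAccount.create=false.
  - kind: ServiceAccount
    name: {{ include "mychart.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
```

The workload's pod spec should reference the same helper (`serviceAccountName: {{ include "mychart.serviceAccountName" . }}`) so that with `serviceAccount.create: false` and no name set the pod runs as the namespace's `default` ServiceAccount, and with `rbac.create: false` any Role and RoleBinding the operator creates by hand only need to target that name.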