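# Helm template from the istio-security chart. It declares a post-install hook
# Job and the ServiceAccount, ClusterRole and ClusterRoleBinding the Job runs
# under. The Job executes /tmp/security/run.sh against
# /tmp/security/custom-resources.yaml, both mounted from a ConfigMap.
#
# NOTE(review): only the Job carries helm.sh/hook annotations. The three RBAC
# objects below are ordinary release resources, so they stay in the cluster
# after the Job has completed and been deleted.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: istio-security-post-install-account
  namespace: {{ .Release.Namespace }}
  labels:
    app: istio-security
    # "+" (semver build metadata) is not a valid label character; it is
    # replaced here the same way the Job's chart label already does.
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
---
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is not served from
# Kubernetes 1.22 onwards; rbac.authorization.k8s.io/v1 is the replacement.
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  # The role is cluster-scoped; the release namespace is part of the name only.
  name: istio-security-post-install-{{ .Release.Namespace }}
  labels:
    app: istio-security
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
rules:
  # NOTE(review): the next two rules grant every verb on every resource of the
  # API group, cluster-wide. The inline comments describe a create-only need.
  # Narrow resources and verbs to what run.sh actually uses (the script is not
  # visible in this file).
  - apiGroups: ["authentication.istio.io"] # needed to create default authn policy
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["networking.istio.io"] # needed to create security destination rules
    resources: ["*"]
    verbs: ["*"]
  # Read-only access.
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["validatingwebhookconfigurations"]
    verbs: ["get"]
  - apiGroups: ["extensions"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: istio-security-post-install-role-binding-{{ .Release.Namespace }}
  labels:
    app: istio-security
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    heritage: {{ .Release.Service }}
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: istio-security-post-install-{{ .Release.Namespace }}
subjects:
  # Binds the ClusterRole above to the Job's service account only.
  - kind: ServiceAccount
    name: istio-security-post-install-account
    namespace: {{ .Release.Namespace }}
---

apiVersion: batch/v1
kind: Job
metadata:
  name: istio-security-post-install
  namespace: {{ .Release.Namespace }}
  annotations:
    # Runs once after install; the Job object is removed when it succeeds.
    "helm.sh/hook": post-install
    "helm.sh/hook-delete-policy": hook-succeeded
  labels:
    app: istio-security
    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  template:
    metadata:
      name: istio-security-post-install
      labels:
        app: istio-security
        release: {{ .Release.Name }}
    spec:
      serviceAccountName: istio-security-post-install-account
      containers:
        # NOTE(review): no securityContext or resource limits are set on this
        # container; confirm that cluster policy supplies them.
        - name: hyperkube
          image: "{{ .Values.global.hyperkube.hub }}/hyperkube:{{ .Values.global.hyperkube.tag }}"
          # run.sh and custom-resources.yaml come from the ConfigMap mounted
          # below, which is defined outside this file. Its contents execute
          # with the ClusterRole bound above, so write access to that
          # ConfigMap should be restricted accordingly.
          command: [ "/bin/bash", "/tmp/security/run.sh", "/tmp/security/custom-resources.yaml" ]
          volumeMounts:
            - mountPath: "/tmp/security"
              name: tmp-configmap-security
      volumes:
        - name: tmp-configmap-security
          configMap:
            name: istio-security-custom-resources
      restartPolicy: OnFailure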