diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 28ed630..c49f7bc 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -14,6 +14,9 @@ spec:
 labels:
 {{- include "antigravity.labels" . | nindent 8 }}
 spec:
+ {{- if ne (.Values.clusterAccess | default "none") "none" }}
+ serviceAccountName: {{ include "antigravity.fullname" . }}
+ {{- end }}
 securityContext:
 fsGroup: 1000
 fsGroupChangePolicy: "OnRootMismatch"
diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
new file mode 100644
index 0000000..cf9c4de
--- /dev/null
+++ b/chart/templates/rbac.yaml
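Review bot: When `clusterAccess` is `none` the added block leaves `serviceAccountName` unset, so the pod runs as the namespace's `default` ServiceAccount with that account's token auto-mounted (Kubernetes defaults `automountServiceAccountToken` to true), which is weaker than the "no cluster access (default)" the values.yaml hunk promises. Add an else branch so the default mode really carries no credential: `{{- else }}` / `automountServiceAccountToken: false` immediately before the `{{- end }}`. Whatever the `default` ServiceAccount happens to be bound to in the target namespace is otherwise inherited by the devcontainer. The enclosing pod `spec:` block continues outside the hunk.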
@@ -0,0 +1,97 @@
+{{- $access := .Values.clusterAccess | default "none" }}
+{{- $name := include "antigravity.fullname" . }}
+{{- $ns := .Release.Namespace }}
+{{- $labels := include "antigravity.labels" . }}
+
+{{- if ne $access "none" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ $name }}
+ namespace: {{ $ns }}
+ labels:
+ {{- $labels | nindent 4 }}
+
+{{- if or (eq $access "readonlyns") (eq $access "readwritens") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ $name }}
+ namespace: {{ $ns }}
+ labels:
+ {{- $labels | nindent 4 }}
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs:
+ {{- if eq $access "readonlyns" }}
+ - get
+ - list
+ - watch
+ {{- else }}
+ - "*"
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ $name }}
+ namespace: {{ $ns }}
+ labels:
+ {{- $labels | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $name }}
+ namespace: {{ $ns }}
+roleRef:
+ kind: Role
+ name: {{ $name }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- if or (eq $access "readonly") (eq $access "readwrite") }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- $labels | nindent 4 }}
+rules:
+ - apiGroups: ["*"]
+ resources: ["*"]
+ verbs:
+ {{- if eq $access "readonly" }}
+ - get
+ - list
+ - watch
+ {{- else }}
+ - "*"
+ {{- end }}
+ - nonResourceURLs: ["*"]
+ verbs:
+ {{- if eq $access "readonly" }}
+ - get
+ {{- else }}
+ - "*"
+ {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ $name }}
+ labels:
+ {{- $labels | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ $name }}
+ namespace: {{ $ns }}
+roleRef:
+ kind: ClusterRole
+ name: {{ $name }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
+
+{{- end }}
diff --git a/chart/values.yaml b/chart/values.yaml
index ebcc1f8..19b8281 100644
--- a/chart/values.yaml
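Review bot: In both `verbs:` blocks the read-only modes grant get/list/watch on `resources: ["*"]`, which includes `secrets`, so `readonlyns`/`readonly` still disclose every credential stored in the namespace or cluster; state that next to the rule, e.g. `# NOTE: "*" resources includes Secrets — read-only still exposes credentials`, and mirror it in the values.yaml option list, which currently describes these modes only as "get/list/watch all resources". An unrecognized value such as `readOnly` passes `ne $access "none"`, so the ServiceAccount is created and the deployment points at it while no Role or binding is rendered — a silent misconfiguration rather than a render error; guard it ahead of the first `if` with `{{- if not (has $access (list "none" "readonlyns" "readwritens" "readonly" "readwrite")) }}` / `{{- fail (printf "clusterAccess: unsupported value %q" $access) }}` / `{{- end }}`. The ClusterRole and ClusterRoleBinding are cluster-scoped but named with the release fullname alone, so two installs with the same name in different namespaces will collide on those objects; naming them `{{ $name }}-{{ $ns }}` (including in the ClusterRoleBinding's `roleRef`) avoids that.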
+++ b/chart/values.yaml
@@ -38,6 +38,15 @@ resources:
 memory: "8Gi"
 cpu: "4000m"
+# Kubernetes cluster access granted to the devcontainer pod via RBAC.
+# Options:
+# none — no cluster access (default)
+# readonlyns — get/list/watch all resources in the release namespace
+# readwritens — full access to all resources in the release namespace
+# readonly — get/list/watch all resources cluster-wide
+# readwrite — full access to all resources cluster-wide
+clusterAccess: none
+
 # Name of existing Secret containing env vars (GITHUB_TOKEN, VNC_PASSWORD, etc.)
 # Defaults to: devcontainer-{name}-secrets-env
 envSecretName: ""