add rbac rules to make oc work in a backup job

integr8ly · Feb 26, 2019 · 9ceaa3a · 9ceaa3a
1 parent 00a2c6b
commit 9ceaa3a
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 3 deletions.
diff --git a/image/Dockerfile b/image/Dockerfile
@@ -13,7 +13,8 @@ RUN yum --enablerepo=extras install -y epel-release && \
 COPY tools /opt/intly/tools
 RUN chown -R 1001:root /opt/intly
 
-RUN find /opt/intly/tools -type f -exec chmod +x {} \;
+RUN find /opt/intly/tools -type f -exec chmod +x {} \; && \
+    mkdir /.kube && touch /.kube/config && chmod -R 777 /.kube
 
 ENTRYPOINT ["/opt/intly/tools/entrypoint.sh"]
 

diff --git a/templates/openshift/backup-cronjob-template.yaml b/templates/openshift/backup-cronjob-template.yaml
@@ -20,6 +20,7 @@ objects:
               labels:
                 cronjob-name: ${NAME}
             spec:
+              serviceAccountName: backupjob
               containers:
                 - name: backup-cronjob
                   image: "${IMAGE}"
@@ -71,4 +72,4 @@ parameters:
     description: 'Backup docker image URL'
     value: 'quay.io/integreatly/backup-container:master'
   - name: DEBUG
-    description: "Debug flag to sleep the job pod after its execution"
+    description: "Debug flag to sleep the job pod after its execution"
diff --git a/templates/openshift/backup-job-template.yaml b/templates/openshift/backup-job-template.yaml
@@ -19,6 +19,7 @@ objects:
           labels:
             job-name: ${NAME}
         spec:
+          serviceAccountName: backupjob
           containers:
             - name: backup-job
               image: "${IMAGE}"
@@ -67,4 +68,4 @@ parameters:
     description: 'Backup docker image URL'
     value: 'quay.io/integreatly/backup-container:master'
   - name: DEBUG
-    description: "Debug flag to sleep the job pod after its execution"
+    description: "Debug flag to sleep the job pod after its execution"
diff --git a/templates/openshift/rbac/role-binding.yaml b/templates/openshift/rbac/role-binding.yaml
@@ -0,0 +1,9 @@
+apiVersion: authorization.openshift.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: backupjob
+roleRef:
+  name: backupjob
+subjects:
+  - kind: ServiceAccount
+    name: backupjob
diff --git a/templates/openshift/rbac/role.yaml b/templates/openshift/rbac/role.yaml
@@ -0,0 +1,12 @@
+apiVersion: authorization.openshift.io/v1
+kind: ClusterRole
+metadata:
+  name: backupjob
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - secrets
+    verbs:
+      - '*'
diff --git a/templates/openshift/rbac/service-account.yaml b/templates/openshift/rbac/service-account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: backupjob