Merge pull request #96 from Bregor/features/rbac

RBAC support

Author: vdice

charts/fluentd/templates/_helpers.tmpl

@@ -0,0 +1,10 @@
+{{/*
+Set apiVersion based on Kubernetes version
+*/}}
+{{- define "rbacAPIVersion" -}}
+{{- if ge .Capabilities.KubeVersion.Minor "6" -}}
+rbac.authorization.k8s.io/v1beta1
+{{- else -}}
+rbac.authorization.k8s.io/v1alpha1
+{{- end -}}
+{{- end -}}

charts/fluentd/templates/logger-fluentd-clusterrole.yaml

@@ -0,0 +1,15 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRole
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-logger-fluentd
+  labels:
+    app: deis-logger-fluentd
+    heritage: deis
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["list", "get", "watch"]
+{{- end -}}
+{{- end -}}

charts/fluentd/templates/logger-fluentd-clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+{{- if (.Values.global.use_rbac) -}}
+{{- if (.Capabilities.APIVersions.Has (include "rbacAPIVersion" .)) -}}
+kind: ClusterRoleBinding
+apiVersion: {{ template "rbacAPIVersion" . }}
+metadata:
+  name: deis:deis-logger-fluentd
+  labels:
+    app: deis-logger-fluentd
+    heritage: deis
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: deis:deis-logger-fluentd
+subjects:
+- kind: ServiceAccount
+  name: deis-logger-fluentd
+  namespace: {{ .Release.Namespace }}
+{{- end -}}
+{{- end -}}

charts/fluentd/values.yaml

@@ -20,11 +20,15 @@ sources:
 
 output:
   disable_deis: false
-  
+
 boot:
   install_build_tools: false
 
 # Any custom fluentd environment variables (https://github.com/deis/fluentd#configuration)
 # can be specified as key-value pairs under daemon_environment.
 daemon_environment:
   #<example-env>: <example-value>
+
+# Role-Based Access Control for Kubernetes >= 1.5
+global:
+  use_rbac: false