Add the rbac policy to give the brokers permissions to deploy functions #6143

@roman-popenov

It is possible to set the Functions environment as Kubernetes so that they can be scheduled and run in a pod. First, the broker should have a `serviceAccountName` set. Second, in order for the broker to deploy functions, it needs to have an RBAC policy set. Currently, one would need to create a YAML object definition file and apply it manually. It would be great to have that file already in the deployment folder.

```yaml
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: functions-worker
rules:
- apiGroups: [""]
  resources:
  - services
  - configmaps
  - pods
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - '*'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: functions-worker
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: functions-worker
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: functions-worker
subjects:
- kind: ServiceAccount
  name: functions-worker
  namespace: pulsar
```

It would also be great to add a flag `functions_rbac` to the Helm charts so the configuration from above could be written as a template and the deployment more streamlined.
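
A narrower variant of the manifest above, added here as an example and not taken from the issue or the Pulsar repository: the same resources granted through a namespaced Role and RoleBinding, so the service account holds no rights outside one namespace. It assumes function pods are scheduled in the `pulsar` namespace named in the binding, and the explicit verb list replacing `'*'` is an assumption to be trimmed to what the functions worker actually uses.

```yaml
# Added example: namespace-scoped equivalent of the ClusterRole/ClusterRoleBinding.
# Assumption: function pods are created in the broker's own namespace (pulsar).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: functions-worker
  namespace: pulsar            # matches the namespace used in the binding subject
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                     # Role, not ClusterRole: grants apply only inside "pulsar"
metadata:
  name: functions-worker
  namespace: pulsar
rules:
- apiGroups: [""]
  resources: [services, configmaps, pods]
  # Assumed verb set replacing '*'; remove any verb the worker does not need.
  verbs: [get, list, watch, create, update, patch, delete]
- apiGroups: [apps]
  resources: [statefulsets]
  verbs: [get, list, watch, create, update, patch, delete]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding              # binds the Role within the namespace only
metadata:
  name: functions-worker
  namespace: pulsar
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: functions-worker
subjects:
- kind: ServiceAccount
  name: functions-worker
  namespace: pulsar
```

After applying, `kubectl auth can-i --list --as=system:serviceaccount:pulsar:functions-worker -n pulsar` shows the effective grants, and the same query against another namespace should list none of these resources.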

Labels: lifecycle/stale, type/feature