Update RBAC best practices

helm · Jan 27, 2018 · cbea403 · cbea403
1 parent 28b05b8
commit cbea403
Showing 1 changed file with 44 additions and 9 deletions.
diff --git a/docs/chart_best_practices/rbac.md b/docs/chart_best_practices/rbac.md
@@ -10,19 +10,54 @@ RBAC resources are:
 - RoleBinding (namespaced)
 - ClusterRoleBinding
 
-## RBAC-related values
-
-RBAC-related values in a chart should be namespaced under an `rbac` top-level key.  At a minimum this key should contain these sub-keys (explained below):
-
-- `create`
-- `serviceAccountName`
-
-Other keys under `rbac` may also be listed and used as well.
+## YAML Configuration
+
+RBAC and ServiceAccount configuration should happen under separate keys. They are separate things. Splitting these two concepts out in the YAML disambiguates them and make this clearer.
+
+```yaml
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the ServiceAccount to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+```
+
+This structure can be extended for more complex charts that require multiple ServiceAccounts.
+
+```yaml
+serviceAccounts:
+  client:
+    create: true
+    name:
+  server: 
+    create: true
+    name:
+```
 
 ## RBAC Resources Should be Created by Default
 
 `rbac.create` should be a boolean value controlling whether RBAC resources are created.  The default should be `true`.  Users who wish to manage RBAC access controls themselves can set this value to `false` (in which case see below).
 
 ## Using RBAC Resources
 
-`rbac.serviceAccountName` should set the name of the ServiceAccount to be used by access-controlled resources created by the chart.  If `rbac.create` is true, then a ServiceAccount with this name should be created.  If `rbac.create` is false, then it should not be created, but it should still be associated with the same resources so that manually-created RBAC resources created later that reference it will function correctly.  (Note that this effectively makes `rbac.serviceAccountName` a required value in these charts.)
+`serviceAccount.name` should set to the name of the ServiceAccount to be used by access-controlled resources created by the chart.  If `serviceAccount.create` is true, then a ServiceAccount with this name should be created.  If the name is not set, then a name is generated using the `fullname` template, If `serviceAccount.create` is false, then it should not be created, but it should still be associated with the same resources so that manually-created RBAC resources created later that reference it will function correctly.  If `serviceAccount.create` is false and the name is not specified, then the default ServiceAccount is used.
+
+The following helper template should be used for the ServiceAccount.
+
+```yaml
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "mychart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "mychart.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+```