package hardened
import (
"github.com/rancher/helm-project-operator/pkg/controllers/common"
corev1 "k8s.io/api/core/v1"
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// Note: each resource created here must have a matching resolver registered in resolvers.go.
// The only exception is namespaces, which are handled by the main controller's OnChange handler.
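var (
	// defaultServiceAccountName is the name of the ServiceAccount managed in every
	// operated namespace; "default" is the account pods fall back to when none is set.
	defaultServiceAccountName = "default"

	// defaultAutomountServiceAccountToken is the hardened default for the managed
	// ServiceAccount: with it false, pods running as this account do not get an API
	// token mounted unless their own pod spec explicitly sets
	// automountServiceAccountToken: true. It is a var (not a const) because the
	// ServiceAccount field takes a *bool; callers should copy it before taking its
	// address so the shared default cannot be mutated through the pointer.
	defaultAutomountServiceAccountToken = false

	// defaultNetworkPolicyName is the name of the NetworkPolicy managed in every
	// operated namespace.
	defaultNetworkPolicyName = "hpo-generated-default"

	// defaultNetworkPolicySpec is a deny-all policy: it selects every pod in the
	// namespace, lists no allowed ingress or egress rules, and explicitly declares
	// both policy types so that the empty rule lists are interpreted as "deny all"
	// rather than "not governed by this policy".
	defaultNetworkPolicySpec = networkingv1.NetworkPolicySpec{
		PodSelector: metav1.LabelSelector{},                 // empty selector: applies to all pods
		Ingress:     []networkingv1.NetworkPolicyIngressRule{}, // no allow rules: all ingress denied
		Egress:      []networkingv1.NetworkPolicyEgressRule{},  // no allow rules: all egress denied
		// Use the typed constants rather than bare strings so a typo cannot
		// silently drop one direction from the policy.
		PolicyTypes: []networkingv1.PolicyType{
			networkingv1.PolicyTypeIngress,
			networkingv1.PolicyTypeEgress,
		},
	}
)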
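// getDefaultServiceAccount returns the "default" ServiceAccount that the Helm
// Project Operator manages in the given project namespace.
//
// The returned object does not share memory with the package-level defaults or
// with h.opts: AutomountServiceAccountToken points at a freshly allocated bool
// and the Secrets/ImagePullSecrets slices are cloned. Without this, anything
// that mutated the returned object in place (e.g. writing through the *bool)
// would silently change the default applied to every later namespace.
//
// Security note: the default leaves token automounting disabled, so a pod
// running as this account only receives an API token if its own spec sets
// automountServiceAccountToken: true. h.opts.ServiceAccount may override this
// to true for all operated namespaces; that weakens the hardening and should
// be a deliberate configuration choice.
func (h *handler) getDefaultServiceAccount(namespace *corev1.Namespace) *corev1.ServiceAccount {
	// Copy the package-level default so the pointer stored on the object cannot
	// be used to flip the default shared by all namespaces.
	automount := defaultAutomountServiceAccountToken

	serviceAccount := &corev1.ServiceAccount{
		ObjectMeta: metav1.ObjectMeta{
			Name:      defaultServiceAccountName,
			Namespace: namespace.Name,
			Labels: map[string]string{
				common.HelmProjectOperatedLabel: "true",
			},
		},
		AutomountServiceAccountToken: &automount,
	}

	saOpts := h.opts.ServiceAccount
	if saOpts == nil {
		return serviceAccount
	}
	if saOpts.Secrets != nil {
		// s[:0:0] keeps the slice's element type without naming it; appending
		// into it clones the contents so the object does not alias h.opts.
		serviceAccount.Secrets = append(saOpts.Secrets[:0:0], saOpts.Secrets...)
	}
	if saOpts.ImagePullSecrets != nil {
		serviceAccount.ImagePullSecrets = append(saOpts.ImagePullSecrets[:0:0], saOpts.ImagePullSecrets...)
	}
	if saOpts.AutomountServiceAccountToken != nil {
		// Copy the value rather than the pointer, for the same reason as above.
		override := *saOpts.AutomountServiceAccountToken
		serviceAccount.AutomountServiceAccountToken = &override
	}
	return serviceAccount
}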
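// getNetworkPolicy returns the Helm Project Operator generated NetworkPolicy
// for the given project namespace.
//
// By default this is the deny-all defaultNetworkPolicySpec. When
// h.opts.NetworkPolicy is set it replaces the entire spec rather than being
// merged with the default, so a permissive override removes the default
// isolation for every operated namespace; review that option with the same
// care as the policy itself.
//
// The spec is deep-copied before being placed on the returned object so that
// its PodSelector, Ingress, Egress and PolicyTypes storage is not shared with
// the package-level default or with h.opts. A struct copy alone would still
// alias those slices, and mutating them through one object would leak into
// the next.
func (h *handler) getNetworkPolicy(namespace *corev1.Namespace) *networkingv1.NetworkPolicy {
	spec := defaultNetworkPolicySpec
	if override := h.opts.NetworkPolicy; override != nil {
		spec = networkingv1.NetworkPolicySpec(*override)
	}

	return &networkingv1.NetworkPolicy{
		ObjectMeta: metav1.ObjectMeta{
			Name:      defaultNetworkPolicyName,
			Namespace: namespace.Name,
			Labels: map[string]string{
				common.HelmProjectOperatedLabel: "true",
			},
		},
		// DeepCopy is the generated k8s deep copier; it detaches all nested slices.
		Spec: *spec.DeepCopy(),
	}
}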