clockworksoul / helm-elasticsearch

An Elasticsearch cluster on top of Kubernetes, made easier, with Helm.
Apache License 2.0
118 stars 76 forks

Add RBAC #25

Open clockworksoul opened 7 years ago

clockworksoul commented 7 years ago

Pointed out over at https://github.com/pires/kubernetes-elasticsearch-cluster/issues/140.

Per that issue:

RBAC is now default and will be much more prominent in kube 1.8. Can you provide the RBAC yaml for this elastic search cluster?

This should include a version conditional however, so that the installation doesn't fail if RBAC is not enabled.

sagikazarmark commented 7 years ago

I would probably provide an opt-in for those who are still on k8s <1.8 and use RBAC.

clockworksoul commented 7 years ago

My working version includes the following values:

# If RBAC is enabled, a ClusterRole and ClusterRoleBinding will be created.
rbac:
  enabled: false

  # RBAC API version (currently v1, v1beta1, v1alpha1)
  apiVersion: "v1beta1"

Is this the kind of thing you have in mind?

mikn commented 7 years ago

@clockworksoul I would recommend using a method similar to the one used here: https://github.com/clockworksoul/helm-elasticsearch/blob/master/templates/_helpers.tpl#L21 to detect the version to use, rather than having the user themselves specify the intended API version. :) Or even better, you could use the example here: https://docs.helm.sh/chart_template_guide/#built-in-objects and do something like:

{{ if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }}
{{ $rbacApiVersion := "rbac.authorization.k8s.io/v1" }}
[...]

etc. I have however never tried this myself, but it seems like a very canonical way of doing it.

clockworksoul commented 7 years ago

@mikn Thanks! I'll do exactly that!
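
The approach discussed in this thread, combining the `rbac.enabled` opt-in with API version detection through `.Capabilities`, could look like the following template. This is an added example, not code from the chart or from any commenter. The helper name `elasticsearch.rbacApiVersion`, the resource names and the `endpoints` rule are assumptions.

```yaml
{{- /* Added example (hypothetical templates/rbac.yaml), not the chart's own code. */ -}}
{{- /* Hypothetical helper: returns the newest RBAC API version the cluster serves. */ -}}
{{- define "elasticsearch.rbacApiVersion" -}}
{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" -}}
rbac.authorization.k8s.io/v1
{{- else if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1beta1" -}}
rbac.authorization.k8s.io/v1beta1
{{- else -}}
rbac.authorization.k8s.io/v1alpha1
{{- end -}}
{{- end -}}

{{- /* Opt-in: nothing is rendered unless rbac.enabled is true, so installs */ -}}
{{- /* on clusters without RBAC do not fail on unknown resource kinds. */ -}}
{{- if .Values.rbac.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ .Release.Name }}-elasticsearch
---
apiVersion: {{ template "elasticsearch.rbacApiVersion" . }}
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-elasticsearch
rules:
  # Assumption: node discovery only needs to read Endpoints.
  # Grant the narrowest verbs that work; do not use wildcards here.
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get"]
---
apiVersion: {{ template "elasticsearch.rbacApiVersion" . }}
kind: ClusterRoleBinding
metadata:
  name: {{ .Release.Name }}-elasticsearch
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-elasticsearch
subjects:
  # Bind to a dedicated ServiceAccount rather than the namespace default.
  - kind: ServiceAccount
    name: {{ .Release.Name }}-elasticsearch
    namespace: {{ .Release.Namespace }}
{{- end }}
```

The binding only takes effect if the Elasticsearch pod specs set `serviceAccountName` to the same ServiceAccount. Putting the detection in a named template rather than a `$rbacApiVersion` variable avoids the variable being scoped to the `if` block in which it is declared.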