diff --git a/install/installer/pkg/components/workspace/objects.go b/install/installer/pkg/components/workspace/objects.go
index 6dc79e5afc5afd..89f0b3d955187b 100644
--- a/install/installer/pkg/components/workspace/objects.go
+++ b/install/installer/pkg/components/workspace/objects.go
@@ -9,4 +9,6 @@ import "github.com/gitpod-io/gitpod/installer/pkg/common"
 var Objects = common.CompositeRenderFunc(
 networkpolicy,
 common.DefaultServiceAccount(Component),
+ role,
+ rolebinding,
 )
diff --git a/install/installer/pkg/components/workspace/role.go b/install/installer/pkg/components/workspace/role.go
new file mode 100644
index 00000000000000..7b788d3f2d5d4c
--- /dev/null
+++ b/install/installer/pkg/components/workspace/role.go
@@ -0,0 +1,37 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package workspace
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func role(ctx *common.RenderContext) ([]runtime.Object, error) {
+ labels := common.DefaultLabels(Component)
+
+ return []runtime.Object{
+ &rbacv1.Role{
+ TypeMeta: common.TypeMetaRole,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ Rules: []rbacv1.PolicyRule{
+ {
+ APIGroups: []string{""},
+ Resources: []string{"events"},
+ Verbs: []string{
+ "create",
+ "patch",
+ },
+ },
+ },
+ },
+ }, nil
+}
diff --git a/install/installer/pkg/components/workspace/rolebinding.go b/install/installer/pkg/components/workspace/rolebinding.go
new file mode 100644
index 00000000000000..a0bd495b9463bd
--- /dev/null
+++ b/install/installer/pkg/components/workspace/rolebinding.go
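Review bot: In role.go the `events` rule grants `create` and `patch` without any comment naming the consumer, and the Role is bound to the ServiceAccount called `Component`, which looks like the identity workspace pods run under. If those pods mount that account's token, code running inside a workspace could write arbitrary Events into the installation namespace and distort anything that alerts or audits on them, so please confirm token automount is off for workspace pods or state which controller needs the verbs. A comment above `Rules` such as `// events create/patch: needed by <consumer> to report workspace lifecycle events` would record the intent. `role` itself has no doc comment either.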
@@ -0,0 +1,40 @@
+// Copyright (c) 2021 Gitpod GmbH. All rights reserved.
+// Licensed under the GNU Affero General Public License (AGPL).
+// See License.AGPL.txt in the project root for license information.
+
+package workspace
+
+import (
+ "github.com/gitpod-io/gitpod/installer/pkg/common"
+ rbacv1 "k8s.io/api/rbac/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+)
+
+func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
+ labels := common.DefaultLabels(Component)
+
+ return []runtime.Object{
+
+ &rbacv1.RoleBinding{
+ TypeMeta: common.TypeMetaRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: Component,
+ Namespace: ctx.Namespace,
+ Labels: labels,
+ },
+ RoleRef: rbacv1.RoleRef{
+ APIGroup: "rbac.authorization.k8s.io",
+ Kind: "Role",
+ Name: Component,
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
+ },
+ },
+ },
+ }, nil
+}
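Review bot: In rolebinding.go the `RoleRef` and `Subjects` entries hand-type API strings that the already-imported `k8s.io/api/rbac/v1` package exports as constants; `APIGroup: rbacv1.GroupName` and `Kind: rbacv1.ServiceAccountKind` would let the compiler catch a typo in values that decide who receives the permission. The Role, the binding and the ServiceAccount are linked only by all being named `Component`, so a doc comment on `rolebinding` saying that it binds the workspace Role to the component's ServiceAccount in `ctx.Namespace` would make that coupling explicit for whoever renames one of them. The empty line right after `return []runtime.Object{` can be dropped.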