Add serviceAccount to DeclarativeCombinedScan Hook

J12934 · J12934 · commit 8707a3f2dceb · 2020-07-20T13:37:21.000+02:00
diff --git a/hooks/declarative-subsequent-scans/templates/declerative-subsequent-scans-hook.yaml b/hooks/declarative-subsequent-scans/templates/declerative-subsequent-scans-hook.yaml
@@ -16,4 +16,5 @@ spec:
   {{- else }}
   image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
   {{- end }}
-  {{- end }}
+  {{- end }}
+  serviceAccountName: declarative-combined-scans
diff --git a/hooks/declarative-subsequent-scans/templates/role-binding.yaml b/hooks/declarative-subsequent-scans/templates/role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  annotations:
+    description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: declarative-combined-scans
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: declarative-combined-scans
+subjects:
+  - kind: ServiceAccount
+    name: declarative-combined-scans
diff --git a/hooks/declarative-subsequent-scans/templates/role.yaml b/hooks/declarative-subsequent-scans/templates/role.yaml
@@ -0,0 +1,29 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  annotations:
+    description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: declarative-combined-scans
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans
+    verbs:
+      - get
+      - create
+  - apiGroups:
+      - execution.experimental.securecodebox.io
+    resources:
+      - scans/status
+    verbs:
+      - get
+      - patch
+  - apiGroups:
+      - cascading.experimental.securecodebox.io
+    resources:
+      - cascadingrules
+    verbs:
+      - get
+      - list
diff --git a/hooks/declarative-subsequent-scans/templates/service-account.yaml b/hooks/declarative-subsequent-scans/templates/service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  annotations:
+    description: DeclarativeCombinedScansHooks needs to have the rights to create new scans and the usual patch rules to update the scan status
+  name: declarative-combined-scans
+  namespace: {{ .Release.Namespace }}
