feat: add rbac to helm values

flanksource · Dec 29, 2023 · df1d1f8 · df1d1f8
1 parent c250a7f
commit df1d1f8
Show file tree

Hide file tree

Showing 3 changed files with 84 additions and 25 deletions.
diff --git a/chart/templates/clusterrole.yaml b/chart/templates/clusterrole.yaml
@@ -1,8 +1,53 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role"
 metadata:
   name: {{ include "canary-checker.name" . }}-role
 rules:
+  {{- if .Values.serviceAccount.rbac.secrets}}
+  - apiGroups: 
+      - v1
+    resources: 
+      - secrets
+    verbs:
+      - get
+      - list
+  {{- end}}
+  {{- if .Values.serviceAccount.rbac.configmaps}}
+  - apiGroups: 
+      - v1
+    resources: 
+      - configmaps
+    verbs:
+      - get
+      - list
+  {{- end}}
+  {{- if .Values.serviceAccount.rbac.exec}}
+  - apiGroups: [""]
+    resources:
+      - pods/attach
+      - pods/exec
+      - pods/log
+    verbs:
+      - '*'
+  {{- end}}
+  {{- if .Values.serviceAccount.rbac.tokenRequest}}
+  - apiGroups:
+      - authentication.k8s.io/v1
+    resources:
+      - serviceaccounts/token
+    verbs:
+      - create
+  {{- end}}
+  {{- if .Values.serviceAccount.rbac.readAll}}
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - list
+      - get
+      - watch
+  {{- end}}
   - apiGroups:
       - canaries.flanksource.com
     resources:
@@ -25,6 +70,7 @@ rules:
       - get
       - patch
       - update
+  {{- if .Values.serviceAccount.rbac.podsCreateAndDelete}}
   # for creating and destroying pods during the pod canary test
   - apiGroups:
       - ""
@@ -34,46 +80,40 @@ rules:
       - services
     verbs:
       - "*"
+  {{- end}}
+  {{- if .Values.serviceAccount.rbac.ingressCreateAndDelete }}
   - apiGroups:
-      - "metrics.k8s.io"
+      - "networking.k8s.io/v1"
     resources:
-      - pods
-      - nodes
+      - ingresses
     verbs:
       - "*"
-  # for getting the  XML results from junit tests
   - apiGroups:
-      - ""
+      - "extensions"
     resources:
-      - pods/exec
-      - pods/log
+      - ingresses
     verbs:
       - "*"
+  {{- end}}
+  {{- if .Values.serviceAccount.rbac.namespaceCreateAndDelete }}
   - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - get
-      - list
-  - apiGroups:
-      - "networking.k8s.io"
+      - "v1"
     resources:
-      - ingresses
+      - namespaces
     verbs:
       - "*"
+  {{- end}}
   - apiGroups:
-      - "extensions"
+      - "metrics.k8s.io"
     resources:
-      - ingresses
+      - pods
+      - nodes
     verbs:
       - "*"
-  # for reading configuration from canaries
   - apiGroups:
       - ""
     resources:
-      - secrets
-      - configmaps
+      - nodes
     verbs:
       - get
       - list

diff --git a/chart/templates/clusterrolebinding.yaml b/chart/templates/clusterrolebinding.yaml
@@ -1,10 +1,10 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}RoleBinding"
 metadata:
   name: {{ include "canary-checker.fullname" . }}-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role"
   name: {{ include "canary-checker.name" . }}-role
 subjects:
   - kind: ServiceAccount

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -135,10 +135,29 @@ resources:
     memory: 2Gi
 
 serviceAccount:
-  {}
   # Configures extra annotations on the service account
   # annotations:
   #   some: annotation
+  rbac:
+    # Whether to create cluster-wide or namespaced roles
+    cluster_role: false
+
+    # for secret management with valueFrom
+    tokenRequest: true
+    secrets: true
+    configmaps: true
+
+    # for use with kubernetes resource lookups
+    readAll: true
+
+    # for pod and junit canaries
+    podsCreateAndDelete: true
+
+    # for pod canary
+    ingressCreateAndDelete: true
+
+    # for namespace canary
+    namespaceCreateAndDelete: true
 
 disableChecks: {}