feat: add support for ClusterRole RBAC permissions (#376)

community-tooling · Nov 13, 2024 · 002235e · 002235e
1 parent 8dbd0f7
commit 002235e
Show file tree

Hide file tree

Showing 9 changed files with 77 additions and 16 deletions.
diff --git a/charts/cronjob/Chart.yaml b/charts/cronjob/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: cronjob
 description: Run jobs on a schedule
 type: application
-version: 3.7.2
+version: 3.8.0
 maintainers:
   - name: morremeyer
   - name: ekeih
diff --git a/charts/cronjob/README.md b/charts/cronjob/README.md
@@ -1,6 +1,6 @@
 # cronjob
 
-![Version: 3.7.2](https://img.shields.io/badge/Version-3.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 3.8.0](https://img.shields.io/badge/Version-3.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Run jobs on a schedule
 
@@ -72,9 +72,11 @@ configMap:
 | additionalVolumes | list | `[]` |  |
 | affinity | object | `{}` | affinity object for the pod |
 | annotations | object | `{}` |  |
-| apiAccess | object | `{"enabled":false,"rules":[]}` | Configuration for access to the Kubernetes API |
-| apiAccess.enabled | bool | `false` | When set to true, a Role and RoleBinding are deployed that give access with the rules defined in apiAccess.rules |
-| apiAccess.rules | list | `[]` | Rules for the API access of the ServiceAccount used by the CronJob pods. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information |
+| apiAccess | object | `{"clusterRoleRules":[],"enabled":false,"roleRules":[],"rules":[]}` | Configuration for access to the Kubernetes API |
+| apiAccess.clusterRoleRules | list | `[]` | Rules for the ClusterRole the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information |
+| apiAccess.enabled | bool | `false` | DEPRECATED, this is automatically detected by checking if `roleRules` or `clusterRoleRules` are configured. If only `rules` are set, this can be set to false to prevent deployment of the Role and RoleBinding (backwards compatibility). |
+| apiAccess.roleRules | list | `[]` | Rules for the Role the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information |
+| apiAccess.rules | list | `[]` | DEPRECATED, use roleRules. Rules for the API access of the ServiceAccount used by the CronJob pods. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information |
 | args | list | `[]` | arguments to pass to the command or binary being run |
 | command | list | `[]` | the command or binary to run |
 | concurrencyPolicy | string | `"Allow"` | The [concurrencyPolicy](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#concurrency-policy) for the CronJob |

diff --git a/charts/cronjob/ci/default-values.yaml b/charts/cronjob/ci/default-values.yaml
@@ -9,3 +9,22 @@ hostAliases:
     hostnames:
       - "foo.local"
       - "bar.local"
+
+apiAccess:
+  # This is ignored since roleRules are set
+  enabled: false
+
+  rules:
+    - apiGroups: [""]
+      resources: ["pods"]
+      verbs: ["get", "list"]
+
+  roleRules:
+    - apiGroups: [""]
+      resources: ["deployments"]
+      verbs: ["get", "list"]
+
+  clusterRoleRules:
+    - apiGroups: [""]
+      resources: ["replicasets"]
+      verbs: ["get", "list"]
diff --git a/charts/cronjob/ci/roles-values.yaml b/charts/cronjob/ci/roles-values.yaml
diff --git a/charts/cronjob/templates/clusterRole.yaml b/charts/cronjob/templates/clusterRole.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.apiAccess.clusterRoleRules }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cronjob.fullname" . }}
+  labels:
+    {{- include "cronjob.labels" . | nindent 4 }}
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+rules: {{ toYaml .Values.apiAccess.clusterRoleRules | nindent 2 }}
+{{- end }}
diff --git a/charts/cronjob/templates/clusterRoleBinding.yaml b/charts/cronjob/templates/clusterRoleBinding.yaml
@@ -0,0 +1,24 @@
+{{- if .Values.apiAccess.clusterRoleRules }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "cronjob.fullname" . }}
+  labels:
+    {{- include "cronjob.labels" . | nindent 4 }}
+    {{- with .Values.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with .Values.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "cronjob.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  apiGroup: ""
+roleRef:
+  kind: ClusterRole
+  name: {{ include "cronjob.fullname" . }}
+  apiGroup: ""
+{{- end }}
diff --git a/charts/cronjob/templates/role.yaml b/charts/cronjob/templates/role.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.apiAccess.enabled }}
+{{- if or (and .Values.apiAccess.enabled .Values.apiAccess.rules)  .Values.apiAccess.roleRules }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -12,5 +12,5 @@ metadata:
     {{- with .Values.annotations }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
-rules: {{ toYaml .Values.apiAccess.rules | nindent 2 }}
+rules: {{ toYaml (concat .Values.apiAccess.rules .Values.apiAccess.roleRules) | nindent 2 }}
 {{- end }}
diff --git a/charts/cronjob/templates/roleBinding.yaml b/charts/cronjob/templates/roleBinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.apiAccess.enabled }}
+{{- if or .Values.apiAccess.enabled .Values.apiAccess.roleRules }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:

diff --git a/charts/cronjob/values.yaml b/charts/cronjob/values.yaml
@@ -114,11 +114,17 @@ affinity: {}
 # -- Configuration for access to the Kubernetes API
 apiAccess:
 
-  # -- When set to true, a Role and RoleBinding are deployed that give access with the rules defined in apiAccess.rules
+  # -- DEPRECATED, this is automatically detected by checking if `roleRules` or `clusterRoleRules` are configured. If only `rules` are set, this can be set to false to prevent deployment of the Role and RoleBinding (backwards compatibility).
   enabled: false
 
-  # -- Rules for the API access of the ServiceAccount used by the CronJob pods. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information
+  # -- DEPRECATED, use roleRules. Rules for the API access of the ServiceAccount used by the CronJob pods. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information
   rules: []
 
+  # -- Rules for the Role the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information
+  roleRules: []
+
+  # -- Rules for the ClusterRole the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information
+  clusterRoleRules: []
+
 # -- [Host Aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/#adding-additional-entries-with-hostaliases)
 hostAliases: []