From a5fe7fb04a4101f31d08a63d3ad4270509e82253 Mon Sep 17 00:00:00 2001 From: Morre Date: Wed, 13 Nov 2024 14:34:41 +0100 Subject: [PATCH] feat: add support for ClusterRole RBAC permissions --- charts/cronjob/Chart.yaml | 2 +- charts/cronjob/README.md | 10 ++++---- charts/cronjob/ci/default-values.yaml | 19 +++++++++++++++ charts/cronjob/ci/roles-values.yaml | 6 ----- charts/cronjob/templates/clusterRole.yaml | 16 +++++++++++++ .../cronjob/templates/clusterRoleBinding.yaml | 24 +++++++++++++++++++ charts/cronjob/templates/role.yaml | 4 ++-- charts/cronjob/templates/roleBinding.yaml | 2 +- charts/cronjob/values.yaml | 10 ++++++-- 9 files changed, 77 insertions(+), 16 deletions(-) delete mode 100644 charts/cronjob/ci/roles-values.yaml create mode 100644 charts/cronjob/templates/clusterRole.yaml create mode 100644 charts/cronjob/templates/clusterRoleBinding.yaml diff --git a/charts/cronjob/Chart.yaml b/charts/cronjob/Chart.yaml index 566e65e0..e83c874b 100644 --- a/charts/cronjob/Chart.yaml +++ b/charts/cronjob/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: cronjob description: Run jobs on a schedule type: application -version: 3.7.2 +version: 3.8.0 maintainers: - name: morremeyer - name: ekeih diff --git a/charts/cronjob/README.md b/charts/cronjob/README.md index ac65d162..ea6dbcd8 100644 --- a/charts/cronjob/README.md +++ b/charts/cronjob/README.md @@ -1,6 +1,6 @@ # cronjob -![Version: 3.7.2](https://img.shields.io/badge/Version-3.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![Version: 3.8.0](https://img.shields.io/badge/Version-3.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) Run jobs on a schedule 
@@ -72,9 +72,11 @@ configMap: | additionalVolumes | list | `[]` | | | affinity | object | `{}` | affinity object for the pod | | annotations | object | `{}` | | -| apiAccess | object | `{"enabled":false,"rules":[]}` | Configuration for access to the Kubernetes API | -| apiAccess.enabled | bool | `false` | When set to true, a Role and RoleBinding are deployed that give access with the rules defined in apiAccess.rules | -| apiAccess.rules | list | `[]` | Rules for the API access of the ServiceAccount used by the CronJob pods. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information | +| apiAccess | object | `{"clusterRoleRules":[],"enabled":false,"roleRules":[],"rules":[]}` | Configuration for access to the Kubernetes API | +| apiAccess.clusterRoleRules | list | `[]` | Rules for the ClusterRole the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information | +| apiAccess.enabled | bool | `false` | DEPRECATED, this is automatically detected by checking if `roleRules` or `clusterRoleRules` are configured. If only `rules` are set, this can be set to false to prevent deployment of the Role and RoleBinding (backwards compatibility). | +| apiAccess.roleRules | list | `[]` | Rules for the Role the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information | +| apiAccess.rules | list | `[]` | DEPRECATED, use roleRules. Rules for the API access of the ServiceAccount used by the CronJob pods. 
Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information | | args | list | `[]` | arguments to pass to the command or binary being run | | command | list | `[]` | the command or binary to run | | concurrencyPolicy | string | `"Allow"` | The [concurrencyPolicy](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#concurrency-policy) for the CronJob | diff --git a/charts/cronjob/ci/default-values.yaml b/charts/cronjob/ci/default-values.yaml index ce42e079..c0095c3f 100644 --- a/charts/cronjob/ci/default-values.yaml +++ b/charts/cronjob/ci/default-values.yaml @@ -9,3 +9,22 @@ hostAliases: hostnames: - "foo.local" - "bar.local" + +apiAccess: + # This is ignored since roleRules are set + enabled: false + + rules: + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + + roleRules: + - apiGroups: [""] + resources: ["deployments"] + verbs: ["get", "list"] + + clusterRoleRules: + - apiGroups: [""] + resources: ["replicasets"] + verbs: ["get", "list"] diff --git a/charts/cronjob/ci/roles-values.yaml b/charts/cronjob/ci/roles-values.yaml deleted file mode 100644 index 599227dc..00000000 --- a/charts/cronjob/ci/roles-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiAccess: - enabled: true - rules: - - apiGroups: [""] - resources: ["pods"] - verbs: ["get", "list"] diff --git a/charts/cronjob/templates/clusterRole.yaml b/charts/cronjob/templates/clusterRole.yaml new file mode 100644 index 00000000..8defdad7 --- /dev/null +++ b/charts/cronjob/templates/clusterRole.yaml 
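Review bot: The two new rule sets in ci/default-values.yaml name `deployments` and `replicasets` under `apiGroups: [""]`, but both resources are served by the `apps` group, so in the core group these rules match nothing and the rendered Role/ClusterRole grants no usable access. If the CI job only checks that the templates render this is harmless, but as the one shipped example of `roleRules`/`clusterRoleRules` it will be copied by users; `apiGroups: ["apps"]` on both entries makes the fixture a realistic grant. The comment `This is ignored since roleRules are set` on `enabled` is also only half true as far as I can tell from role.yaml, because `rules` are still concatenated into the Role whenever `roleRules` is non-empty; saying so here would avoid a misleading example.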
@@ -0,0 +1,16 @@ +{{- if .Values.apiAccess.clusterRoleRules }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "cronjob.fullname" . }} + labels: + {{- include "cronjob.labels" . | nindent 4 }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +rules: {{ toYaml .Values.apiAccess.clusterRoleRules | nindent 2 }} +{{- end }} diff --git a/charts/cronjob/templates/clusterRoleBinding.yaml b/charts/cronjob/templates/clusterRoleBinding.yaml new file mode 100644 index 00000000..5bcc4c06 --- /dev/null +++ b/charts/cronjob/templates/clusterRoleBinding.yaml @@ -0,0 +1,24 @@ +{{- if .Values.apiAccess.clusterRoleRules }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "cronjob.fullname" . }} + labels: + {{- include "cronjob.labels" . | nindent 4 }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +subjects: +- kind: ServiceAccount + name: {{ include "cronjob.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + apiGroup: "" +roleRef: + kind: ClusterRole + name: {{ include "cronjob.fullname" . }} + apiGroup: "" +{{- end }} diff --git a/charts/cronjob/templates/role.yaml b/charts/cronjob/templates/role.yaml index ffc9b2e7..825fdf56 100644 --- a/charts/cronjob/templates/role.yaml +++ b/charts/cronjob/templates/role.yaml @@ -1,4 +1,4 @@ -{{- if .Values.apiAccess.enabled }} +{{- if or (and .Values.apiAccess.enabled .Values.apiAccess.rules) .Values.apiAccess.roleRules }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
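Review bot: The new ClusterRole is named with `{{ include "cronjob.fullname" . }}` only, which is derived from the release name and not the namespace, so two releases with the same name in different namespaces collide on this cluster-scoped object. Helm refuses to adopt a resource already owned by another release, so the second install fails, and a forced install would presumably repoint the ClusterRoleBinding below at the other namespace's ServiceAccount, silently revoking the first release's access. Cluster-scoped objects emitted from a namespaced chart conventionally carry the namespace in their name, e.g. `name: {{ include "cronjob.fullname" . }}-{{ .Release.Namespace }}`; the same change is needed for metadata.name and roleRef.name in the clusterRoleBinding.yaml hunk that follows. A header comment in this template stating that `clusterRoleRules` apply across all namespaces, unlike `roleRules`, would also help reviewers of values files treat the two lists differently.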
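Review bot: The ClusterRoleBinding's `roleRef` sets `apiGroup: ""`, which is the group of the subject (a ServiceAccount) rather than of the referenced ClusterRole. As far as I can tell the API server's v1 defaulting fills the empty group in, but schema validators and policy tooling that run on rendered manifests before submission do not apply defaults, and the explicit form is what every Kubernetes example uses; change it to `apiGroup: rbac.authorization.k8s.io`. The `apiGroup: ""` under `subjects` is correct for a ServiceAccount and should stay.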
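Review bot: The render conditions for the Role and the RoleBinding no longer agree: role.yaml now requires `(and .Values.apiAccess.enabled .Values.apiAccess.rules)` or `roleRules`, while the roleBinding.yaml hunk in the next file section only requires `.Values.apiAccess.enabled` or `roleRules`. With `enabled: true` and both `rules` and `roleRules` empty, which was a valid (if pointless) configuration before this change, the chart now emits a RoleBinding whose roleRef points at a Role that is not rendered. Use the same expression in roleBinding.yaml, `{{- if or (and .Values.apiAccess.enabled .Values.apiAccess.rules) .Values.apiAccess.roleRules }}`, or factor the condition into a named template so the two cannot drift again.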
@@ -12,5 +12,5 @@ metadata: {{- with .Values.annotations }} {{- toYaml . | nindent 4 }} {{- end }} -rules: {{ toYaml .Values.apiAccess.rules | nindent 2 }} +rules: {{ toYaml (concat .Values.apiAccess.rules .Values.apiAccess.roleRules) | nindent 2 }} {{- end }} diff --git a/charts/cronjob/templates/roleBinding.yaml b/charts/cronjob/templates/roleBinding.yaml index fe220ca7..f889b553 100644 --- a/charts/cronjob/templates/roleBinding.yaml +++ b/charts/cronjob/templates/roleBinding.yaml @@ -1,4 +1,4 @@ -{{- if .Values.apiAccess.enabled }} +{{- if or .Values.apiAccess.enabled .Values.apiAccess.roleRules }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: diff --git a/charts/cronjob/values.yaml b/charts/cronjob/values.yaml index 1d57f6b3..afc947fe 100644 --- a/charts/cronjob/values.yaml +++ b/charts/cronjob/values.yaml 
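Review bot: The `concat` here merges the deprecated `rules` into the Role unconditionally, so once `roleRules` is non-empty the `rules` entries are granted even with `enabled: false`, which contradicts the new values.yaml description of `enabled` as a way to prevent deployment of the rules-based Role and the ci/default-values.yaml comment that `enabled` is "ignored". If the intent is that `rules` are only honoured when `enabled` is true, gate them in the concat, e.g. `rules: {{ toYaml (concat (ternary .Values.apiAccess.rules (list) .Values.apiAccess.enabled) .Values.apiAccess.roleRules) | nindent 2 }}`; otherwise the `rules` comment in values.yaml should state that the list is always merged into the Role whenever it is rendered, because a permission list that a reader believes is switched off but is still applied is the kind of surprise that matters for RBAC. The template's `if` guard opens outside this hunk.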
@@ -114,11 +114,17 @@ affinity: {} # -- Configuration for access to the Kubernetes API apiAccess: - # -- When set to true, a Role and RoleBinding are deployed that give access with the rules defined in apiAccess.rules + # -- DEPRECATED, this is automatically detected by checking if `roleRules` or `clusterRoleRules` are configured. If only `rules` are set, this can be set to false to prevent deployment of the Role and RoleBinding (backwards compatibility). enabled: false - # -- Rules for the API access of the ServiceAccount used by the CronJob pods. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information + # -- DEPRECATED, use roleRules. Rules for the API access of the ServiceAccount used by the CronJob pods. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information rules: [] + # -- Rules for the Role the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information + roleRules: [] + + # -- Rules for the ClusterRole the the pods are bound to. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information + clusterRoleRules: [] + # -- [Host Aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/#adding-additional-entries-with-hostaliases) hostAliases: []
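Review bot: The comments on the new `roleRules` and `clusterRoleRules` keys read `the Role the the pods` / `the ClusterRole the the pods`, and the duplicated word is already copied into the README table by the docs generator. While fixing that, the `clusterRoleRules` comment should make the scope difference explicit so that a reader picking between the two lists understands what they are granting, e.g. `# -- Rules for the ClusterRole the pods are bound to. These apply across all namespaces; prefer roleRules when namespace-scoped access is enough. Check [the documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole) for more information`.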