From 207bab7e7639729daf131c16b2a17deb6e888adc Mon Sep 17 00:00:00 2001 From: Jirka Kremser <535866+jkremser@users.noreply.github.com> Date: Mon, 15 Apr 2024 17:16:33 +0200 Subject: [PATCH] More secure rbac (#625) Signed-off-by: Jirka Kremser Signed-off-by: Jirka Kremser <535866+jkremser@users.noreply.github.com> Co-authored-by: Jan Wozniak --- .gitignore | 8 ++ keda/README.md | 29 +++-- keda/templates/NOTES.txt | 7 + keda/templates/manager/clusterrole.yaml | 71 ++++------ .../manager/clusterrolebindings.yaml | 49 +++++++ keda/templates/manager/deployment.yaml | 7 +- keda/templates/manager/minimal-rbac.yaml | 121 ++++++++++++++++++ .../manager/poddisruptionbudget.yaml | 2 +- keda/templates/manager/role.yaml | 37 ------ keda/templates/manager/rolebinding.yaml | 22 ---- .../{ => manager}/serviceaccount.yaml | 14 +- .../metrics-server/clusterrolebinding.yaml | 5 +- keda/templates/metrics-server/deployment.yaml | 4 +- .../metrics-server/serviceaccount.yaml | 18 +++ keda/templates/webhooks/clusterrole.yaml | 43 +++++++ .../clusterrolebindings.yaml} | 10 +- keda/templates/webhooks/deployment.yaml | 4 +- .../webhooks/poddisruptionbudget.yaml | 2 +- keda/templates/webhooks/serviceaccount.yaml | 18 +++ keda/values.yaml | 53 ++++++-- 20 files changed, 381 insertions(+), 143 deletions(-) create mode 100644 .gitignore create mode 100644 keda/templates/manager/clusterrolebindings.yaml create mode 100644 keda/templates/manager/minimal-rbac.yaml delete mode 100644 keda/templates/manager/role.yaml delete mode 100644 keda/templates/manager/rolebinding.yaml rename keda/templates/{ => manager}/serviceaccount.yaml (69%) create mode 100644 keda/templates/metrics-server/serviceaccount.yaml create mode 100644 keda/templates/webhooks/clusterrole.yaml rename keda/templates/{manager/clusterrolebinding.yaml => webhooks/clusterrolebindings.yaml} (61%) create mode 100644 keda/templates/webhooks/serviceaccount.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..a7b80e1e --- /dev/null +++ b/.gitignore @@ -0,0 +1,8 @@ +# IDE specific files +.vscode +.idea +*.swp +*.swo + +# Mac +.DS_Store diff --git a/keda/README.md b/keda/README.md index 342cc0e0..3957ae81 100644 --- a/keda/README.md +++ b/keda/README.md @@ -21,7 +21,7 @@ helm repo add kedacore https://kedacore.github.io/charts helm repo update kubectl create namespace keda -helm install keda kedacore/keda --namespace keda --version 2.13.0 +helm install keda kedacore/keda --namespace keda --version 2.13.1 ``` ## Introduction @@ -36,7 +36,7 @@ To install the chart with the release name `keda`: ```console $ kubectl create namespace keda -$ helm install keda kedacore/keda --namespace keda --version 2.13.0 +$ helm install keda kedacore/keda --namespace keda --version 2.13.1 ``` ## Uninstalling the Chart @@ -111,11 +111,10 @@ their default values. | `priorityClassName` | string | `""` | priorityClassName for all KEDA components | | `rbac.aggregateToDefaultRoles` | bool | `false` | Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) | | `rbac.create` | bool | `true` | Specifies whether RBAC should be used | +| `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether RBAC for configured CRDs that can have a `scale` subresource should be created | +| `rbac.scaledRefKinds` | string | `nil` | List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`. The feature needs to be also enabled by `enabledCustomScaledRefKinds`. If left empty, RBAC for `apiGroups: *` and `resources: */scale` will be created. +note: `Deployments` and `StatefulSets` are always enabled | | `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers | -| `serviceAccount.annotations` | object | `{}` | Annotations to add to the service account | -| `serviceAccount.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | -| `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created | -| `serviceAccount.name` | string | `"keda-operator"` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | | `watchNamespace` | string | `""` | Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces | @@ -129,6 +128,7 @@ their default values. | `image.keda.tag` | string | `""` | Image tag of KEDA operator. Optional, given app version of Helm chart is used by default | | `logging.operator.format` | string | `"console"` | Logging format for KEDA Operator. allowed values: `json` or `console` | | `logging.operator.level` | string | `"info"` | Logging level for KEDA Operator. allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string | +| `logging.operator.stackTracesEnabled` | bool | `false` | If enabled, the stack traces will be also printed | | `logging.operator.timeEncoding` | string | `"rfc3339"` | Logging time encoding for KEDA Operator. allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` | | `operator.affinity` | object | `{}` | [Affinity] for pod scheduling for KEDA operator. Takes precedence over the `affinity` field | | `operator.disableCompression` | bool | `true` | Disable response compression for k8s restAPI in client-go. Disabling compression simply means that turns off the process of making data smaller for K8s restAPI in client-go for faster transmission. | @@ -139,13 +139,18 @@ their default values. | `operator.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | | `operator.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA operator. While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). | | `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | -| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator | +| `permissions.operator.restrict.namesAllowList` | list | `[]` | Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account also the configured `watchNamespace`. the default is an empty array -> no restriction on the secret name | +| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace | | `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator | | `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] | | `podLabels.keda` | object | `{}` | Pod labels for KEDA operator | | `podSecurityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA operator pod | | `resources.operator` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA operator pod | | `securityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the operator container | +| `serviceAccount.operator.annotations` | object | `{}` | Annotations to add to the service account | +| `serviceAccount.operator.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | +| `serviceAccount.operator.create` | bool | `true` | Specifies whether a service account should be created | +| `serviceAccount.operator.name` | string | `"keda-operator"` | The name of the service account to use. | | `topologySpreadConstraints.operator` | list | `[]` | [Pod Topology Constraints] of KEDA operator pod | | `upgradeStrategy.operator` | object | `{}` | Capability to configure [Deployment upgrade strategy] for operator | | `volumes.keda.extraVolumeMounts` | list | `[]` | Extra volume mounts for KEDA deployment | @@ -180,6 +185,10 @@ their default values. | `service.portHttps` | int | `443` | HTTPS port for KEDA Metric Server service | | `service.portHttpsTarget` | int | `6443` | HTTPS port for KEDA Metric Server container | | `service.type` | string | `"ClusterIP"` | KEDA Metric Server service type | +| `serviceAccount.metricServer.annotations` | object | `{}` | Annotations to add to the service account | +| `serviceAccount.metricServer.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | +| `serviceAccount.metricServer.create` | bool | `true` | Specifies whether a service account should be created | +| `serviceAccount.metricServer.name` | string | `"keda-metrics-server"` | The name of the service account to use. | | `topologySpreadConstraints.metricsServer` | list | `[]` | [Pod Topology Constraints] of KEDA metrics apiserver pod | | `upgradeStrategy.metricsApiServer` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Metrics Api Server | | `volumes.metricsApiServer.extraVolumeMounts` | list | `[]` | Extra volume mounts for metric server deployment | @@ -288,8 +297,12 @@ their default values. | `podDisruptionBudget.webhooks` | object | `{}` | Capability to configure [Pod Disruption Budget] | | `podLabels.webhooks` | object | `{}` | Pod labels for KEDA Admission webhooks | | `podSecurityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA admission webhooks | -| `resources.webhooks` | object | `{"limits":{"cpu":"50m","memory":"100Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}` | Manage [resource request & limits] of KEDA admission webhooks pod | +| `resources.webhooks` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA admission webhooks pod | | `securityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the admission webhooks container | +| `serviceAccount.webhooks.annotations` | object | `{}` | Annotations to add to the service account | +| `serviceAccount.webhooks.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | +| `serviceAccount.webhooks.create` | bool | `true` | Specifies whether a service account should be created | +| `serviceAccount.webhooks.name` | string | `"keda-webhook"` | The name of the service account to use. | | `topologySpreadConstraints.webhooks` | list | `[]` | [Pod Topology Constraints] of KEDA admission webhooks pod | | `upgradeStrategy.webhooks` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Admission webhooks | | `volumes.webhooks.extraVolumeMounts` | list | `[]` | Extra volume mounts for admission webhooks deployment | diff --git a/keda/templates/NOTES.txt b/keda/templates/NOTES.txt index f143cb2f..ccc1325c 100644 --- a/keda/templates/NOTES.txt +++ b/keda/templates/NOTES.txt @@ -59,6 +59,13 @@ WARNING - Running on unsupported Kubernetes version "1.{{.Capabilities.KubeVersi ------------------------------------------------------------------------------------- {{- end }} +{{- if .Values.serviceAccount.name }} +------------------------------------------------------------------------------------- +WARNING - .serviceAccount.name has been deprecated, please migrate to newest version of the Helm Chart values that allows overriding the service account name for each KEDA component. + New version: serviceAccount.{operator,metricServer,webhooks}.{create,name,automountServiceAccountToken,annotations} +------------------------------------------------------------------------------------- +{{- end }} + Learn more about KEDA: - Documentation: https://keda.sh/ - Support: https://keda.sh/support/ diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml index 673a5e63..3741adc4 100644 --- a/keda/templates/manager/clusterrole.yaml +++ b/keda/templates/manager/clusterrole.yaml @@ -16,6 +16,10 @@ rules: resources: - configmaps - configmaps/status + - limitranges + - pods + - services + - serviceaccounts verbs: - get - list @@ -26,39 +30,27 @@ rules: - events verbs: - '*' +{{- if not .Values.permissions.operator.restrict.secret }} - apiGroups: - "" - resources: - - external - - pods - {{- if eq .Values.permissions.operator.restrict.secret false }} + resources: - secrets - {{- end }} - - services - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - limitranges verbs: - list - watch + {{- with .Values.permissions.operator.restrict.namesAllowList }} - apiGroups: - "" resources: - - serviceaccounts - verbs: - - list - - watch -- apiGroups: - - '*' - resources: - - '*' + - secrets verbs: - get + resourceNames: {{ toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +{{- if .Values.rbac.enabledCustomScaledRefKinds }} +{{- if not .Values.rbac.scaledRefKinds }} - apiGroups: - '*' resources: @@ -69,34 +61,40 @@ rules: - patch - update - watch - {{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} +{{- else }} - apiGroups: - - admissionregistration.k8s.io + - apps resources: - - validatingwebhookconfigurations + - deployments/scale + - statefulsets/scale verbs: - get - list - patch - update - watch + {{- range .Values.rbac.scaledRefKinds }} - apiGroups: - - apiregistration.k8s.io + - {{ .apiGroup | quote }} resources: - - apiservices + - {{ .kind | quote }} + - {{ printf "%s/scale" .kind | quote }} verbs: - get - list - patch - update - watch - {{- end }} + {{- end }} +{{- end }} +{{- end }} - apiGroups: - apps resources: - deployments - statefulsets verbs: + - get - list - watch - apiGroups: @@ -118,32 +116,15 @@ rules: - cloudeventsources/status verbs: - '*' -- apiGroups: - - keda.sh - resources: - - clustertriggerauthentications - - clustertriggerauthentications/status - verbs: - - '*' - apiGroups: - keda.sh resources: - scaledjobs - scaledjobs/finalizers - scaledjobs/status - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - scaledobjects - scaledobjects/finalizers - scaledobjects/status - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - triggerauthentications - triggerauthentications/status verbs: diff --git a/keda/templates/manager/clusterrolebindings.yaml b/keda/templates/manager/clusterrolebindings.yaml new file mode 100644 index 00000000..fa83bcec --- /dev/null +++ b/keda/templates/manager/clusterrolebindings.yaml @@ -0,0 +1,49 @@ +{{- if .Values.rbac.create }} +{{- if not .Values.watchNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.operator.name }} +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- else }} + {{- range ( split "," .Values.watchNamespace ) }} +--- +# Role binding for namespace '{{ . }}' +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + {{- with $.Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ $.Values.operator.name }} + {{- include "keda.labels" $ | indent 4 }} + name: {{ $.Values.operator.name }} + namespace: {{ . | trim }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $.Values.operator.name }} +subjects: +- kind: ServiceAccount + name: {{ ($.Values.serviceAccount.operator).name | default $.Values.serviceAccount.name }} + namespace: {{ $.Release.Namespace }} +--- + {{- end }} +{{- end }} +{{- end }} diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml index 72117787..4b4675c6 100644 --- a/keda/templates/manager/deployment.yaml +++ b/keda/templates/manager/deployment.yaml @@ -55,8 +55,8 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} - automountServiceAccountToken: true + serviceAccountName: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + automountServiceAccountToken: {{ (.Values.serviceAccount.operator).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} securityContext: {{- if .Values.podSecurityContext.operator }} {{- toYaml .Values.podSecurityContext.operator | nindent 8 }} @@ -85,6 +85,9 @@ spec: - "--zap-log-level={{ .Values.logging.operator.level }}" - "--zap-encoder={{ .Values.logging.operator.format }}" - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}" + {{- if .Values.logging.operator.stackTracesEnabled }} + - "--zap-stacktrace-level=error" + {{- end }} - "--cert-dir={{ .Values.certificates.mountPath }}" - "--enable-cert-rotation={{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}" - "--cert-secret-name={{ .Values.certificates.secretName }}" diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml new file mode 100644 index 00000000..bc762161 --- /dev/null +++ b/keda/templates/manager/minimal-rbac.yaml @@ -0,0 +1,121 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-certs + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-certs + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' +{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + resourceNames: + - {{ .Values.certificates.secretName | quote }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - update +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-certs + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-certs + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Values.operator.name }}-certs +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-minimal-cluster-role + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-minimal-cluster-role +rules: +- apiGroups: + - keda.sh + resources: + - clustertriggerauthentications + - clustertriggerauthentications/status + verbs: + - '*' +{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - update + - watch +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-minimal + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-minimal +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.operator.name }}-minimal-cluster-role +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/keda/templates/manager/poddisruptionbudget.yaml b/keda/templates/manager/poddisruptionbudget.yaml index 4d087c63..dc423b8b 100644 --- a/keda/templates/manager/poddisruptionbudget.yaml +++ b/keda/templates/manager/poddisruptionbudget.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + app.kubernetes.io/name: {{ .Values.operator.name }} {{- include "keda.labels" . | indent 4 }} spec: {{- if .Values.podDisruptionBudget.minAvailable }} diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml deleted file mode 100644 index 11339be0..00000000 --- a/keda/templates/manager/role.yaml +++ /dev/null @@ -1,37 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }} - namespace: {{ .Release.Namespace }} -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - '*' -{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }} -- apiGroups: - - "" - resources: - - secrets - verbs: - {{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} - - create - - delete - - patch - - update - {{- end }} - - watch - - get - - list -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/keda/templates/manager/rolebinding.yaml b/keda/templates/manager/rolebinding.yaml deleted file mode 100644 index 1c2303a3..00000000 --- a/keda/templates/manager/rolebinding.yaml +++ /dev/null @@ -1,22 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Values.operator.name }} -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/keda/templates/serviceaccount.yaml b/keda/templates/manager/serviceaccount.yaml similarity index 69% rename from keda/templates/serviceaccount.yaml rename to keda/templates/manager/serviceaccount.yaml index d93d1b7e..967b517a 100644 --- a/keda/templates/serviceaccount.yaml +++ b/keda/templates/manager/serviceaccount.yaml @@ -1,14 +1,14 @@ -{{- if .Values.serviceAccount.create -}} +{{- if (.Values.serviceAccount.operator).create | default .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: labels: - app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + app.kubernetes.io/name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} {{- if .Values.podIdentity.azureWorkload.enabled }} azure.workload.identity/use: "true" {{- end }} {{- include "keda.labels" . | nindent 4 }} - {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations .Values.podIdentity.gcp.enabled }} + {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled ((.Values.serviceAccount.operator).annotations | default .Values.serviceAccount.annotations) .Values.podIdentity.gcp.enabled }} annotations: {{- if .Values.additionalAnnotations }} {{- toYaml .Values.additionalAnnotations | nindent 4 }} @@ -39,11 +39,11 @@ metadata: iam.gke.io/gcp-service-account: {{ .Values.podIdentity.gcp.gcpIAMServiceAccount }} {{- end }} {{- end }} - {{- if .Values.serviceAccount.annotations }} - {{- toYaml .Values.serviceAccount.annotations | nindent 4}} + {{- if (.Values.serviceAccount.operator).annotations | default .Values.serviceAccount.annotations }} + {{- toYaml (.Values.serviceAccount.operator).annotations | default .Values.serviceAccount.annotations | nindent 4}} {{- end }} {{- end }} - name: {{ .Values.serviceAccount.name }} + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +automountServiceAccountToken: {{ (.Values.serviceAccount.operator).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} {{- end -}} diff --git a/keda/templates/metrics-server/clusterrolebinding.yaml b/keda/templates/metrics-server/clusterrolebinding.yaml index af00d424..cf877a2d 100644 --- a/keda/templates/metrics-server/clusterrolebinding.yaml +++ b/keda/templates/metrics-server/clusterrolebinding.yaml @@ -16,9 +16,10 @@ roleRef: name: system:auth-delegator subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} + name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} --- +# https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#extension-apiserver-authenticates-the-request apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -37,7 +38,7 @@ roleRef: name: extension-apiserver-authentication-reader subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} + name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/keda/templates/metrics-server/deployment.yaml b/keda/templates/metrics-server/deployment.yaml index 16829cc6..80cc4d84 100644 --- a/keda/templates/metrics-server/deployment.yaml +++ b/keda/templates/metrics-server/deployment.yaml @@ -57,8 +57,8 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} - automountServiceAccountToken: true + serviceAccountName: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} + automountServiceAccountToken: {{ (.Values.serviceAccount.metricServer).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} securityContext: {{- if .Values.podSecurityContext.metricServer }} {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }} diff --git a/keda/templates/metrics-server/serviceaccount.yaml b/keda/templates/metrics-server/serviceaccount.yaml new file mode 100644 index 00000000..7227699a --- /dev/null +++ b/keda/templates/metrics-server/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- if (.Values.serviceAccount.metricServer).create | default .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} + {{- include "keda.labels" . | nindent 4 }} + annotations: + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + {{- if (.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations }} + {{- toYaml ((.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations) | nindent 4}} + {{- end }} + name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ (.Values.serviceAccount.metricServer).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/keda/templates/webhooks/clusterrole.yaml b/keda/templates/webhooks/clusterrole.yaml new file mode 100644 index 00000000..d5808908 --- /dev/null +++ b/keda/templates/webhooks/clusterrole.yaml @@ -0,0 +1,43 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-webhook + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-webhook +rules: +- apiGroups: + - autoscaling + resources: + - horizontalpodautoscalers + verbs: + - list + - watch +- apiGroups: + - keda.sh + resources: + - scaledobjects + verbs: + - list + - watch +- apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - limitranges + verbs: + - list +{{- end -}} diff --git a/keda/templates/manager/clusterrolebinding.yaml b/keda/templates/webhooks/clusterrolebindings.yaml similarity index 61% rename from keda/templates/manager/clusterrolebinding.yaml rename to keda/templates/webhooks/clusterrolebindings.yaml index 5d13f80a..4c30a94a 100644 --- a/keda/templates/manager/clusterrolebinding.yaml +++ b/keda/templates/webhooks/clusterrolebindings.yaml @@ -7,15 +7,15 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - app.kubernetes.io/name: {{ .Values.operator.name }} + app.kubernetes.io/name: {{ .Values.operator.name }}-webhook {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }} + name: {{ .Values.operator.name }}-webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ .Values.operator.name }} + name: {{ .Values.operator.name }}-webhook subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} + name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} -{{- end -}} +{{- end }} diff --git a/keda/templates/webhooks/deployment.yaml b/keda/templates/webhooks/deployment.yaml index 17f77bb9..680401a5 100644 --- a/keda/templates/webhooks/deployment.yaml +++ b/keda/templates/webhooks/deployment.yaml @@ -50,8 +50,8 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} - automountServiceAccountToken: true + serviceAccountName: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} + automountServiceAccountToken: {{ (.Values.serviceAccount.webhooks).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} securityContext: {{- if .Values.podSecurityContext.webhooks }} {{- toYaml .Values.podSecurityContext.webhooks | nindent 8 }} diff --git a/keda/templates/webhooks/poddisruptionbudget.yaml b/keda/templates/webhooks/poddisruptionbudget.yaml index 3e43c2a7..6fb22538 100644 --- a/keda/templates/webhooks/poddisruptionbudget.yaml +++ b/keda/templates/webhooks/poddisruptionbudget.yaml @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + app.kubernetes.io/name: {{ .Values.webhooks.name }} {{- include "keda.labels" . | indent 4 }} spec: {{- if .Values.podDisruptionBudget.minAvailable }} diff --git a/keda/templates/webhooks/serviceaccount.yaml b/keda/templates/webhooks/serviceaccount.yaml new file mode 100644 index 00000000..da5a83a2 --- /dev/null +++ b/keda/templates/webhooks/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- if (.Values.serviceAccount.webhooks).create | default .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} + {{- include "keda.labels" . | nindent 4 }} + annotations: + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + {{- if (.Values.serviceAccount.webhooks).annotations | default .Values.serviceAccount.annotations }} + {{- toYaml ((.Values.serviceAccount.webhooks).annotations | default .Values.serviceAccount.annotations) | nindent 4}} + {{- end }} + name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ (.Values.serviceAccount.webhooks).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/keda/values.yaml b/keda/values.yaml index 5a2372b6..75270c44 100644 --- a/keda/values.yaml +++ b/keda/values.yaml @@ -275,16 +275,44 @@ rbac: # -- Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) aggregateToDefaultRoles: false + # -- Whether RBAC for configured CRDs that can have a `scale` subresource should be created + enabledCustomScaledRefKinds: true + # -- List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`. + # The feature needs to be also enabled by `enabledCustomScaledRefKinds`. + # If left empty, RBAC for `apiGroups: *` and `resources: */scale` will be created + # note: Deployments and StatefulSets are supported out of the box + scaledRefKinds: + # - apiGroup: argoproj.io + # kind: Rollout + serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: keda-operator - # -- Specifies whether a service account should automount API-Credentials - automountServiceAccountToken: true - # -- Annotations to add to the service account - annotations: {} + operator: + # -- Specifies whether a service account should be created + create: true + # -- The name of the service account to use. + name: keda-operator + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account + annotations: {} + metricServer: + # -- Specifies whether a service account should be created + create: true + # -- The name of the service account to use. + name: keda-metrics-server + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account + annotations: {} + webhooks: + # -- Specifies whether a service account should be created + create: true + # -- The name of the service account to use. + name: keda-webhook + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account + annotations: {} podIdentity: activeDirectory: @@ -354,6 +382,8 @@ logging: # -- Logging time encoding for KEDA Operator. # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` timeEncoding: rfc3339 + # -- If enabled, the stack traces will be also printed + stackTracesEnabled: false metricServer: # -- Logging level for Metrics Server. # allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string @@ -797,7 +827,12 @@ permissions: operator: restrict: # -- Restrict Secret Access for KEDA operator + # if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace secret: false + # -- Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account + # also the configured `watchNamespace`. + # the default is an empty array -> no restriction on the secret name + namesAllowList: [] # -- Array of extra K8s manifests to deploy extraObjects: []