diff --git a/README.md b/README.md index 85cfc0e..8c960d8 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,18 @@ edb-pg4k-edb-postgres-for-kubernetes 1/1 1 1 11s Once it is ready, you can verify that you can deploy the sample cluster suggested by the helm chart. +It is possible to limit the operator's capabilities to solely the namespace in +which it has been set up. By implementing this restriction, the cluster-level +permissions required by the operator will be substantially minimized: + +```console +helm upgrade --install edb-pg4k \ + --namespace postgresql-operator-system \ + --create-namespace \ + --set config.clusterWide=false \ + edb/edb-postgres-for-kubernetes +``` + ### Deploying EDB Postgres for Kubernetes (PG4K) operator from EDB's private registry By default, PG4K will be deployed using [images publicly hosted on Quay.io](https://quay.io/repository/enterprisedb/cloud-native-postgresql), diff --git a/charts/edb-postgres-for-kubernetes/templates/NOTES.txt b/charts/edb-postgres-for-kubernetes/templates/NOTES.txt index 8c7e7f1..1609945 100644 --- a/charts/edb-postgres-for-kubernetes/templates/NOTES.txt +++ b/charts/edb-postgres-for-kubernetes/templates/NOTES.txt @@ -8,11 +8,14 @@ apiVersion: postgresql.k8s.enterprisedb.io/v1 kind: Cluster metadata: name: cluster-example + {{if not .Values.config.clusterWide -}} + namespace: {{ .Release.Namespace }} + {{- end }} spec: instances: 3 storage: size: 1Gi EOF -kubectl get cluster +kubectl get -A cluster diff --git a/charts/edb-postgres-for-kubernetes/templates/config.yaml b/charts/edb-postgres-for-kubernetes/templates/config.yaml index 57ed46f..fffae1c 100644 --- a/charts/edb-postgres-for-kubernetes/templates/config.yaml +++ b/charts/edb-postgres-for-kubernetes/templates/config.yaml 
@@ -25,7 +25,13 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} data: + {{- if .Values.config.clusterWide -}} {{- toYaml .Values.config.data | nindent 2 }} + {{- else -}} + {{- $watchNamespaceMap := dict "WATCH_NAMESPACE" .Release.Namespace -}} + {{- $fullConfiguration := merge .Values.config.data $watchNamespaceMap -}} + {{- toYaml $fullConfiguration | nindent 2 }} + {{- end -}} {{- end }} {{- else -}} apiVersion: v1 diff --git a/charts/edb-postgres-for-kubernetes/templates/deployment.yaml b/charts/edb-postgres-for-kubernetes/templates/deployment.yaml index c546680..533f770 100644 --- a/charts/edb-postgres-for-kubernetes/templates/deployment.yaml +++ b/charts/edb-postgres-for-kubernetes/templates/deployment.yaml @@ -64,6 +64,10 @@ spec: fieldPath: metadata.namespace - name: MONITORING_QUERIES_CONFIGMAP value: "{{ .Values.monitoringQueriesConfigMap.name }}" + {{ if not .Values.config.clusterWide -}} + - name: WATCH_NAMESPACE + value: "{{ .Release.Namespace }}" + {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} livenessProbe: diff --git a/charts/edb-postgres-for-kubernetes/templates/rbac.yaml b/charts/edb-postgres-for-kubernetes/templates/rbac.yaml index bebcddb..995264a 100644 --- a/charts/edb-postgres-for-kubernetes/templates/rbac.yaml +++ b/charts/edb-postgres-for-kubernetes/templates/rbac.yaml @@ -27,6 +27,7 @@ metadata: {{- end }} {{- if .Values.rbac.create }} +{{- if .Values.config.clusterWide }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole 
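Review bot: `merge .Values.config.data $watchNamespaceMap` lets a `WATCH_NAMESPACE` key already present in `config.data` win over the release namespace, because Sprig's `merge` never overwrites keys that exist in its first argument (and it mutates `.Values.config.data` in place); with `clusterWide=false` a user-supplied value could therefore point the operator at namespaces its namespaced Role does not cover. Use `mergeOverwrite` on a copy so the release namespace always takes precedence: `{{- $fullConfiguration := mergeOverwrite (deepCopy .Values.config.data) $watchNamespaceMap -}}`. The enclosing if/else that this data block belongs to opens before the hunk and continues after it.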
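Review bot: The added `WATCH_NAMESPACE` entry hard-codes `.Release.Namespace`, while the env entry just above it in the context obtains the namespace via `fieldPath: metadata.namespace`; if the rendered manifest is ever applied into a namespace other than the one Helm rendered for, the operator would watch a namespace its Role is not bound in. Prefer the same downward-API form: `- name: WATCH_NAMESPACE` / `valueFrom:` / `fieldRef: {fieldPath: metadata.namespace}`. config.yaml injects the same key into the operator's config data, so which value wins depends on how that data reaches the pod (not visible here); a short comment naming the intended source of truth for `WATCH_NAMESPACE` would avoid the two drifting apart.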
@@ -370,6 +371,382 @@ rules: - list - patch - watch +{{ else }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "edb-postgres-for-kubernetes.fullname" . }} + labels: + {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - configmaps/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - pods/exec + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: + - "" + resources: + - pods/status + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - secrets/status + verbs: + - get + - patch + - update +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - get + - list + - patch + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - monitoring.coreos.com + resources: + - podmonitors + verbs: + - create 
+ - delete + - get + - list + - patch + - watch +- apiGroups: + - policy + resources: + - poddisruptionbudgets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - backups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - backups/status + verbs: + - get + - patch + - update +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - clusters + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - clusters/finalizers + verbs: + - update +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - clusters/status + verbs: + - get + - patch + - update + - watch +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - poolers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - poolers/finalizers + verbs: + - update +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - poolers/status + verbs: + - get + - patch + - update + - watch +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - scheduledbackups + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - postgresql.k8s.enterprisedb.io + resources: + - scheduledbackups/status + verbs: + - get + - patch + - update +- apiGroups: + - rbac.authorization.k8s.io + resources: + - rolebindings + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + verbs: + - create + - get + - list + - patch + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
RoleBinding +metadata: + name: {{ include "edb-postgres-for-kubernetes.fullname" . }} + labels: + {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "edb-postgres-for-kubernetes.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "edb-postgres-for-kubernetes.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "edb-postgres-for-kubernetes.fullname" . }} + labels: + {{- include "edb-postgres-for-kubernetes.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - update +{{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/charts/edb-postgres-for-kubernetes/values.yaml b/charts/edb-postgres-for-kubernetes/values.yaml index 9aedbc3..da1600a 100644 --- a/charts/edb-postgres-for-kubernetes/values.yaml +++ b/charts/edb-postgres-for-kubernetes/values.yaml 
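Review bot: The RoleBinding's annotations block reads `.Values.commonAnnotations.annotations`, whereas the Role and the reduced ClusterRole in the same hunk read `.Values.commonAnnotations`; unless values.yaml nests an `annotations` key under `commonAnnotations` (not shown), the RoleBinding silently renders without the common annotations. Change it to `{{- with .Values.commonAnnotations }}` to match the other objects. Separately, the reduced ClusterRole still keeps cluster-scoped write access (`patch`/`update` on mutating and validating webhook configurations and `update` on CRDs), which is stronger than "substantially minimized" in the README suggests; a comment above that ClusterRole stating why these cluster-level verbs must remain in namespaced mode would document the residual cluster-wide trust the operator retains. The `{{- if .Values.rbac.create }}` block this belongs to opens in the previous hunk and closes after this one.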
@@ -58,6 +58,10 @@ config:
 create: true
 # -- Specifies whether it should be stored in a secret, instead of a configmap
 secret: false
+ # -- This option determines if the operator is responsible for observing
+ # events across the entire Kubernetes cluster or if its focus should be
+ # narrowed down to the specific namespace within which it has been deployed.
+ clusterWide: true
 # Examples:
 # INHERITED_ANNOTATIONS: categories
 # INHERITED_LABELS: environment, workload, app
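Review bot: `clusterWide: true` is inserted between `secret: false` and the `# Examples:` comment, so that comment and its `INHERITED_ANNOTATIONS`/`INHERITED_LABELS` sample keys now read as if they described `clusterWide` rather than the `config.data` map they are presumably for. Move the new key and its comment above `create: true` (or below the data block), and make the comment state the concrete effect instead of a general description: `# -- When false, the operator is limited to the release namespace: a Role/RoleBinding replaces the ClusterRole and WATCH_NAMESPACE is set to .Release.Namespace.`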