feat: rbac on helm

flanksource · Dec 29, 2023 · c711ec0 · c711ec0
1 parent 2a758f4
commit c711ec0
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 4 deletions.
diff --git a/chart/templates/serviceaccount.yaml b/chart/templates/serviceaccount.yaml
@@ -10,25 +10,58 @@ metadata:
 {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}RoleBinding"
 metadata:
   name: {{ template "config-db.serviceAccountName" . }}-rolebinding
   labels: {{- include "config-db.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role"
   name: {{ template "config-db.serviceAccountName" . }}-role
 subjects:
   - kind: ServiceAccount
     name: {{ template "config-db.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: "{{if .Values.serviceAccount.rbac.cluster_role}}Cluster{{end}}Role"
 metadata:
   name: {{ template "config-db.serviceAccountName" . }}-role
   labels: {{- include "config-db.labels" . | nindent 4 }}
 rules:
+{{- if .Values.serviceAccount.rbac.secrets}}
+- apiGroups: 
+    - v1
+  resources: 
+    - secrets
+  verbs:
+    - get
+    - list
+{{- end}}
+{{- if .Values.serviceAccount.rbac.configmaps}}
+- apiGroups: 
+    - v1
+  resources: 
+    - configmaps
+  verbs:
+    - get
+    - list
+{{- end}}
+{{- if .Values.serviceAccount.rbac.exec}}
+- apiGroups: [""]
+  resources:
+    - pods/attach
+    - pods/exec
+    - pods/log
+  verbs:
+    - '*'
+{{- end}}
+{{- if .Values.serviceAccount.rbac.tokenRequest}}
+- apiGroups: ['authentication.k8s.io/v1']
+  resources: ['serviceaccounts/token']
+  verbs: ['create']
+{{- end}}
+{{- if .Values.serviceAccount.rbac.readAll}}
 - apiGroups:
   - '*'
   resources:
@@ -37,6 +70,7 @@ rules:
   - "list"
   - "get"
   - "watch"
+{{- end}}
 - apiGroups:
   - configs.flanksource.com
   resources:

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -43,7 +43,7 @@ db:
     # If you need to set a custom username and password, you can populate a secret named 'postgres-connection' before install
     # with POSTGRES_USER and POSTGRES_PASSWORD
     #
-    # If create:false, a prexisting secret containing the URI to an existing postgres database must be provided
+    # If create:false, a preexisting secret containing the URI to an existing postgres database must be provided
     # The URI must be in the format 'postgresql://"$user":"$password"@"$host"/"$database"'
     create: false
     secretKeyRef:
@@ -78,6 +78,20 @@ serviceAccount:
   create: true
   name: ''
   annotations: {}
+  rbac:
+    # Whether to create cluster-wide or namespaced roles
+    cluster_role: true
+
+    # for secret management with valueFrom
+    tokenRequest: true
+    secrets: true
+    configmaps: true
+
+    # for use with kubernetes resource lookups
+    readAll: true
+
+    # for kubernetesFile lookups
+    exec: true
 
 upstream:
   enabled: false