From 86cd9b1c609426abbf5cb52ae91ebe930f57f3d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Bergm=C3=BCller?=
Date: Mon, 14 Oct 2024 10:57:15 +0200
Subject: [PATCH] Adding RBAC namespace selection for metrics server (#674)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Added required namespace variable and values file entry, updated docs
Signed-off-by: Nils
* Added required namespace variable and values file entry, updated docs
Signed-off-by: Nils Bergmüller
* Updated helm-docs
Signed-off-by: Nils Bergmüller
* Updated helm-docs
Signed-off-by: Nils Bergmüller
* Updated helm-docs
Signed-off-by: Nils Bergmüller
* Updated helm-docs
Signed-off-by: Nils Bergmüller
* Updated helm-docs
Signed-off-by: Nils Bergmüller
* Updated helm-docs
Signed-off-by: Nils Bergmüller
---------
Signed-off-by: Nils
Signed-off-by: Nils Bergmüller
---
 keda/README.md | 1 +
 keda/templates/metrics-server/clusterrolebinding.yaml | 4 ++--
 keda/values.yaml | 4 ++++
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/keda/README.md b/keda/README.md
index abf50469..fa101631 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -109,6 +109,7 @@ their default values.
 | `podSecurityContext` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] for all pods |
 | `priorityClassName` | string | `""` | priorityClassName for all KEDA components |
 | `rbac.aggregateToDefaultRoles` | bool | `false` | Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) |
+| `rbac.controlPlaneServiceAccountsNamespace` | string | `"kube-system"` | Customize the namespace of k8s metrics-server deployment This could also be achieved by the Kubernetes control plane manager flag --use-service-account-credentials: [docs](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/) |
 | `rbac.create` | bool | `true` | Specifies whether RBAC should be used |
 | `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether RBAC for configured CRDs that can have a `scale` subresource should be created |
 | `rbac.scaledRefKinds` | list | `[{"apiGroup":"*","kind":"*"}]` | List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`. The feature needs to be also enabled by `enabledCustomScaledRefKinds`. If left empty, RBAC for `apiGroups: *` and `resources: *, */scale` will be created note: Deployments and StatefulSets are supported out of the box |
diff --git a/keda/templates/metrics-server/clusterrolebinding.yaml b/keda/templates/metrics-server/clusterrolebinding.yaml
index cf877a2d..622bf3b9 100644
--- a/keda/templates/metrics-server/clusterrolebinding.yaml
+++ b/keda/templates/metrics-server/clusterrolebinding.yaml
@@ -31,7 +31,7 @@ metadata:
 app.kubernetes.io/name: {{ .Values.operator.name }}-auth-reader
 {{- include "keda.labels" . | indent 4 }}
 name: {{ .Values.operator.name }}-auth-reader
- namespace: kube-system
+ namespace: {{ .Values.rbac.controlPlaneServiceAccountsNamespace }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -59,5 +59,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: horizontal-pod-autoscaler
- namespace: kube-system
+ namespace: {{ .Values.rbac.controlPlaneServiceAccountsNamespace }}
 {{- end -}}
diff --git a/keda/values.yaml b/keda/values.yaml
index c9e7b45c..71fc51fd 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
@@ -276,6 +276,10 @@ rbac:
 # -- Whether RBAC for configured CRDs that can have a `scale` subresource should be created
 enabledCustomScaledRefKinds: true
+ # -- Customize the namespace of k8s metrics-server deployment
+ # This could also be achieved by the Kubernetes control plane manager flag --use-service-account-credentials:
+ # [docs](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/)
+ controlPlaneServiceAccountsNamespace: kube-system
 # -- List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`.
 # The feature needs to be also enabled by `enabledCustomScaledRefKinds`.
 # If left empty, RBAC for `apiGroups: *` and `resources: *, */scale` will be created
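Review bot: On the `{{ .Values.operator.name }}-auth-reader` binding in the `@@ -31,7` hunk, the new value sets the namespace of the binding object itself rather than of a subject, and the `roleRef` directly below it is `kind: Role`, which Kubernetes resolves only within the binding's own namespace. If the referenced Role exists only in `kube-system` (its name is outside this hunk, so this is inferred), any override leaves the binding pointing at a Role that is not there and the permission is lost without a template error. I would keep `namespace: kube-system` on this object, or drive it from a separate value, and use `rbac.controlPlaneServiceAccountsNamespace` only for the subject in the `@@ -59,5` hunk. The manifest starts and ends outside the hunk.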
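Review bot: The subject namespace in the `@@ -59,5` hunk is rendered raw from values, so an empty override yields a `ServiceAccount` subject with no namespace, and a mistaken one binds the role to whichever `horizontal-pod-autoscaler` service account exists in that namespace. Because anyone allowed to create service accounts there would inherit the bound role, the value deserves a guard and quoting: `namespace: {{ required "rbac.controlPlaneServiceAccountsNamespace must be set" .Values.rbac.controlPlaneServiceAccountsNamespace | quote }}`. The same unquoted rendering appears in the `@@ -31,7` hunk. The binding's `roleRef` and the opening conditional are outside the hunk.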
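Review bot: The doc comment added above `controlPlaneServiceAccountsNamespace` calls it the namespace of the metrics-server deployment, but in the template hunks it is the namespace of the `horizontal-pod-autoscaler` service-account subject and of the auth-reader binding. I would reword it to `# -- Namespace of the control plane service accounts (e.g. horizontal-pod-autoscaler) referenced by the metrics-server RBAC bindings` and add a line noting that it should be a namespace where only cluster administrators can create service accounts. The sentence about `--use-service-account-credentials` does not say how the flag relates to this value and would read better as "set this when the controller manager's service accounts live outside kube-system", if that is the intent. The README row is generated from this comment and would need regenerating; the `rbac:` block continues outside the hunk.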