aws-load-balancer-controller: v2.4.1 (aws#713)

Co-authored-by: eks-bot <[email protected]>
yadavprakash · Mar 17, 2022 · be1958e · be1958e
1 parent dc44b27
commit be1958e
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 4 deletions.
diff --git a/stable/aws-load-balancer-controller/Chart.yaml b/stable/aws-load-balancer-controller/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
 name: aws-load-balancer-controller
 description: AWS Load Balancer Controller Helm chart for Kubernetes
-version: 1.4.0
-appVersion: v2.4.0
+version: 1.4.1
+appVersion: v2.4.1
 home: https://github.com/aws/eks-charts
 icon: https://raw.githubusercontent.com/aws/eks-charts/master/docs/logo/aws.png
 sources:

diff --git a/stable/aws-load-balancer-controller/README.md b/stable/aws-load-balancer-controller/README.md
@@ -234,3 +234,4 @@ The default values set by the application itself can be confirmed [here](https:/
 | `serviceMonitor.enabled`                       | Specifies whether a service monitor should be created, requires the ServiceMonitor CRD to be installed   | `false`                                                                            |
 | `serviceMonitor.additionalLabels`              | Labels to add to the service account                                                                     | `{}`                                                                               |
 | `serviceMonitor.interval`                      | Prometheus scrape interval                                                                               | `1m`                                                                               |
+| `clusterSecretsPermissions.allowAllSecrets`    | If `true`, controller has access to all secrets in the cluster.                                          | `false`                                                                            |
diff --git a/stable/aws-load-balancer-controller/templates/rbac.yaml b/stable/aws-load-balancer-controller/templates/rbac.yaml
@@ -57,8 +57,13 @@ rules:
   resources: [services, ingresses]
   verbs: [get, list, patch, update, watch]
 - apiGroups: [""]
-  resources: [nodes, secrets, namespaces, endpoints]
+  resources: [nodes, namespaces, endpoints]
   verbs: [get, list, watch]
+{{- if .Values.clusterSecretsPermissions.allowAllSecrets }}
+- apiGroups: [""]
+  resources: [secrets]
+  verbs: [get, list, watch]
+{{- end }}
 - apiGroups: ["elbv2.k8s.aws", "", "extensions", "networking.k8s.io"]
   resources: [targetgroupbindings/status, pods/status, services/status, ingresses/status]
   verbs: [update, patch]

diff --git a/stable/aws-load-balancer-controller/values.yaml b/stable/aws-load-balancer-controller/values.yaml
@@ -6,7 +6,7 @@ replicaCount: 2
 
 image:
   repository: 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller
-  tag: v2.4.0
+  tag: v2.4.1
   pullPolicy: IfNotPresent
 
 imagePullSecrets: []
@@ -266,3 +266,12 @@ serviceMonitor:
   additionalLabels: {}
   # Prometheus scrape interval
   interval: 1m
+
+# clusterSecretsPermissions lets you configure RBAC permissions for secret resources
+# Access to secrets resource is required only if you use the OIDC feature, and instead of
+# enabling access to all secrets, we recommend configuring namespaced role/rolebinding.
+# This option is for backwards compatibility only, and will potentially be deprecated in future.
+clusterSecretsPermissions:
+  # allowAllSecrets allows the controller to access all secrets in the cluster.
+  # This is to get backwards compatible behavior, but *NOT* recommended for security reasons
+  allowAllSecrets: false