Make admin privileges configurable

Fix #82.

With this change, we stop granting the below permission to the
accurate controller.

```yaml
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
```

Also, we make the ClusterRole admin optional.
The Helm chart now takes optional ClusterRoles to be granted.

Makefile

@@ -10,6 +10,9 @@ SUDO = sudo
 SHELL = /bin/bash
 .SHELLFLAGS = -e -o pipefail -c
 
+PATH := $(shell aqua root-dir)/bin:$(PATH)"
+export PATH
+
 CRD_OPTIONS = "crd:crdVersions=v1,maxDescLen=220"
 
 # for Go

README.md

@@ -49,7 +49,11 @@ Run and try Accurate on a [kind (Kubernetes-In-Docker)][kind] cluster as follows
 
 3. Install [aqua][].
 
-    https://aquaproj.github.io/docs/tutorial-basics/quick-start
+    ```console
+    $ go install github.com/aquaproj/aqua/v2/cmd/aqua@latest
+    ```
+
+    cf. https://aquaproj.github.io/docs/install
  
 4. Go to `e2e` directory, setup shell variables, and execute `make start`.
 

charts/accurate/templates/additional-rbac.yaml

@@ -1,4 +1,4 @@
-{{ if .Values.controller.additionalRBAC.rules }}
+{{- if .Values.controller.additionalRBAC.rules }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -19,4 +19,21 @@ subjects:
     name: {{ template "accurate.fullname" . }}-controller-manager
     namespace: {{ .Release.Namespace }}
 ---
-{{ end }}
+{{- end }}
+{{- if .Values.controller.additionalRBAC.clusterRoles }}
+{{- range .Values.controller.additionalRBAC.clusterRoles }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "accurate.fullname" . }}-manager-{{ . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "accurate.fullname" . }}-controller-manager
+  namespace: {{ .Release.Namespace }}
+---
+{{- end }}
+{{- end }}

charts/accurate/templates/generated/generated.yaml

@@ -187,24 +187,6 @@ subjects:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/managed-by: '{{ .Release.Service }}'
-    app.kubernetes.io/name: '{{ include "accurate.name" . }}'
-    app.kubernetes.io/version: '{{ .Chart.AppVersion }}'
-    helm.sh/chart: '{{ include "accurate.chart" . }}'
-  name: '{{ template "accurate.fullname" . }}-manager-admin'
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-  - kind: ServiceAccount
-    name: '{{ template "accurate.fullname" . }}-controller-manager'
-    namespace: '{{ .Release.Namespace }}'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
 metadata:
   labels:
     app.kubernetes.io/managed-by: '{{ .Release.Service }}'

charts/accurate/values.yaml

@@ -102,3 +102,8 @@ controller:
           - update
           - patch
           - delete
+    # controller.additionalRBAC.clusterRoles -- Specify additional ClusterRoles to be granted
+    # to the accurate controller. "admin" is recommended to allow the controller to manage
+    # common namespace-scoped resources.
+    clusterRoles:
+    - admin

config/rbac/role_binding.yaml

@@ -10,16 +10,3 @@ subjects:
 - kind: ServiceAccount
   name: controller-manager
   namespace: system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: manager-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: admin
-subjects:
-- kind: ServiceAccount
-  name: controller-manager
-  namespace: system