From c718b765fdcaa4977f956e0c9fcef0ba180318e8 Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Tue, 9 Apr 2024 17:01:22 +0200 Subject: [PATCH] rbac: Add back some necessary rights Signed-off-by: Jirka Kremser --- keda/templates/manager/clusterrole.yaml | 29 +---- keda/templates/manager/deployment.yaml | 3 + keda/templates/manager/minimal-rbac.yaml | 119 ++++++++++++++++++ keda/templates/manager/role.yaml | 58 --------- keda/templates/webhooks/clusterrole.yaml | 4 + .../webhooks/clusterrolebindings.yaml | 28 ----- keda/values.yaml | 2 + 7 files changed, 134 insertions(+), 109 deletions(-) create mode 100644 keda/templates/manager/minimal-rbac.yaml delete mode 100644 keda/templates/manager/role.yaml diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml index 90875428..9619ad6e 100644 --- a/keda/templates/manager/clusterrole.yaml +++ b/keda/templates/manager/clusterrole.yaml @@ -36,10 +36,15 @@ rules: resources: - secrets verbs: - - get - list - watch {{- with .Values.permissions.operator.restrict.namesAllowList }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get resourceNames: {{ toYaml . | nindent 4 }} {{- end }} {{- end }} @@ -72,28 +77,6 @@ rules: {{- end }} {{- end }} {{- end }} -{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - patch - - update - - watch -{{- end }} - apiGroups: - apps resources: diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml index dbdb1849..52771cda 100644 --- a/keda/templates/manager/deployment.yaml +++ b/keda/templates/manager/deployment.yaml 
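Review bot: Moving `get` on secrets under `resourceNames` does not narrow what the operator can read, because the rule just above it in the same hunk still grants unrestricted `list` and `watch` on secrets, and a list response carries the full secret objects; `resourceNames` cannot constrain a list request at all, since no name is known at authorization time. If `namesAllowList` is meant as a hardening knob, `list`/`watch` would have to move under the same allow-list condition (or be replaced by per-name reads), otherwise the limitation should be recorded next to the rule, e.g. `# NOTE: resourceNames only constrains get; list/watch still expose every secret in scope`. The `{{- if` that encloses this rule begins before the hunk, so whether the whole rule is itself gated is not visible here.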
@@ -85,6 +85,9 @@ spec: - "--zap-log-level={{ .Values.logging.operator.level }}" - "--zap-encoder={{ .Values.logging.operator.format }}" - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}" + {{- if .Values.logging.operator.stackTracesEnabled }} + - "--zap-stacktrace-level=error" + {{- end }} - "--cert-dir={{ .Values.certificates.mountPath }}" - "--enable-cert-rotation={{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}" - "--cert-secret-name={{ .Values.certificates.secretName }}" diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml new file mode 100644 index 00000000..d96f849f --- /dev/null +++ b/keda/templates/manager/minimal-rbac.yaml 
@@ -0,0 +1,119 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-certs + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-certs + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' +{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - 'get' + resourceNames: + - {{ .Values.certificates.secretName | quote }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - 'create' +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-certs + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-certs + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Values.operator.name }}-certs +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-minimal-cluster-role + {{- include "keda.labels" . 
| indent 4 }} + name: {{ .Values.operator.name }}-minimal-cluster-role +rules: +- apiGroups: + - keda.sh + resources: + - clustertriggerauthentications + verbs: + - '*' +{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - update + - watch +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-minimal + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-minimal +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.operator.name }}-minimal-cluster-role +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml deleted file mode 100644 index f1bcc4ff..00000000 --- a/keda/templates/manager/role.yaml +++ /dev/null 
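Review bot: The new ClusterRole `-minimal-cluster-role` grants `patch`/`update` on every `validatingwebhookconfigurations` and `apiservices` object in the cluster, while cert rotation presumably only needs to write the CA bundle into KEDA's own webhook configuration and APIService; if the chart knows those names (they are not visible in this diff) they should be pinned with `resourceNames`, which is honored for get/patch/update. The `'*'` verb on `clustertriggerauthentications` likewise includes `deletecollection`; listing the verbs the operator actually uses would keep the "minimal" in the file name honest. A small inconsistency: the ClusterRoleBinding is labelled `-minimal` while the ClusterRole it binds is labelled `-minimal-cluster-role`, whereas the Role/RoleBinding pair in the same file share the `-certs` label. That Role/RoleBinding pair is moved verbatim from the deleted role.yaml, so only the two cluster-scoped objects are new here.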
@@ -1,58 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }}-certs - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }}-certs - namespace: {{ .Release.Namespace }} -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - '*' -{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} -- apiGroups: - - "" - resources: - - secrets - verbs: - - 'get' - resourceNames: - - {{ .Values.certificates.secretName | quote }} -- apiGroups: - - "" - resources: - - secrets - verbs: - - 'create' -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }}-certs - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }}-certs - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Values.operator.name }}-certs -subjects: -- kind: ServiceAccount - name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/keda/templates/webhooks/clusterrole.yaml b/keda/templates/webhooks/clusterrole.yaml index 65fd0c42..26a091b9 100644 --- a/keda/templates/webhooks/clusterrole.yaml +++ b/keda/templates/webhooks/clusterrole.yaml @@ -17,12 +17,14 @@ rules: - horizontalpodautoscalers verbs: - list + - watch - apiGroups: - keda.sh resources: - scaledobjects verbs: - list + - watch - apiGroups: - apps resources: @@ -30,6 +32,8 @@ rules: - statefulsets verbs: - get + - list + - watch - apiGroups: - "" resources: 
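Review bot: The `list`/`watch` verbs added for deployments and statefulsets (second hunk) and the `watch` added for horizontalpodautoscalers and scaledobjects land in an unconditional ClusterRole with no explanation of why the webhook needs them; `watch` only makes sense for a cached, informer-backed client, which is an inference from the verb set rather than something this diff shows. A short comment above the affected rules would record the reason, e.g. `# list/watch: the webhook reads these objects through a cached client, which needs list+watch to sync — confirm against the webhook code`. The `rules:` list these hunks belong to starts before the first hunk.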
diff --git a/keda/templates/webhooks/clusterrolebindings.yaml b/keda/templates/webhooks/clusterrolebindings.yaml index a10c2cc1..4c30a94a 100644 --- a/keda/templates/webhooks/clusterrolebindings.yaml +++ b/keda/templates/webhooks/clusterrolebindings.yaml @@ -1,5 +1,4 @@ {{- if .Values.rbac.create }} -{{- if not .Values.watchNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -19,31 +18,4 @@ subjects: - kind: ServiceAccount name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} -{{- else }} - {{- range ( split "," .Values.watchNamespace ) }} ---- -# Role binding for namespace '{{ . }}' -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - {{- with $.Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ $.Values.operator.name }} - {{- include "keda.labels" $ | indent 4 }} - name: {{ $.Values.operator.name }} - namespace: {{ . | trim }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $.Values.operator.name }}-webhook -subjects: -- kind: ServiceAccount - name: {{ ($.Values.serviceAccount.webhooks).name | default $.Values.serviceAccount.name }} - namespace: {{ $.Release.Namespace }} ---- - {{- end }} -{{- end }} {{- end }} diff --git a/keda/values.yaml b/keda/values.yaml index a2a38249..b9e377b6 100644 --- a/keda/values.yaml +++ b/keda/values.yaml @@ -382,6 +382,8 @@ logging: # -- Logging time encoding for KEDA Operator. # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` timeEncoding: rfc3339 + # -- If enabled, the stack traces will be also printed + stackTracesEnabled: false metricServer: # -- Logging level for Metrics Server. # allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string
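Review bot: Dropping the `watchNamespace` branch means the webhook service account is now always bound cluster-wide through the ClusterRoleBinding, even for installs that set `watchNamespace` to confine KEDA to specific namespaces, and neither the template nor the commit message says this is intended. If the reason is that admission requests arrive for objects in every namespace regardless of `watchNamespace`, a comment above the binding would make the widened scope deliberate, e.g. `# Always a ClusterRoleBinding: the webhook validates objects from any namespace, independent of watchNamespace`. Installs that relied on the per-namespace RoleBindings get a silent privilege increase on upgrade, which is worth calling out in the chart's release notes.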
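Review bot: The comment on the new `stackTracesEnabled` value does not say what the flag actually does: in the deployment template it sets `--zap-stacktrace-level=error`, so stack traces are attached only to error-level (and above) entries, not to every log line. Suggest `# -- If enabled, stack traces are appended to log entries at level error and above (sets --zap-stacktrace-level=error)`. Keeping the default at `false` is the right choice, since stack traces put build paths and internal call chains into log output that is often shipped to shared logging backends.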