From ff038bb39c371e687fb1e07fea1fe16bf978f7e2 Mon Sep 17 00:00:00 2001
From: Mathieu Parent
Date: Tue, 9 Apr 2024 09:39:22 +0200
Subject: [PATCH] feat: readonly console
---
 .../templates/console-clusterrole.yaml | 64 +++++++++++++++----
 helm/operator/values.yaml | 29 +++++----
 2 files changed, 68 insertions(+), 25 deletions(-)
diff --git a/helm/operator/templates/console-clusterrole.yaml b/helm/operator/templates/console-clusterrole.yaml
index e6d1c467e99..6b15f99904b 100644
--- a/helm/operator/templates/console-clusterrole.yaml
+++ b/helm/operator/templates/console-clusterrole.yaml
@@ -10,13 +10,15 @@ rules:
 - secrets
 verbs:
 - get
+ - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
- - list
 - patch
 - update
 - delete
 - deletecollection
+ {{- end }}
 - apiGroups:
 - ""
 resources:
@@ -27,42 +29,50 @@ rules:
 - nodes
 verbs:
 - get
+ - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
- - list
 - patch
+ {{- end }}
 - apiGroups:
 - ""
 resources:
 - pods
 verbs:
 - get
+ - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
- - list
 - patch
 - delete
 - deletecollection
+ {{- end }}
 - apiGroups:
 - ""
 resources:
 - persistentvolumeclaims
 verbs:
- - deletecollection
- - list
 - get
+ - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - update
+ - deletecollection
+ {{- end }}
 - apiGroups:
 - storage.k8s.io
 resources:
 - storageclasses
 verbs:
 - get
+ - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
- - list
 - patch
+ {{- end }}
 - apiGroups:
 - apps
 resources:
@@ -70,24 +80,28 @@ rules:
 - deployments
 verbs:
 - get
- - create
 - list
- - patch
 - watch
+ {{- if not .Values.console.readOnly }}
+ - create
+ - patch
 - update
 - delete
+ {{- end }}
 - apiGroups:
 - batch
 resources:
 - jobs
 verbs:
 - get
- - create
 - list
- - patch
 - watch
+ {{- if not .Values.console.readOnly }}
+ - create
+ - patch
 - update
 - delete
+ {{- end }}
 - apiGroups:
 - certificates.k8s.io
 resources:
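Review bot: In the first hunk (`@@ -10,13 +10,15 @@`) `readOnly: true` still leaves `get`, `list` and `watch` on `secrets` in the unconditional part of the rule, so a read-only console can still read the contents of every Secret this role reaches, and the template name indicates a ClusterRole, so that is cluster-wide unless the binding (not in this patch) narrows it. That matches the stated intent of forbidding writes, but it should be said explicitly so nobody reads "readonly" as "low privilege"; a template comment above the rule such as `{{- /* readOnly removes only the write verbs; get/list/watch on secrets remain in both modes */ }}` would do, and the `readOnly` description added to values.yaml in the last hunk of the patch should carry the same sentence. The `nodes`, `pods` and `persistentvolumeclaims` rules in the second hunk follow the same pattern, with their read verbs likewise unconditional.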
@@ -95,11 +109,13 @@ rules:
 - certificatesigningrequests/approval
 - certificatesigningrequests/status
 verbs:
+ - get
+ - list
+ {{- if not .Values.console.readOnly }}
 - update
 - create
- - get
 - delete
- - list
+ {{- end }}
 - apiGroups:
 - minio.min.io
 resources:
@@ -111,7 +127,13 @@ rules:
 resources:
 - '*'
 verbs:
+ {{- if not .Values.console.readOnly }}
+ - get
+ - list
+ - watch
+ {{- else }}
 - '*'
+ {{- end }}
 - apiGroups:
 - ""
 resources:
@@ -120,8 +142,10 @@ rules:
 - get
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
 - delete
+ {{- end }}
 - apiGroups:
 - ""
 resources:
@@ -130,17 +154,21 @@ rules:
 - get
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - update
+ {{- end }}
 - apiGroups:
 - ""
 resources:
 - events
 verbs:
- - create
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
+ - create
 - update
 - patch
+ {{- end }}
 - apiGroups:
 - snapshot.storage.k8s.io
 resources:
@@ -179,9 +207,11 @@ rules:
 - get
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
 - update
 - delete
+ {{- end }}
 - apiGroups:
 - coordination.k8s.io
 resources:
@@ -190,9 +220,11 @@ rules:
 - get
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
 - update
 - delete
+ {{- end }}
 - apiGroups:
 - direct.csi.min.io
 resources:
@@ -201,9 +233,11 @@ rules:
 - get
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
 - update
 - delete
+ {{- end }}
 - apiGroups:
 - apiextensions.k8s.io
 resources:
@@ -212,9 +246,11 @@ rules:
 - get
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
 - update
 - delete
+ {{- end }}
 - apiGroups:
 - direct.csi.min.io
 resources:
@@ -224,9 +260,11 @@ rules:
 - get
 - list
 - watch
+ {{- if not .Values.console.readOnly }}
 - create
 - update
 - delete
+ {{- end }}
 - apiGroups:
 - ""
 resources:
diff --git a/helm/operator/values.yaml b/helm/operator/values.yaml
index 614b9fb48aa..5ce42c1bb86 100644
--- a/helm/operator/values.yaml
+++ b/helm/operator/values.yaml
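Review bot: The condition in the `@@ -111,7 +127,13 @@` hunk is inverted relative to every other hunk in this file: `{{- if not .Values.console.readOnly }}` now guards the read verbs, so with `readOnly: false` the rule shrinks to `get`/`list`/`watch`, while with `readOnly: true` — the mode meant to forbid writes — the `{{- else }}` branch keeps `'*'` on the `'*'` resources, the broadest grant in this ClusterRole. The fix is the one line `{{- if .Values.console.readOnly }}`, which puts the three read verbs in the read-only branch and leaves `'*'` in the else branch as before. The `apiGroups` entry for this rule sits above the hunk, so which API group the wildcard covers is not visible here. A chart test that renders with `console.readOnly=true` and asserts that no rule retains `'*'` verbs would catch this class of mistake in future edits.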
@@ -4,7 +4,7 @@ operator:
 ###
 # An array of environment variables to pass to the Operator deployment.
 # Pass an empty array to start Operator with defaults.
- #
+ #
 # For example:
 #
 # .. code-block:: yaml
@@ -21,7 +21,7 @@ operator:
 # - name: WATCHED_NAMESPACE
 # value: ""
 # - name: MINIO_OPERATOR_RUNTIME
- # value: "OpenShift"
+ # value: "OpenShift"
 #
 # See `Operator environment variables `__ for a list of all supported values.
 # If MINIO_CONSOLE_TLS_ENABLE is enabled, utilize port 9443 for console.ingress.number.
@@ -34,19 +34,19 @@ operator:
 serviceAccountAnnotations: []
 ###
 # Specify the Operator container image to use for the deployment.
- # ``image.tag``
+ # ``image.tag``
 # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.14 tag.
 # The container pulls the image if not already present:
 #
 # .. code-block:: yaml
- #
+ #
 # image:
 # repository: quay.io/minio/operator
 # tag: v5.0.14
 # pullPolicy: IfNotPresent
 #
 # The chart also supports specifying an image based on digest value:
- #
+ #
 # .. code-block:: yaml
 #
 # image:
@@ -102,7 +102,7 @@ operator:
 volumes: [ ]
 ###
 # An array of volume mount points associated to each Operator container.
- #
+ #
 # Specify each item in the array as follows:
 #
 # .. code-block:: yaml
@@ -152,7 +152,7 @@ operator:
 # These settings determine the distribution of pods across worker nodes.
 topologySpreadConstraints: [ ]
 ###
- #
+ #
 # The `Requests or Limits `__ for resources to associate to Operator pods.
 #
 # These settings can control the minimum and maximum resources requested for each pod.
@@ -173,19 +173,19 @@ console:
 enabled: true
 ###
 # Specify the Operator Console container image to use for the deployment.
- # ``image.tag``
+ # ``image.tag``
 # For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.14 tag.
 # The container pulls the image if not already present:
 #
 # .. code-block:: yaml
- #
+ #
 # image:
 # repository: quay.io/minio/operator
 # tag: v5.0.14
 # pullPolicy: IfNotPresent
 #
 # The chart also supports specifying an image based on digest value:
- #
+ #
 # .. code-block:: yaml
 #
 # image:
@@ -257,7 +257,7 @@ console:
 # These settings determine the distribution of pods across worker nodes.
 topologySpreadConstraints: [ ]
 ###
- #
+ #
 # The `Requests or Limits `__ for resources to associate to Operator Console pods.
 #
 # These settings can control the minimum and maximum resources requested for each pod.
@@ -279,6 +279,11 @@ console:
 containerSecurityContext:
 runAsUser: 1000
 runAsNonRoot: true
+
+ ###
+ # Forbid write permissions
+ readOnly: false
+
 ###
 # Configures `Ingress `__ for the Operator Console.
 #
@@ -304,7 +309,7 @@ console:
 emptyDir: {}
 ###
 # An array of volume mount points associated to each Operator Console container.
- #
+ #
 # Specify each item in the array as follows:
 #
 # .. code-block:: yaml