

Add correct permissions for monitoring service and make its creation …
…optional (#42)

* fix monitoring errors and make creation optional

* fix role

* fix typos

* implement changes

Co-authored-by: Henning <[email protected]>
YannikBramkamp and hensur authored Jul 28, 2021
1 parent cfd61d1 commit fc4e64e
Showing 8 changed files with 147 additions and 2 deletions.
20 changes: 20 additions & 0 deletions Makefile
Expand Up @@ -11,6 +11,16 @@ install: ## Install all resources (RBAC and Operator)
@echo ....... Applying Operator .......
kubectl apply -f deploy/operator.yaml -n ${NAMESPACE}

.PHONY: installwithmonitoring
installwithmonitoring: ## Install all resources (RBAC and Operator) with monitoring role
@echo ....... Applying Rules and Service Account .......
kubectl apply -f deploy/role_with_service_permissions.yaml -n ${NAMESPACE}
kubectl apply -f deploy/role_binding.yaml -n ${NAMESPACE}
kubectl apply -f deploy/service_account.yaml -n ${NAMESPACE}
@echo ....... Applying Operator .......
kubectl apply -f deploy/operator.yaml -n ${NAMESPACE}


.PHONY: uninstall
uninstall: ## Uninstall all that all performed in the $ make install
@echo ....... Uninstalling .......
Expand All @@ -21,6 +31,16 @@ uninstall: ## Uninstall all that all performed in the $ make install
@echo ....... Deleting Operator .......
kubectl delete -f deploy/operator.yaml -n ${NAMESPACE}

.PHONY: uninstallwithmonitoring
uninstallwithmonitoring: ## Uninstall all that all performed in the $ make installwithmonitoring
@echo ....... Uninstalling .......
@echo ....... Deleting Rules and Service Account .......
kubectl delete -f deploy/role_with_service_permissions.yaml -n ${NAMESPACE}
kubectl delete -f deploy/role_binding.yaml -n ${NAMESPACE}
kubectl delete -f deploy/service_account.yaml -n ${NAMESPACE}
@echo ....... Deleting Operator .......
kubectl delete -f deploy/operator.yaml -n ${NAMESPACE}

.PHONY: test
test: kind
@echo go test
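Review bot: `installwithmonitoring` applies the broader Role but then deploys the unchanged `deploy/operator.yaml`, which this same commit pins to `USE_METRICS_SERVICE` = `"false"` (deploy/operator.yaml hunk), so the operator still skips `addMetrics` and the extra `apps` get / `services` create permissions sit granted but unused unless the manifest is hand-edited. Either ship a second operator manifest with the value set to `"true"`, or have the target flip it after the apply, e.g. `kubectl set env deployment/<operator-deployment> USE_METRICS_SERVICE=true -n ${NAMESPACE}` (the Deployment name is not visible here). The doubled blank line after the new target's last `kubectl apply` should be a single one, and `uninstallwithmonitoring` inherits the "all that all performed" wording from the `uninstall` help text that this hunk could have fixed while copying it.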
2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -19,6 +19,8 @@ You might want to take a look a the [values.yaml](deploy/helm-chart/kubernetes-s

- `watchNamespace` defines, which namespaces should be watched for secret objects.

- `useMetricsService` toggles whether the operator should provide a service for metrics monitoring by Prometheus. If this is set to true, the operator will start with additional permissions, namely `get` permissions for `replicasets` and `deployments` in the apiGroup `apps`, as well as `create` permissions for `services` and create the needed services during startup.

To watch a single namespace, set it to the desired namespace name.
Multiple namespaces are supported and can be set as a comma-separated list: `ns1,ns2`.

7 changes: 5 additions & 2 deletions cmd/manager/main.go
Expand Up @@ -65,6 +65,7 @@ func main() {
pflag.String("secret-length", "40", "Secret length")
pflag.Int("ssh-key-length", 2048, "Default length of SSH Keys")
pflag.String("secret-encoding", "base64", "Encoding for secrets")
pflag.Bool("use-metrics-service", false, "Whether or not to use metrics service")
pflag.Parse()

// Import flags into viper and bind them to env vars
Expand Down Expand Up @@ -177,8 +178,10 @@ func main() {
os.Exit(1)
}

// Add the Metrics Service
addMetrics(ctx, cfg)
if viper.GetBool("use-metrics-service") {
// Add the Metrics Service
addMetrics(ctx, cfg)
}

log.Info("Starting the Cmd.")
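Review bot: When `use-metrics-service` is false the new `if` is silent, so an operator that never appears in Prometheus leaves no trace of why; an else branch with `log.Info("Metrics service disabled; start with --use-metrics-service to create it")` makes the opt-in visible in the logs at the point where the old unconditional `addMetrics` call used to run. The manifests in this commit set the value through the `USE_METRICS_SERVICE` environment variable, so the gate relies on the flag-to-env binding referenced by the `// Import flags into viper and bind them to env vars` comment mapping `-` to `_`; that presumably already holds for `secret-length` and friends, but it is worth confirming, because `viper.GetBool` on an unbound key returns false without any error. Both hunks sit inside `main`, which begins and ends outside them.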

Expand Up @@ -56,6 +56,8 @@ spec:
value: {{ .Values.regenerateInsecure | quote }}
- name: SECRET_LENGTH
value: {{ .Values.secretLength | quote }}
- name: USE_METRICS_SERVICE
value: {{ .Values.useMetricsService | quote }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.nodeSelector }}
58 changes: 58 additions & 0 deletions deploy/helm-chart/kubernetes-secret-generator/templates/role.yaml
@@ -1,4 +1,61 @@
{{- if .Values.rbac.create -}}
{{- if .Values.useMetricsService -}}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: "mittwald:{{ include "kubernetes-secret-generator.serviceAccountName" . }}"
labels:
{{ include "kubernetes-secret-generator.labels" . | nindent 4 }}
rules:
# leader election
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- apiGroups:
- "apps"
resources:
- deployments
- replicasets
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- "get"
- "create"
{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }}
# Permissions to access secrets in this namespace if no cluster role is created.
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- update
{{- end -}}
{{- else -}}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Expand Down Expand Up @@ -42,3 +99,4 @@ rules:
- update
{{- end -}}
{{- end -}}
{{- end -}}
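Review bot: The `useMetricsService` branch copies the entire base Role (the `kind: Role` block from line 114 down to the secrets rule) instead of appending the two new rules to it, so the two copies will drift — the nested `{{- if and .Values.rbac.create (not .Values.rbac.clusterRole) }}` already re-tests `rbac.create` inside the outer `if .Values.rbac.create` that wraps the whole file. A single Role whose `apps` get and `services` create rules are wrapped in `{{- if .Values.useMetricsService }}` keeps one source of truth; this assumes the base Role in the `else` branch, which the hunk cuts off at `metadata:`, already carries the configmaps, pods and servicemonitors rules, so confirm that before merging them. Separately, `services` gets `create` only, so the operator can create its metrics Service but never read, update or delete it; if that is intended, a comment on the rule saying cleanup is left to the owner reference or the user would spare the next reader the question.
```yaml
{{- if .Values.rbac.create -}}
kind: Role
# ... unchanged: apiVersion, metadata ...
rules:
  # ... unchanged: the rules the base Role already carries ...
  {{- if .Values.useMetricsService }}
  # Extra permissions for the Prometheus metrics Service (README: useMetricsService)
  - apiGroups:
      - "apps"
    resources:
      - deployments
      - replicasets
    verbs:
      - get
  - apiGroups:
      - ""
    resources:
      - services
    verbs:
      - create
  {{- end }}
  {{- if not .Values.rbac.clusterRole }}
  # ... unchanged: secrets rule for the namespaced case ...
  {{- end -}}
{{- end -}}
```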
3 changes: 3 additions & 0 deletions deploy/helm-chart/kubernetes-secret-generator/values.yaml
Expand Up @@ -55,6 +55,8 @@ secretLength: 40
# Accessing secrets in namespaces other than the deployed one requires permissions via a cluster role (on by default)
watchNamespace: ""

useMetricsService: false

# RBAC parameteres
# https://kubernetes.io/docs/reference/access-authn-authz/rbac/
rbac:
Expand All @@ -64,3 +66,4 @@ rbac:
# Set to false to restrict access to the deployed namespace only.
# ClusterRole is deployed by Default
clusterRole: true
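Review bot: `useMetricsService: false` is the only setting in this file without a comment, while its neighbours (`watchNamespace`, `rbac.clusterRole`) each explain their effect; add `# Create a Service for Prometheus metrics. Also grants the operator get on deployments/replicasets and create on services (see README).` above it so the permission side effect is visible where the switch is flipped. The second hunk appears to add only a trailing blank line after `clusterRole: true`, which is noise worth dropping.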

2 changes: 2 additions & 0 deletions deploy/operator.yaml
Expand Up @@ -50,3 +50,5 @@ spec:
value: "true"
- name: SECRET_LENGTH
value: "40"
- name: USE_METRICS_SERVICE
value: "false"
55 changes: 55 additions & 0 deletions deploy/role_with_service_permissions.yaml
@@ -0,0 +1,55 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-secret-generator
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- delete
- get
- apiGroups:
- "apps"
resources:
- deployments
- replicasets
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- create
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
- get
- apiGroups:
- monitoring.coreos.com
resources:
- servicemonitors
verbs:
- "get"
- "create"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kubernetes-secret-generator
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- update
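Review bot: The new file carries no header explaining how it relates to `deploy/role.yaml`; `make installwithmonitoring` applies it where `install` presumably applies `role.yaml`, and if both define a Role and ClusterRole named `kubernetes-secret-generator` in the same namespace, whichever is applied last silently replaces the other. A top-of-file comment such as `# Same RBAC as role.yaml plus what the metrics Service needs (get on apps deployments/replicasets, create on services). Applied by 'make installwithmonitoring' instead of role.yaml, not alongside it.` states that relationship once. The `services` rule grants `create` only, so the operator can create the metrics Service but not read, update or delete it, which is worth either widening deliberately or documenting. The `servicemonitors` verbs are quoted (`"get"`, `"create"`) while every other verb in the file is bare — pick one form.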
