From ada34ebbc6d1be0d9213aa37036c33f0df9ca8d0 Mon Sep 17 00:00:00 2001 From: Rob Mason Date: Thu, 21 Oct 2021 19:03:01 +0100 Subject: [PATCH 1/2] Wrap all RBAC resources in a conditional based on values.rbac.create Signed-off-by: Rob Mason --- cmd/build/helmify/main.go | 16 ++++++++++++++++ .../static/templates/namespace-post-install.yaml | 5 ++++- .../static/templates/upgrade-crds-hook.yaml | 4 ++++ cmd/build/helmify/static/values.yaml | 2 ++ .../gatekeeper-manager-role-clusterrole.yaml | 2 ++ .../templates/gatekeeper-manager-role-role.yaml | 2 ++ ...r-manager-rolebinding-clusterrolebinding.yaml | 2 ++ ...tekeeper-manager-rolebinding-rolebinding.yaml | 2 ++ .../templates/namespace-post-install.yaml | 5 ++++- .../gatekeeper/templates/upgrade-crds-hook.yaml | 4 ++++ manifest_staging/charts/gatekeeper/values.yaml | 2 ++ 11 files changed, 44 insertions(+), 2 deletions(-) diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go index e23703d4df6..f586dad80bb 100644 --- a/cmd/build/helmify/main.go +++ b/cmd/build/helmify/main.go @@ -23,6 +23,18 @@ var nameRegex = regexp.MustCompile(`(?m)^ name:[\s]+([\S]+)[\s]*$`) const DeploymentKind = "Deployment" +func isRbacKind(str string) bool { + rbacKinds := [4]string{"Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding"} + result := false + for _, x := range rbacKinds { + if x == str { + result = true + break + } + } + return result +} + func extractKind(s string) (string, error) { matches := kindRegex.FindStringSubmatch(s) if len(matches) != 2 { 
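Review bot: isRbacKind's result-flag-and-break loop over a fixed `[4]string` is a set-membership test written by hand; a `switch` with a multi-value case expresses the same four kinds without the array or the `result` variable, and it is what a Go reader expects for a small constant set. The new function also has no doc comment, and Go's initialism convention would spell it `isRBACKind` (the rename touches the call added in the Write() hunk, the only caller visible in this patch). Nothing in the patch exercises the helper; a table test over the four kinds plus one non-RBAC kind such as `"Deployment"` would pin the gating behaviour the templates now depend on.
```go
// isRBACKind reports whether kind is one of the RBAC object kinds that the
// generated templates wrap in a `.Values.rbac.create` conditional.
func isRBACKind(kind string) bool {
	switch kind {
	case "Role", "ClusterRole", "RoleBinding", "ClusterRoleBinding":
		return true
	}
	return false
}
```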
@@ -117,6 +129,10 @@ func (ks *kindSet) Write() error { obj = strings.Replace(obj, " labels:", " labels:\n{{- include \"gatekeeper.podLabels\" . }}", 1) } + if isRbacKind(kind) { + obj = "{{- if .Values.rbac.create }}\n" + obj + "{{- end }}\n" + } + if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" { obj = strings.Replace(obj, "apiVersion: policy/v1beta1", "{{- if .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" }}\napiVersion: policy/v1\n{{ else }}\napiVersion: policy/v1beta1\n{{ end -}}", 1) } diff --git a/cmd/build/helmify/static/templates/namespace-post-install.yaml b/cmd/build/helmify/static/templates/namespace-post-install.yaml index b2388d5b1dd..41dabefd08a 100644 --- a/cmd/build/helmify/static/templates/namespace-post-install.yaml +++ b/cmd/build/helmify/static/templates/namespace-post-install.yaml @@ -60,6 +60,7 @@ metadata: "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -82,7 +83,9 @@ rules: - patch resourceNames: - {{ .Release.Namespace }} +{{- end }} --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -102,5 +105,5 @@ subjects: - kind: ServiceAccount name: gatekeeper-update-namespace-label namespace: {{ .Release.Namespace | quote }} - +{{- end }} {{- end }} diff --git a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml index 78fcaf81cd2..f8a7c81fdc3 100644 --- a/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml +++ b/cmd/build/helmify/static/templates/upgrade-crds-hook.yaml @@ -1,4 +1,5 @@ {{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: 
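Review bot: With `rbac.create: false` the Role and RoleBinding wrapped in these hunks disappear, but the hooked resource whose annotations precede the first `{{- if .Values.rbac.create }}` and the binding's subject, ServiceAccount `gatekeeper-update-namespace-label`, are not gated, so the post-install hook still runs and can only succeed when an equivalent Role and RoleBinding already exist in the release namespace; nothing in the chart states that contract. The same applies to the upgrade-crds hook, whose ClusterRole `gatekeeper-admin-upgrade-crds` and ClusterRoleBinding are gated while the hook and its ServiceAccount remain, and to the manifest_staging copies of both templates. A template comment above the first conditional would make the expectation explicit, for example `{{- /* rbac.create=false assumes an equivalent Role bound to this ServiceAccount is managed outside the chart; the hook still renders. */ -}}`, and the new `rbac.create` entry in values.yaml could carry the same sentence as a `#` comment so the operator sees it before disabling the option.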
@@ -14,7 +15,9 @@ rules: - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "create", "update", "patch"] +{{- end }} --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -34,6 +37,7 @@ roleRef: kind: ClusterRole name: gatekeeper-admin-upgrade-crds apiGroup: rbac.authorization.k8s.io +{{- end }} --- apiVersion: v1 kind: ServiceAccount diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index a6ab8fd3b43..69c6fe4c124 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -89,3 +89,5 @@ psp: enabled: true upgradeCRDs: enabled: true +rbac: + create: true diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml index b148acb07bf..ea069c0b27b 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-clusterrole.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -163,3 +164,4 @@ rules: - patch - update - watch +{{- end }} diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml index 73e2c5cf701..25b2e702f37 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-role-role.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -30,3 +31,4 @@ rules: - patch - update - watch +{{- end }} 
diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml index 22194d2ad25..1fb9f6c87a5 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -16,3 +17,4 @@ subjects: - kind: ServiceAccount name: gatekeeper-admin namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml index 4bf6087dcec..fbe9580d57f 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -1,3 +1,4 @@ +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -17,3 +18,4 @@ subjects: - kind: ServiceAccount name: gatekeeper-admin namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml index b2388d5b1dd..41dabefd08a 100644 --- a/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml +++ b/manifest_staging/charts/gatekeeper/templates/namespace-post-install.yaml @@ -60,6 +60,7 @@ metadata: "helm.sh/hook-weight": "-5" "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -82,7 +83,9 @@ rules: - patch resourceNames: - {{ .Release.Namespace }} +{{- end }} --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -102,5 +105,5 @@ subjects: - kind: ServiceAccount name: gatekeeper-update-namespace-label namespace: {{ .Release.Namespace | quote }} - +{{- end }} {{- end }} diff --git a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml index 78fcaf81cd2..f8a7c81fdc3 100644 --- a/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml +++ b/manifest_staging/charts/gatekeeper/templates/upgrade-crds-hook.yaml @@ -1,4 +1,5 @@ {{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -14,7 +15,9 @@ rules: - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "create", "update", "patch"] +{{- end }} --- +{{- if .Values.rbac.create }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -34,6 +37,7 @@ roleRef: kind: ClusterRole name: gatekeeper-admin-upgrade-crds apiGroup: rbac.authorization.k8s.io +{{- end }} --- apiVersion: v1 kind: ServiceAccount diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index a6ab8fd3b43..69c6fe4c124 100644 --- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -89,3 +89,5 @@ psp: enabled: true upgradeCRDs: enabled: true +rbac: + create: true From 99a1f6d69918e4bbaccef8630a9e28782dcd000e Mon Sep 17 00:00:00 2001 From: Rob Mason Date: Sun, 31 Oct 2021 23:03:17 +0000 Subject: [PATCH 2/2] Update helmify README.md to reflect new rbac.create option 
Signed-off-by: Rob Mason --- cmd/build/helmify/static/README.md | 5 +++-- manifest_staging/charts/gatekeeper/README.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/cmd/build/helmify/static/README.md b/cmd/build/helmify/static/README.md index 5a3cfb93702..041ab22f000 100644 --- a/cmd/build/helmify/static/README.md +++ b/cmd/build/helmify/static/README.md @@ -65,8 +65,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | Parameter | Description | Default | | :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | -| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0-beta.2` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0-beta.2` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | psp.enabled | Enabled PodSecurityPolicy | `true` | @@ -115,6 +115,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | | service.type | Service type | `ClusterIP` | | service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| rbac.create | Enable the creation of RBAC resources | `true` | ## Contributing Changes 
diff --git a/manifest_staging/charts/gatekeeper/README.md b/manifest_staging/charts/gatekeeper/README.md index 5a3cfb93702..041ab22f000 100644 --- a/manifest_staging/charts/gatekeeper/README.md +++ b/manifest_staging/charts/gatekeeper/README.md @@ -65,8 +65,8 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | Parameter | Description | Default | | :------------------------------------------- | :------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | | postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | -| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0-beta.2` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.7.0-beta.2` | | postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | | postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | | psp.enabled | Enabled PodSecurityPolicy | `true` | @@ -115,6 +115,7 @@ _See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/websi | pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | | service.type | Service type | `ClusterIP` | | service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| rbac.create | Enable the creation of RBAC resources | `true` | ## Contributing Changes