
feat: ✨ migrate to endpointslices rbac
mloiseleur authored Jun 27, 2024
1 parent e43afd4 commit 0449b0b
Showing 5 changed files with 141 additions and 24 deletions.
6 changes: 3 additions & 3 deletions traefik/VALUES.md
Expand Up @@ -38,10 +38,10 @@ Kubernetes: `>=1.22.0-0`
| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) |
| deployment.additionalVolumes | list | `[]` | Additional volumes available for use with initContainers and additionalContainers |
| deployment.annotations | object | `{}` | Additional deployment annotations (e.g. for jaeger-operator sidecar injection) |
| deployment.dnsConfig | object | `{}` | Custom pod DNS policy. Apply if `hostNetwork: true` dnsPolicy: ClusterFirstWithHostNet |
| deployment.dnsConfig | object | `{}` | Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core) |
| deployment.enabled | bool | `true` | Enable deployment |
| deployment.hostAliases | list | `[]` | Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/) |
| deployment.imagePullSecrets | list | `[]` | Additional imagePullSecrets |
| deployment.imagePullSecrets | list | `[]` | Pull secret for fetching traefik container image |
| deployment.initContainers | list | `[]` | Additional initContainers (e.g. for setting file permission as shown below) |
| deployment.kind | string | `"Deployment"` | Deployment or DaemonSet |
| deployment.labels | object | `{}` | Additional deployment labels (e.g. for filtering deployment by custom labels) |
Expand Down Expand Up @@ -81,7 +81,7 @@ Kubernetes: `>=1.22.0-0`
| image.pullPolicy | string | `"IfNotPresent"` | Traefik image pull policy |
| image.registry | string | `"docker.io"` | Traefik image host registry |
| image.repository | string | `"traefik"` | Traefik image repository |
| image.tag | string | `""` | defaults to appVersion |
| image.tag | string | `nil` | defaults to appVersion |
| ingressClass | object | `{"enabled":true,"isDefaultClass":true}` | Create a default IngressClass for Traefik |
| ingressRoute.dashboard.annotations | object | `{}` | Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) |
| ingressRoute.dashboard.enabled | bool | `true` | Create an IngressRoute for the dashboard |
29 changes: 21 additions & 8 deletions traefik/templates/rbac/clusterrole.yaml
Expand Up @@ -24,6 +24,7 @@ rules:
- list
- watch
{{- if not .Values.rbac.namespaced }}
{{- if (semverCompare "<v3.1.0" (.Values.image.tag | default .Chart.AppVersion)) }}
- apiGroups:
- ""
resources:
Expand All @@ -33,6 +34,26 @@ rules:
- get
- list
- watch
{{- else }}
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
{{- if $.Values.hub.token }}
- get
{{- end }}
- list
- watch
{{- end }}
- apiGroups:
- ""
resources:
Expand Down Expand Up @@ -157,14 +178,6 @@ rules:
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- get
- watch
- apiGroups:
- coordination.k8s.io
resources:
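Review bot: The new gate `{{- if (semverCompare "<v3.1.0" (.Values.image.tag | default .Chart.AppVersion)) }}` hands the raw image tag to `semverCompare`, so a tag that is not parseable as a semver (a custom or mirrored build tagged `latest`, `experimental`, or similar) will most likely abort the render with a template error instead of falling back to one of the two rule sets; the previous template rendered regardless of tag. Consider documenting that constraint at the gate, e.g. `# RBAC shape follows the Traefik version: endpoints for < v3.1, endpointslices otherwise; image.tag must therefore be a semver tag.`, or validating the tag first and falling back to `.Chart.AppVersion` when it does not parse. As a style point, this hunk mixes `.Values.image.tag` on the gate line with `$.Values.hub.token` a few lines below, while the sibling role.yaml uses `$.Values` throughout; `$.Values.image.tag | default $.Chart.AppVersion` would keep the two templates aligned. The `rules:` list continues outside the hunk.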
29 changes: 21 additions & 8 deletions traefik/templates/rbac/role.yaml
Expand Up @@ -13,6 +13,7 @@ metadata:
labels:
{{- include "traefik.labels" $ | nindent 4 }}
rules:
{{- if (semverCompare "<v3.1.0" ($.Values.image.tag | default $.Chart.AppVersion)) }}
- apiGroups:
- ""
resources:
Expand All @@ -22,6 +23,26 @@ rules:
- get
- list
- watch
{{- else }}
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
{{- if $.Values.hub.token }}
- get
{{- end }}
- list
- watch
{{- end }}
# Required while https://github.com/traefik/traefik/issues/7097#issuecomment-1983581843
- apiGroups:
- ""
Expand Down Expand Up @@ -154,14 +175,6 @@ rules:
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- get
- watch
- apiGroups:
- coordination.k8s.io
resources:
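Review bot: The version gate `{{- if (semverCompare "<v3.1.0" ($.Values.image.tag | default $.Chart.AppVersion)) }}` ties the granted RBAC solely to the image tag string with no values-level override, so an operator running a custom or mirrored build whose tag does not follow Traefik's release numbering (the chart already exposes `image.registry` and `image.repository` for exactly that case) cannot choose the rule set explicitly and may end up with `endpoints` or `endpointslices` permissions that do not match the binary. An explicit knob under `rbac` that is consulted before the semver comparison would make the least-privilege choice deliberate rather than inferred from a string. It is also worth confirming how the comparison treats prerelease tags such as `v3.1.0-rc1`, since Sprig's semver constraint matching handles prerelease versions specially and the tests added in this commit only exercise `v3.0.1` and `v3.1.0`. The `rules:` list continues past the hunk.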
99 changes: 95 additions & 4 deletions traefik/tests/rbac-config_test.yaml
Expand Up @@ -639,6 +639,8 @@ tests:
- list
- watch
- it: should provide expected cluster rbac when k8s gw api is enabled
chart:
appVersion: v3.1.0
set:
experimental:
kubernetesGateway:
Expand Down Expand Up @@ -694,11 +696,21 @@ tests:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- template: rbac/clusterrole.yaml
contains:
path: rules
content:
apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- template: rbac/clusterrole.yaml
contains:
path: rules
Expand All @@ -725,6 +737,8 @@ tests:
- watch

- it: should provide expected role rbac when k8s gw api is enabled with rbac namespaced
chart:
appVersion: v3.1.0
set:
rbac:
namespaced: true
Expand Down Expand Up @@ -782,11 +796,21 @@ tests:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- template: rbac/role.yaml
contains:
path: rules
content:
apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- template: rbac/role.yaml
contains:
path: rules
Expand All @@ -800,6 +824,8 @@ tests:
- list
- watch
- it: should contain additional RBACS for hub
chart:
appVersion: v3.1.0
set:
hub:
token: xxx
Expand Down Expand Up @@ -870,8 +896,8 @@ tests:
resources:
- endpointslices
verbs:
- list
- get
- list
- watch
- template: rbac/clusterrole.yaml
contains:
Expand Down Expand Up @@ -931,6 +957,8 @@ tests:
- list
- watch
- it: should provide namespace'd RBACS for hub
chart:
appVersion: v3.1.0
set:
hub:
token: xxx
Expand Down Expand Up @@ -995,8 +1023,8 @@ tests:
resources:
- endpointslices
verbs:
- list
- get
- list
- watch
- template: rbac/role.yaml
contains:
Expand Down Expand Up @@ -1055,3 +1083,66 @@ tests:
- get
- list
- watch
- it: should provide expected namespace'd RBACS for version < v3.1
set:
image:
tag: v3.0.1
rbac:
namespaced: true
asserts:
- template: rbac/role.yaml
contains:
path: rules
content:
apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- template: rbac/role.yaml
notContains:
path: rules
content:
apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- get
- watch
- it: should provide expected RBACS for version < v3.1
set:
image:
tag: v3.0.1
asserts:
- template: rbac/clusterrole.yaml
contains:
path: rules
content:
apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- template: rbac/clusterrole.yaml
notContains:
path: rules
content:
apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- get
- watch
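Review bot: The `notContains` assertions in the two new `< v3.1` tests list the endpointslices verbs as `list, get, watch`, but the template only ever emits `list, watch` (or `get, list, watch` when `hub.token` is set), and as I read helm-unittest a `notContains` without `any: true` compares the whole object, so the negative assertion passes vacuously even if the gate were broken and the endpointslices rule leaked into a v3.0.x render. Aligning the expected verbs with what the template emits, `verbs:` / `- list` / `- watch`, or dropping `verbs` and matching on `apiGroups`/`resources` with `any: true`, would make the check actually fail on a regression. The hub tests in this same file were adjusted to `get, list, watch` precisely because the match is order- and content-sensitive, which suggests the same care is needed here.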

2 changes: 1 addition & 1 deletion traefik/values.yaml
Expand Up @@ -8,7 +8,7 @@ image:
# -- Traefik image repository
repository: traefik
# -- defaults to appVersion
tag: ""
tag:
# -- Traefik image pull policy
pullPolicy: IfNotPresent

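Review bot: The `# -- defaults to appVersion` comment above `tag:` no longer tells the whole story: the RBAC templates in this commit feed this value to `semverCompare`, so it now has to be a semver-parseable tag and a non-semver tag will break rendering. Suggest `# -- defaults to appVersion. Must be a semver tag: the rbac templates compare it against v3.1.0 to choose endpoints vs endpointslices rules. Quote it (e.g. "v3.1.0") so YAML does not retype it.` Bare `tag:` parses as YAML null, which `| default` treats the same as the previous `""`, so the value change itself is fine.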
