chore: add rbac for mission to lookup secrets

flanksource · Mar 21, 2024 · 54f299c · 54f299c
1 parent 117d483
commit 54f299c
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 11 deletions.
diff --git a/agent-chart/templates/deployment.yaml b/agent-chart/templates/deployment.yaml
@@ -14,11 +14,11 @@ spec:
       labels:
         {{- include "incident-commander.selectorLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "incident-commander.fullname" . }}-sa
+      serviceAccountName: {{ include "incident-commander.name" . }}-sa
       volumes:
         - name: properties-config
           configMap:
-            name: {{ include "incident-commander.fullname" . }}-properties-config
+            name: {{ include "incident-commander.name" . }}-properties-config
       containers:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"

diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -14,11 +14,11 @@ spec:
       labels:
         {{- include "incident-commander.selectorLabels" . | nindent 8 }}
     spec:
-      serviceAccountName: {{ include "incident-commander.fullname" . }}-sa
+      serviceAccountName: {{ include "incident-commander.name" . }}-sa
       volumes:
         - name: properties-config
           configMap:
-            name: {{ include "incident-commander.fullname" . }}-properties-config
+            name: {{ include "incident-commander.name" . }}-properties-config
       {{- if ne .Values.identityRoleMapper.configMap.name ""}}
         - name: identity-role-mapper
           configMap:

diff --git a/chart/templates/properties-configmap.yaml b/chart/templates/properties-configmap.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "incident-commander.fullname" . }}-properties-config
+  name: {{ include "incident-commander.name" . }}-properties-config
   labels:
     {{- include "incident-commander.labels" . | nindent 4 }}
 data:

diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ include "incident-commander.fullname" . }}-sa
+  name: {{ include "incident-commander.name" . }}-sa
   labels:
     {{- include "incident-commander.labels" . | nindent 4 }}
   {{- with .Values.serviceAccount.annotations }}
@@ -10,7 +10,7 @@ metadata:
   {{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
 metadata:
   creationTimestamp: null
   name: {{ include "incident-commander.name" . }}-role
@@ -50,16 +50,71 @@ rules:
   - get
   - patch
   - update
+{{- if .Values.serviceAccount.rbac.secrets}}
+- apiGroups:
+    - v1
+  resources:
+    - secrets
+  verbs:
+    - get
+    - list
+{{- end}}
+{{- if .Values.serviceAccount.rbac.configmaps}}
+- apiGroups:
+    - v1
+  resources:
+    - configmaps
+  verbs:
+    - get
+    - list
+{{- end}}
+{{- if .Values.serviceAccount.rbac.exec}}
+- apiGroups: [""]
+  resources:
+    - pods/attach
+    - pods/exec
+    - pods/log
+  verbs:
+    - '*'
+{{- end}}
+{{- if .Values.serviceAccount.rbac.podRun}}
+- apiGroups: [""]
+  resources:
+    - pods/attach
+    - pods/exec
+    - pods/log
+    - pods
+  verbs:
+    - '*'
+{{- end}}
+{{- if .Values.serviceAccount.rbac.tokenRequest}}
+- apiGroups:
+    - authentication.k8s.io/v1
+  resources:
+    - serviceaccounts/token
+  verbs:
+    - create
+{{- end}}
+{{- if .Values.serviceAccount.rbac.readAll}}
+- apiGroups:
+    - "*"
+  resources:
+    - "*"
+  verbs:
+    - list
+    - get
+    - watch
+{{- end}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}RoleBinding
 metadata:
-  name: {{ include "incident-commander.fullname" . }}-rolebinding
+  name: {{ include "incident-commander.name" . }}-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
   name: {{ include "incident-commander.name" . }}-role
 subjects:
   - kind: ServiceAccount
-    name: {{ include "incident-commander.fullname" . }}-sa
+    name: {{ include "incident-commander.name" . }}-sa
     namespace: {{ .Release.Namespace }}
diff --git a/chart/values.yaml b/chart/values.yaml
@@ -27,6 +27,24 @@ global:
 serviceAccount:
   # Annotations to add to the service account
   annotations: {}
+  rbac:
+    # Whether to create cluster-wide or namespaced roles
+    clusterRole: true
+
+    # for secret management with valueFrom
+    tokenRequest: true
+    secrets: true
+    configmaps: true
+
+    # for use with kubernetes resource lookups
+    readAll: true
+
+    # Playbook pod actions
+    podRun: true
+
+    # exec
+    exec: true
+
 extraArgs: {}
 externalPostgrest:
   enable: true