From f035cc2bcfd825142926b6d4f122e3b586f88607 Mon Sep 17 00:00:00 2001
From: Aditya Thebe
Date: Wed, 31 Jul 2024 15:38:45 +0545
Subject: [PATCH] feat: add impersonate permissin to mission-control role

* Add mission-control-reader & mission-control-writer roles & bindings
---
 chart/templates/rbac.yaml | 65 ++++++++++++++++++++++++++++++++++++++-
 chart/values.yaml | 5 +++
 2 files changed, 69 insertions(+), 1 deletion(-)

diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
index 1ec55e459..e533ed68c 100644
--- a/chart/templates/rbac.yaml
+++ b/chart/templates/rbac.yaml
@@ -12,9 +12,16 @@ metadata:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
 metadata:
- creationTimestamp: null
 name: {{ include "incident-commander.name" . }}-role
 rules:
+{{- if .Values.serviceAccount.rbac.impersonate}}
+- apiGroups:
+ - ""
+ resources:
+ - users
+ verbs:
+ - impersonate
+{{- end}}
 - apiGroups:
 - mission-control.flanksource.com
 resources:
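Review bot: The impersonation rule added under `rules:` grants the `impersonate` verb on `users` with no `resourceNames`, so the service account can act as any user the API server recognises (including cluster-admin identities), not only the two reader/writer users this commit introduces. Pin the rule to the intended identities by adding `resourceNames:` / `- mission-control-reader` / `- mission-control-writer` inside the same rule, so the flag grants exactly what the values.yaml comment describes. Since `users` is not a namespaced resource, this rule presumably only has effect when rendered as a ClusterRole (`clusterRole: true`); worth confirming and stating next to the value. The `rules:` list continues beyond this hunk.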
@@ -118,3 +125,59 @@ subjects:
 - kind: ServiceAccount
 name: {{.Values.serviceAccount.name}}
 namespace: {{ .Release.Namespace }}
+{{- if .Values.serviceAccount.rbac.impersonate}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
+metadata:
+ name: 'mission-control-reader-role'
+rules:
+ - apiGroups: ['']
+ resources: ['configmaps', 'secrets']
+ verbs: ['get', 'list', 'watch']
+ - apiGroups:
+ - 'configs.flanksource.com'
+ - 'canaries.flanksource.com'
+ - 'mission-control.flanksource.com'
+ resources: ['*']
+ verbs: ['get', 'list', 'watch']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
+metadata:
+ name: 'mission-control-writer-role'
+rules:
+ - apiGroups: ['']
+ resources: ['configmaps', 'secrets']
+ verbs: ['*']
+ - apiGroups:
+ - 'configs.flanksource.com'
+ - 'canaries.flanksource.com'
+ - 'mission-control.flanksource.com'
+ resources: ['*']
+ verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}RoleBinding
+metadata:
+ name: 'mission-control-reader-role-binding'
+subjects:
+ - kind: User
+ name: 'mission-control-reader'
+roleRef:
+ kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
+ name: 'mission-control-reader-role'
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}RoleBinding
+metadata:
+ name: 'mission-control-writer-role-binding'
+subjects:
+ - kind: User
+ name: 'mission-control-writer'
+roleRef:
+ kind: {{if .Values.serviceAccount.rbac.clusterRole}}Cluster{{end}}Role
+ name: 'mission-control-writer-role'
+ apiGroup: rbac.authorization.k8s.io
+{{- end}}
diff --git a/chart/values.yaml b/chart/values.yaml
index e6aead924..01d6fb31c 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
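Review bot: The four new objects use fixed names (`'mission-control-reader-role'`, `'mission-control-writer-role'` and their `-binding` counterparts) instead of the `{{ include "incident-commander.name" . }}` prefix the main role at the top of this file uses, so two releases installed with `clusterRole: true` in one cluster would collide on the same ClusterRole/ClusterRoleBinding objects and Helm would refuse to adopt them for the second release. Prefixing them, e.g. `name: '{{ include "incident-commander.name" . }}-reader-role'`, needs the matching change in each `roleRef.name` and in the `subjects` user names. Note also that with `clusterRole: true` the writer role's `verbs: ['*']` on `secrets` and `configmaps` is cluster-wide; if the writer identity is only meant to manage the release's own namespace, consider keeping these two roles namespaced regardless of the flag. As a style point, the new rules use flow lists and single-quoted scalars while the rest of this file uses block lists and unquoted or double-quoted scalars; matching the existing style keeps the template consistent.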
@@ -35,6 +35,11 @@ serviceAccount:
 name: mission-control-sa
 annotations: {}
 rbac:
+ # Impersonate allows the service account to impersonate as
+ # - mission-control-reader-role
+ # - mission-control-writer-role
+ # This is used by kubeproxy.
+ impersonate: false
 # Whether to create cluster-wide or namespaced roles
 clusterRole: true
 # for secret management with valueFrom
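Review bot: The comment above `impersonate: false` names `mission-control-reader-role` and `mission-control-writer-role` as the identities being impersonated, but those are Role names; the users that rbac.yaml binds to those roles are `mission-control-reader` and `mission-control-writer`, and the impersonation rule in rbac.yaml is not limited to them at all. Reword it so an operator sees what the flag actually grants, e.g. `# Grant the service account the "impersonate" verb on users. Intended for acting as the` / `# mission-control-reader and mission-control-writer users (bound to the reader/writer roles` / `# in rbac.yaml); as written the rule does not restrict which users may be impersonated.` The "kubeproxy" reference presumably means the chart's own kube proxy component rather than Kubernetes' kube-proxy; naming it precisely would avoid that confusion.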