Support Namespaced RBAC (#477)

* add role / rolebinding

* templating updates

* codegen test

* add changelog

Author: conradhanson

changelog/v0.33.1/namespace-rbac.yaml

@@ -0,0 +1,6 @@
+changelog:
+  - type: NEW_FEATURE
+    issueLink:   https://github.com/solo-io/gloo-mesh-enterprise/issues/10521
+    description: >
+      Add the ability to specify namespace-scoped rbac policies.
+    resolvesIssue: false

codegen/cmd_test.go

@@ -57,7 +57,7 @@ var _ = Describe("Cmd", func() {
 								DefaultPort: 9900,
 							}},
 						},
-						Rbac: []rbacv1.PolicyRule{{
+						ClusterRbac: []rbacv1.PolicyRule{{
 							Verbs:     []string{"*"},
 							APIGroups: []string{"coordination.k8s.io"},
 							Resources: []string{"leases"},
@@ -1230,7 +1230,7 @@ var _ = Describe("Cmd", func() {
 					{
 						Name:                  "painter",
 						CustomEnableCondition: "and $painter.enabled $.Values.test1.enabled $.Values.test2.enabled",
-						Rbac: []rbacv1.PolicyRule{
+						ClusterRbac: []rbacv1.PolicyRule{
 							{
 								Verbs: []string{"GET"},
 							},
@@ -1337,7 +1337,7 @@ var _ = Describe("Cmd", func() {
 					{
 						Name:                   "painter",
 						NamespaceFromValuePath: "$.Values.common.namespace",
-						Rbac: []rbacv1.PolicyRule{
+						ClusterRbac: []rbacv1.PolicyRule{
 							{
 								Verbs: []string{"GET"},
 							},
@@ -1816,6 +1816,115 @@ roleRef:
 			map[string]interface{}{"FOO": map[string]interface{}{"valueFrom": map[string]interface{}{"secretKeyRef": map[string]interface{}{"name": "bar", "key": "baz"}}}},
 			[]v1.EnvVar{{Name: "FOO", ValueFrom: &v1.EnvVarSource{SecretKeyRef: &v1.SecretKeySelector{LocalObjectReference: v1.LocalObjectReference{Name: "bar"}, Key: "baz"}}}}),
 	)
+
+	It("can configure cluster-scoped and namespace-scoped RBAC", func() {
+		cmd := &Command{
+			RenderProtos: false,
+			Chart: &Chart{
+				Operators: []Operator{
+					{
+						Name:                  "painter",
+						CustomEnableCondition: "$painter.enabled",
+						ClusterRbac: []rbacv1.PolicyRule{
+							{
+								Verbs: []string{"GET"},
+							},
+						},
+						NamespaceRbac: []rbacv1.PolicyRule{
+							{
+								Verbs:     []string{"GET", "LIST", "WATCH"},
+								APIGroups: []string{""},
+								Resources: []string{"secrets"},
+							},
+						},
+					},
+				},
+				Values: nil,
+				Data: Data{
+					ApiVersion:  "v1",
+					Description: "",
+					Name:        "Painting Operator",
+					Version:     "v0.0.1",
+					Home:        "https://docs.solo.io/skv2/latest",
+					Sources: []string{
+						"https://github.com/solo-io/skv2",
+					},
+				},
+			},
+
+			ManifestRoot: "codegen/test/chart",
+		}
+
+		Expect(cmd.Execute()).NotTo(HaveOccurred(), "failed to execute command")
+
+		absPath, err := filepath.Abs("./codegen/test/chart/templates/rbac.yaml")
+		Expect(err).NotTo(HaveOccurred(), "failed to get abs path")
+
+		rbac, err := os.ReadFile(absPath)
+		Expect(err).NotTo(HaveOccurred(), "failed to read rbac.yaml")
+		roleTmpl := `
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: painter
+  namespace: {{ default .Release.Namespace $.Values.painter.namespace }}
+  labels:
+    app: painter
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - GET
+  - LIST
+  - WATCH`
+		roleBindingTmpl := `
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: painter
+  namespace: {{ default .Release.Namespace $.Values.painter.namespace }}
+  labels:
+    app: painter
+subjects:
+- kind: ServiceAccount
+  name: painter
+  namespace: {{ default .Release.Namespace $.Values.painter.namespace }}
+roleRef:
+  kind: Role
+  name: painter
+  apiGroup: rbac.authorization.k8s.io`
+		clusterRoleTmpl := `
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: painter-{{ default .Release.Namespace $.Values.painter.namespace }}
+  labels:
+    app: painter
+rules:
+- verbs:
+  - GET`
+		clusterRoleBindingTmpl := `
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: painter-{{ default .Release.Namespace $.Values.painter.namespace }}
+  labels:
+    app: painter
+subjects:
+- kind: ServiceAccount
+  name: painter
+  namespace: {{ default .Release.Namespace $.Values.painter.namespace }}
+roleRef:
+  kind: ClusterRole
+  name: painter-{{ default .Release.Namespace $.Values.painter.namespace }}
+  apiGroup: rbac.authorization.k8s.io`
+		Expect(rbac).To(ContainSubstring(roleTmpl))
+		Expect(rbac).To(ContainSubstring(roleBindingTmpl))
+		Expect(rbac).To(ContainSubstring(clusterRoleTmpl))
+		Expect(rbac).To(ContainSubstring(clusterRoleBindingTmpl))
+	})
 })
 
 func helmTemplate(path string, values interface{}) []byte {

codegen/model/chart.go

@@ -76,7 +76,10 @@ type Operator struct {
 	Deployment Deployment
 
 	// these populate the generated ClusterRole for the operator
-	Rbac []rbacv1.PolicyRule
+	ClusterRbac []rbacv1.PolicyRule
+
+	// these populate the generated Role for the operator
+	NamespaceRbac []rbacv1.PolicyRule
 
 	// if at least one port is defined, create a Service for it
 	Service Service

codegen/templates/chart/operator-rbac.yamltmpl

@@ -6,7 +6,7 @@ Expressions evaluating SKv2 Config use [[ "[[" ]] and [[ "]]" ]]
 
 [[- range $operator := $.Operators -]]
 [[- $operatorVar := (lower_camel $operator.Name) -]]
-[[- if $operator.Rbac ]]
+[[- if or $operator.ClusterRbac $operator.NamespaceRbac ]]
 # Rbac manifests for [[ $operator.Name ]]
 
 {{- $[[ $operatorVar ]] := [[ (opVar $operator)]] }}
@@ -16,6 +16,7 @@ Expressions evaluating SKv2 Config use [[ "[[" ]] and [[ "]]" ]]
 [[- $operatorEnabledCondition = printf "\n{{- if %s }}\n" $operator.CustomEnableCondition -]]
 [[- end -]]
 [[- $operatorEnabledCondition -]]
+[[- if $operator.ClusterRbac ]]
 ---
 
 kind: ClusterRole
@@ -29,7 +30,7 @@ metadata:
   labels:
     app: [[ $operator.Name ]]
 rules:
-[[ toYaml $operator.Rbac ]]
+[[ toYaml $operator.ClusterRbac ]]
 [[- range $container := containerConfigs $operator -]]
 [[- if and ($container.Rbac) (gt (len $container.EnableStatement) 0) ]]
 [[ printf "{{- if %s }}" $container.EnableStatement ]]
@@ -70,6 +71,52 @@ roleRef:
 [[- end ]]
   apiGroup: rbac.authorization.k8s.io
 
-{{- end }}
+[[- end ]][[/* if $operator.ClusterRbac */]]
+
+[[- if $operator.NamespaceRbac ]]
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: [[ $operator.Name ]]
+[[- if $operator.NamespaceFromValuePath ]]
+  namespace: [[ printf "{{ %s | default $.Release.Namespace }}" $operator.NamespaceFromValuePath ]]
+[[- else ]]
+  namespace: {{ default .Release.Namespace [[ (opVar $operator) ]].namespace }}
+[[- end ]]
+  labels:
+    app: [[ $operator.Name ]]
+rules:
+[[ toYaml $operator.NamespaceRbac ]]
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: [[ $operator.Name ]]
+[[- if $operator.NamespaceFromValuePath ]]
+  namespace: [[ printf "{{ %s | default $.Release.Namespace }}" $operator.NamespaceFromValuePath ]]
+[[- else ]]
+  namespace: {{ default .Release.Namespace [[ (opVar $operator) ]].namespace }}
 [[- end ]]
+  labels:
+    app: [[ $operator.Name ]]
+subjects:
+- kind: ServiceAccount
+  name: [[ $operator.Name ]]
+[[- if $operator.NamespaceFromValuePath ]]
+  namespace: [[ printf "{{ %s | default $.Release.Namespace }}" $operator.NamespaceFromValuePath ]]
+[[- else ]]
+  namespace: {{ default .Release.Namespace [[ (opVar $operator) ]].namespace }}
 [[- end ]]
+roleRef:
+  kind: Role
+  name: [[ $operator.Name ]]
+  apiGroup: rbac.authorization.k8s.io
+
+[[- end ]][[/* if $operator.NamespaceRbac */]]
+{{- end }}[[/* $operatorEnabledCondition */]]
+[[- end ]][[/* if or $operator.ClusterRbac $operator.NamespaceRbac */]]
+[[- end ]][[/* range $operator := $.Operators */]]

codegen/test/chart/conditional-sidecar/templates/rbac.yaml

@@ -5,6 +5,7 @@
 
 {{- $glooMgmtServer := $.Values.glooMgmtServer }}
 {{- if $glooMgmtServer.enabled -}}
+
 ---
 
 kind: ClusterRole
@@ -44,5 +45,4 @@ roleRef:
   kind: ClusterRole
   name: gloo-mgmt-server-{{ default .Release.Namespace $.Values.glooMgmtServer.namespace }}
   apiGroup: rbac.authorization.k8s.io
-
 {{- end }}

codegen/test/chart/templates/deployment.yaml

@@ -14,41 +14,31 @@ kind: Deployment
 metadata:
   labels:
     app: painter
-    deployment: labels
   annotations:
     app.kubernetes.io/name: painter
-    deployment: annotation
   name: painter
   namespace: {{ default .Release.Namespace $.Values.painter.namespace }}
 spec:
   selector:
     matchLabels:
       app: painter
-      pod: labels
   template:
     metadata:
       labels:
         app: painter
-        pod: labels
       annotations:
         app.kubernetes.io/name: painter
         prometheus.io/path: /metrics
         prometheus.io/port: "9091"
         prometheus.io/scrape: "true"
-        pod: annotations
     spec:
       serviceAccountName: painter
-      volumes:
-      - emptyDir: {}
-        name: paint
       containers:
 {{- $painter := $.Values.painter }}
 {{- $painterImage := $painter.image }}
       - name: painter
         image: {{ $painterImage.registry }}/{{ $painterImage.repository }}:{{ $painterImage.tag }}
         imagePullPolicy: {{ $painterImage.pullPolicy }}
-        args:
-        - foo
 {{- if $painter.env }}
         env:
 {{ toYaml $painter.env | indent 10 }}
@@ -89,77 +79,14 @@ spec:
             drop:
             - ALL
 {{- end }}
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 8080
-          initialDelaySeconds: 5
-          periodSeconds: 10
-{{- $palette := $.Values.painter.sidecars.palette }}
-{{- $paletteImage := $palette.image }}
-      - name: palette
-        image: {{ $paletteImage.registry }}/{{ $paletteImage.repository }}:{{ $paletteImage.tag }}
-        imagePullPolicy: {{ $paletteImage.pullPolicy }}
-        args:
-        - bar
-        - baz
-{{- if $palette.env }}
-        env:
-{{ toYaml $palette.env | indent 10 }}
-{{- else if $palette.extraEnvs }}
-        env:
-{{- end }}
-{{- range $name, $item := $palette.extraEnvs }}
-          - name: {{ $name }}
-{{- $item | toYaml | nindent 12 }}
-{{- end }}
-        volumeMounts:
-        - mountPath: /etc/paint
-          name: paint
-        resources:
-{{- if $palette.resources }}
-{{ toYaml $palette.resources | indent 10}}
-{{- else}}
-          requests:
-            cpu: 500m
-            memory: 256Mi
-{{- end }}
-        {{- /*
-          Render securityContext configs if it is set.
-          If securityContext is not set, render the default securityContext.
-          If securityContext is set to 'false', render an empty map.
-        */}}
-        securityContext:
-{{- if or ($palette.securityContext) (eq "map[]" (printf "%v" $palette.securityContext)) }}
-{{ toYaml $palette.securityContext | indent 10}}
-{{/* Because securityContext is nil by default we can only perform following conversion if it is a boolean. Skip conditional otherwise. */}}
-{{- else if eq (ternary $palette.securityContext true (eq "bool" (printf "%T" $palette.securityContext))) false }}
-          {}
-{{- else}}
-          runAsNonRoot: true
-          {{- if not $painter.floatingUserId }}
-          runAsUser: {{ printf "%.0f" (float64 $painter.runAsUser) }}
-          {{- end }}
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - ALL
-{{- end }}
-        livenessProbe:
-          httpGet:
-            path: /
-            port: 8080
-          initialDelaySeconds: 30
-          periodSeconds: 60
       {{- if $painterImage.pullSecret }}
       imagePullSecrets:
         - name: {{ $painterImage.pullSecret }}
       {{- end}}
 {{- end }} {{/* define "painter.deploymentSpec" */}}
 
 {{/* Render painter deployment template with overrides from values*/}}
-{{- if $painter.enabled -}}
+{{- if $painter.enabled }}
 {{- $painterDeploymentOverrides := dict }}
 {{- if $painter.deploymentOverrides }}
 {{- $painterDeploymentOverrides = $painter.deploymentOverrides  }}
@@ -168,7 +95,7 @@ spec:
 {{ include "skv2.utils.merge" (list . $painterDeploymentOverrides "painter.deploymentSpec") }}
 {{- end }}
 ---
-{{- if $painter.enabled -}}
+{{- if $painter.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -190,7 +117,7 @@ metadata:
 {{- define "painter.serviceSpec"}}
 
 {{- end }} {{/* define "painter.serviceSpec" */}}
-{{- if $painter.enabled -}}
+{{- if $painter.enabled }}
 {{/* Render painter service template with overrides from values*/}}
 {{- $painterServiceOverrides := dict }}
 {{- if $painter.serviceOverrides }}