refactor: helm admission controller rbac config (#6582)

* refactor: helm admission controller rbac config

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

* cluster roles

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

---------

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>

charts/kyverno/README.md

@@ -150,7 +150,6 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `resources` has been replaced with `admissionController.container.resources`
 - `service` has been replaced with `admissionController.service`
 - `metricsService` has been replaced with `admissionController.metricsService`
-
 - `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs`
 - `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars`
 - `envVars` has been replaced with `admissionController.container.extraEnvVars`
@@ -159,7 +158,9 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `extraContainers` has been replaced with `admissionController.extraContainers`
 - `podLabels` has been replaced with `admissionController.podLabels`
 - `podAnnotations` has been replaced with `admissionController.podAnnotations`
-- `securityContext` has been replaced with `admissionController.admissionController.container.securityContext` and `admissionController.admissionController.initContainer.securityContext`
+- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext`
+- `rbac` has been replaced with `admissionController.rbac`
+- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources`
 
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
 
@@ -214,10 +215,6 @@ The command removes all the Kubernetes components associated with the chart and
 | test.resources.requests | object | `{"cpu":"10m","memory":"64Mi"}` | Pod resource requests |
 | test.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsGroup":65534,"runAsNonRoot":true,"runAsUser":65534,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the test containers |
 | customLabels | object | `{}` | Additional labels |
-| rbac.create | bool | `true` | Create ClusterRoles, ClusterRoleBindings, and ServiceAccount |
-| rbac.serviceAccount.create | bool | `true` | Create a ServiceAccount |
-| rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
-| rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
 | generatecontrollerExtraResources | list | `[]` | Additional resources to be added to controller RBAC permissions. |
 | excludeKyvernoNamespace | bool | `true` | Exclude Kyverno namespace Determines if default Kyverno namespace exclusion is enabled for webhooks and resourceFilters |
 | resourceFiltersExcludeNamespaces | list | `[]` | resourceFilter namespace exclude Namespaces to exclude from the default resourceFilters |
@@ -229,6 +226,10 @@ The command removes all the Kubernetes components associated with the chart and
 | grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. |
 | grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
 | grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
+| admissionController.rbac.create | bool | `true` | Create RBAC resources |
+| admissionController.rbac.serviceAccount.name | string | `nil` | The ServiceAccount name |
+| admissionController.rbac.serviceAccount.annotations | object | `{}` | Annotations for the ServiceAccount |
+| admissionController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | admissionController.createSelfSignedCert | bool | `false` | Create self-signed certificates at deployment time. The certificates won't be automatically renewed if this is set to `true`. |
 | admissionController.replicas | int | `nil` | Desired number of pods |
 | admissionController.podLabels | object | `{}` | Additional labels to add to each pod |

charts/kyverno/README.md.gotmpl

@@ -150,7 +150,6 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `resources` has been replaced with `admissionController.container.resources`
 - `service` has been replaced with `admissionController.service`
 - `metricsService` has been replaced with `admissionController.metricsService`
-
 - `initContainer.extraArgs` has been replaced with `admissionController.initContainer.extraArgs`
 - `envVarsInit` has been replaced with `admissionController.initContainer.extraEnvVars`
 - `envVars` has been replaced with `admissionController.container.extraEnvVars`
@@ -159,7 +158,9 @@ In `v3` chart values changed significantly, please read the instructions below t
 - `extraContainers` has been replaced with `admissionController.extraContainers`
 - `podLabels` has been replaced with `admissionController.podLabels`
 - `podAnnotations` has been replaced with `admissionController.podAnnotations`
-- `securityContext` has been replaced with `admissionController.admissionController.container.securityContext` and `admissionController.admissionController.initContainer.securityContext`
+- `securityContext` has been replaced with `admissionController.container.securityContext` and `admissionController.initContainer.securityContext`
+- `rbac` has been replaced with `admissionController.rbac`
+- `generatecontrollerExtraResources` has been replaced with `admissionController.rbac.clusterRole.extraResources`
 
 - Labels and selectors have been reworked and due to immutability, upgrading from `v2` to `v3` is going to be rejected. The easiest solution is to uninstall `v2` and reinstall `v3` once values have been adapted to the changes described above.
 

charts/kyverno/templates/admission-controller/_helpers.tpl

@@ -23,10 +23,10 @@
 {{- end -}}
 
 {{- define "kyverno.admission-controller.serviceAccountName" -}}
-{{- if .Values.rbac.serviceAccount.create -}}
-    {{ default (include "kyverno.admission-controller.name" .) .Values.rbac.serviceAccount.name }}
+{{- if .Values.admissionController.rbac.create -}}
+    {{ default (include "kyverno.admission-controller.name" .) .Values.admissionController.rbac.serviceAccount.name }}
 {{- else -}}
-    {{ default "default" .Values.rbac.serviceAccount.name }}
+    {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.admissionController.rbac.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
 

charts/kyverno/templates/admission-controller/clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if .Values.admissionController.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -7,96 +7,96 @@ metadata:
     {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
 aggregationRule:
   clusterRoleSelectors:
-  - matchLabels:
-      {{- include "kyverno.admission-controller.matchLabels" . | nindent 6 }}
+    - matchLabels:
+        {{- include "kyverno.admission-controller.matchLabels" . | nindent 8 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "kyverno.admission-controller.roleName" . }}:userinfo
-  labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-    - rbac.authorization.k8s.io
-  resources:
-    - roles
-    - clusterroles
-    - rolebindings
-    - clusterrolebindings
-  verbs:
-    - watch
-    - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "kyverno.admission-controller.roleName" . }}:policies
-  labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-    - kyverno.io
-  resources:
-    - policies
-    - policies/status
-    - clusterpolicies
-    - clusterpolicies/status
-    - updaterequests
-    - updaterequests/status
-    - admissionreports
-    - clusteradmissionreports
-    - backgroundscanreports
-    - clusterbackgroundscanreports
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-    - deletecollection
-- apiGroups:
-    - wgpolicyk8s.io
-  resources:
-    - policyreports
-    - policyreports/status
-    - clusterpolicyreports
-    - clusterpolicyreports/status
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-    - deletecollection
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "kyverno.admission-controller.roleName" . }}:view
-  labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - '*'
-  resources:
-  - '*'
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "kyverno.admission-controller.roleName" . }}:generate
+  name: {{ template "kyverno.admission-controller.roleName" . }}:core
   labels:
     {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
 rules:
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
+      - mutatingwebhookconfigurations
+      - validatingwebhookconfigurations
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - rbac.authorization.k8s.io
+    resources:
+      - roles
+      - clusterroles
+      - rolebindings
+      - clusterrolebindings
+    verbs:
+      - watch
+      - list
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - policies
+      - policies/status
+      - clusterpolicies
+      - clusterpolicies/status
+      - updaterequests
+      - updaterequests/status
+      - admissionreports
+      - clusteradmissionreports
+      - backgroundscanreports
+      - clusterbackgroundscanreports
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - wgpolicyk8s.io
+    resources:
+      - policyreports
+      - policyreports/status
+      - clusterpolicyreports
+      - clusterpolicyreports/status
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - ''
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - update
+      - patch
+      - delete
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - networking.k8s.io
     resources:
@@ -131,56 +131,15 @@ rules:
       - update
       - patch
       - delete
-  {{- if .Values.generatecontrollerExtraResources }}
-  - apiGroups:
-      - '*'
-    resources:
-    {{- range .Values.generatecontrollerExtraResources }}
-      - {{ . }}
-    {{- end }}
-    verbs:
-      - create
-      - update
-      - delete
-  {{- end }}
+{{- with .Values.admissionController.rbac.clusterRole.extraResources }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "kyverno.admission-controller.roleName" . }}:events
+  name: {{ template "kyverno.admission-controller.roleName" $ }}:additional
   labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
+    {{- include "kyverno.admission-controller.labels" $ | nindent 4 }}
 rules:
-- apiGroups:
-  - ''
-  - events.k8s.io
-  resources:
-  - events
-  verbs:
-  - create
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "kyverno.admission-controller.roleName" . }}:webhook
-  labels:
-    {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  - validatingwebhookconfigurations
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
-  - deletecollection
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 {{- end }}

charts/kyverno/templates/admission-controller/clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.admissionController.rbac.create -}}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

charts/kyverno/templates/admission-controller/role.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.admissionController.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:

charts/kyverno/templates/admission-controller/rolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.admissionController.rbac.create -}}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

charts/kyverno/templates/admission-controller/serviceaccount.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if .Values.admissionController.rbac.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -6,7 +6,7 @@ metadata:
   namespace: {{ template "kyverno.namespace" . }}
   labels:
     {{- include "kyverno.admission-controller.labels" . | nindent 4 }}
-  {{- with .Values.rbac.serviceAccount.annotations }}
+  {{- with .Values.admissionController.rbac.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}

charts/kyverno/templates/rbac/policies.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.admissionController.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

charts/kyverno/templates/rbac/policyreports.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.admissionController.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

charts/kyverno/templates/rbac/reports.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.admissionController.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

charts/kyverno/templates/rbac/updaterequests.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create -}}
+{{- if .Values.admissionController.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:

charts/kyverno/values.yaml

@@ -199,18 +199,6 @@ test:
 # -- Additional labels
 customLabels: {}
 
-rbac:
-  # -- Create ClusterRoles, ClusterRoleBindings, and ServiceAccount
-  create: true
-  serviceAccount:
-    # -- Create a ServiceAccount
-    create: true
-    # -- The ServiceAccount name
-    name:
-    # -- Annotations for the ServiceAccount
-    annotations: {}
-      # example.com/annotation: value
-
 # -- Additional resources to be added to controller RBAC permissions.
 generatecontrollerExtraResources: []
 # - ResourceA
@@ -254,6 +242,30 @@ grafana:
 # Admission controller configuration
 admissionController:
 
+  rbac:
+    # -- Create RBAC resources
+    create: true
+
+    serviceAccount:
+      # -- The ServiceAccount name
+      name:
+
+      # -- Annotations for the ServiceAccount
+      annotations: {}
+        # example.com/annotation: value
+
+    clusterRole:
+      # -- Extra resource permissions to add in the cluster role
+      extraResources: []
+      # - apiGroups:
+      #     - ''
+      #   resources:
+      #     - pods
+      #   verbs:
+      #     - create
+      #     - update
+      #     - delete
+
   # -- Create self-signed certificates at deployment time.
   # The certificates won't be automatically renewed if this is set to `true`.
   createSelfSignedCert: false