feat: add view aggregated cluster role support (#6350)

* feat: add view aggregated cluster role support Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * release note Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * fix kuttl Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Co-authored-by: shuting <shuting@nirmata.com> Co-authored-by: treydock <tdockendorf@osc.edu>
2025-03-28 10:28:36 +00:00 · 2023-02-25 20:57:56 +01:00 · 2023-02-25 20:57:56 +01:00 · 3331b13561
commit 3331b13561
parent 3653130806
10 changed files with 95 additions and 14 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -32,3 +32,5 @@ annotations:
      description: no deployments can run with 0 replicas
    - kind: changed
      description: change dashboard title of kyverno grafana dashboard
+    - kind: added
+      description: view aggregated cluster role support
--- a/charts/kyverno/templates/rbac/_helpers.tpl
+++ b/charts/kyverno/templates/rbac/_helpers.tpl
@ -1,6 +1,6 @@
 {{/* vim: set filetype=mustache: */}}

-{{- define "kyverno.rbac.labels" -}}
+{{- define "kyverno.rbac.labels.admin" -}}
 {{- template "kyverno.labels.merge" (list
  (include "kyverno.labels.common" .)
  (include "kyverno.rbac.matchLabels" .)
@ -8,6 +8,14 @@
 ) -}}
 {{- end -}}

+{{- define "kyverno.rbac.labels.view" -}}
+{{- template "kyverno.labels.merge" (list
+  (include "kyverno.labels.common" .)
+  (include "kyverno.rbac.matchLabels" .)
+  "rbac.authorization.k8s.io/aggregate-to-view: 'true'"
+) -}}
+{{- end -}}
+
 {{- define "kyverno.rbac.matchLabels" -}}
 {{- template "kyverno.labels.merge" (list
  (include "kyverno.matchLabels.common" .)
@ -16,5 +24,5 @@
 {{- end -}}

 {{- define "kyverno.rbac.roleName" -}}
-{{ .Release.Name }}:admin
+{{ .Release.Name }}:rbac
 {{- end -}}
--- a/charts/kyverno/templates/rbac/policies.yaml
+++ b/charts/kyverno/templates/rbac/policies.yaml
@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "kyverno.rbac.roleName" . }}:policies
+  name: {{ template "kyverno.rbac.roleName" . }}:admin:policies
  labels:
-    {{- include "kyverno.rbac.labels" . | nindent 4 }}
+    {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
  - apiGroups:
      - kyverno.io
@ -21,4 +21,23 @@ rules:
      - patch
      - update
      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.rbac.roleName" . }}:view:policies
+  labels:
+    {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - cleanuppolicies
+      - clustercleanuppolicies
+      - policies
+      - clusterpolicies
+    verbs:
+      - get
+      - list
+      - watch
 {{- end -}}
--- a/charts/kyverno/templates/rbac/policyreports.yaml
+++ b/charts/kyverno/templates/rbac/policyreports.yaml
@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "kyverno.rbac.roleName" . }}:policyreports
+  name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports
  labels:
-    {{- include "kyverno.rbac.labels" . | nindent 4 }}
+    {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
  - apiGroups:
      - wgpolicyk8s.io
@ -19,4 +19,21 @@ rules:
      - patch
      - update
      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports
+  labels:
+    {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - wgpolicyk8s.io
+    resources:
+      - policyreports
+      - clusterpolicyreports
+    verbs:
+      - get
+      - list
+      - watch
 {{- end -}}
--- a/charts/kyverno/templates/rbac/reports.yaml
+++ b/charts/kyverno/templates/rbac/reports.yaml
@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "kyverno.rbac.roleName" . }}:reports
+  name: {{ template "kyverno.rbac.roleName" . }}:admin:reports
  labels:
-    {{- include "kyverno.rbac.labels" . | nindent 4 }}
+    {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
  - apiGroups:
      - kyverno.io
@ -21,4 +21,23 @@ rules:
      - patch
      - update
      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.rbac.roleName" . }}:view:reports
+  labels:
+    {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - admissionreports
+      - clusteradmissionreports
+      - backgroundscanreports
+      - clusterbackgroundscanreports
+    verbs:
+      - get
+      - list
+      - watch
 {{- end -}}
--- a/charts/kyverno/templates/rbac/updaterequests.yaml
+++ b/charts/kyverno/templates/rbac/updaterequests.yaml
@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ template "kyverno.rbac.roleName" . }}:updaterequests
+  name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests
  labels:
-    {{- include "kyverno.rbac.labels" . | nindent 4 }}
+    {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
  - apiGroups:
      - kyverno.io
@ -18,4 +18,20 @@ rules:
      - patch
      - update
      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests
+  labels:
+    {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - updaterequests
+    verbs:
+      - get
+      - list
+      - watch
 {{- end -}}
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: kyverno:admin:policies
+  name: kyverno:rbac:admin:policies
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: kyverno:admin:policyreports
+  name: kyverno:rbac:admin:policyreports
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: kyverno:admin:reports
+  name: kyverno:rbac:admin:reports
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: kyverno:admin:updaterequests
+  name: kyverno:rbac:admin:updaterequests
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules: