diff --git a/charts/kyverno/Chart.yaml b/charts/kyverno/Chart.yaml
index 1bf115b786..170b35d4e5 100644
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@@ -32,3 +32,5 @@ annotations:
 description: no deployments can run with 0 replicas
 - kind: changed
 description: change dashboard title of kyverno grafana dashboard
+ - kind: added
+ description: view aggregated cluster role support
diff --git a/charts/kyverno/templates/rbac/_helpers.tpl b/charts/kyverno/templates/rbac/_helpers.tpl
index 911f6e4348..89c21927ae 100644
--- a/charts/kyverno/templates/rbac/_helpers.tpl
+++ b/charts/kyverno/templates/rbac/_helpers.tpl
@@ -1,6 +1,6 @@
 {{/* vim: set filetype=mustache: */}}
-{{- define "kyverno.rbac.labels" -}}
+{{- define "kyverno.rbac.labels.admin" -}}
 {{- template "kyverno.labels.merge" (list
 (include "kyverno.labels.common" .)
 (include "kyverno.rbac.matchLabels" .)
@@ -8,6 +8,14 @@
 ) -}}
 {{- end -}}
+{{- define "kyverno.rbac.labels.view" -}}
+{{- template "kyverno.labels.merge" (list
+ (include "kyverno.labels.common" .)
+ (include "kyverno.rbac.matchLabels" .)
+ "rbac.authorization.k8s.io/aggregate-to-view: 'true'"
+) -}}
+{{- end -}}
+
 {{- define "kyverno.rbac.matchLabels" -}}
 {{- template "kyverno.labels.merge" (list
 (include "kyverno.matchLabels.common" .)
@@ -16,5 +24,5 @@
 {{- end -}}
 {{- define "kyverno.rbac.roleName" -}}
-{{ .Release.Name }}:admin
+{{ .Release.Name }}:rbac
 {{- end -}}
diff --git a/charts/kyverno/templates/rbac/policies.yaml b/charts/kyverno/templates/rbac/policies.yaml
index 7ff63c66d1..1cc9dcc55e 100644
--- a/charts/kyverno/templates/rbac/policies.yaml
+++ b/charts/kyverno/templates/rbac/policies.yaml
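Review bot: Renaming `kyverno.rbac.roleName` from `:admin` to `:rbac` in the last _helpers.tpl hunk changes the name of every ClusterRole the chart renders (`<release>:admin:policies` becomes `<release>:rbac:admin:policies`, as the policies.yaml hunk and the kuttl renames show), so `helm upgrade` deletes the old objects and creates new ones. Any RoleBinding or ClusterRoleBinding created outside the chart that referenced the old names is left pointing at a ClusterRole that no longer exists, which the API server accepts without error, so those subjects lose access silently. The Chart.yaml hunk only records `kind: added`; I would add a `kind: changed` entry such as `description: rename rbac cluster roles from <release>:admin:* to <release>:rbac:admin:*` so the break is visible in the release notes. The new `kyverno.rbac.labels.view` define in the second hunk also has nothing distinguishing it from the admin variant; a one-line `{{/* labels for cluster roles aggregated into the built-in view role */}}` above it would help.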
@@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ template "kyverno.rbac.roleName" . }}:policies
+ name: {{ template "kyverno.rbac.roleName" . }}:admin:policies
 labels:
- {{- include "kyverno.rbac.labels" . | nindent 4 }}
+ {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
 - apiGroups:
 - kyverno.io
@@ -21,4 +21,23 @@ rules:
 - patch
 - update
 - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:view:policies
+ labels:
+ {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - kyverno.io
+ resources:
+ - cleanuppolicies
+ - clustercleanuppolicies
+ - policies
+ - clusterpolicies
+ verbs:
+ - get
+ - list
+ - watch
 {{- end -}}
diff --git a/charts/kyverno/templates/rbac/policyreports.yaml b/charts/kyverno/templates/rbac/policyreports.yaml
index 525b6de0c5..dc75baf359 100644
--- a/charts/kyverno/templates/rbac/policyreports.yaml
+++ b/charts/kyverno/templates/rbac/policyreports.yaml
@@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ template "kyverno.rbac.roleName" . }}:policyreports
+ name: {{ template "kyverno.rbac.roleName" . }}:admin:policyreports
 labels:
- {{- include "kyverno.rbac.labels" . | nindent 4 }}
+ {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
 - apiGroups:
 - wgpolicyk8s.io
@@ -19,4 +19,21 @@ rules:
 - patch
 - update
 - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:view:policyreports
+ labels:
+ {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - wgpolicyk8s.io
+ resources:
+ - policyreports
+ - clusterpolicyreports
+ verbs:
+ - get
+ - list
+ - watch
 {{- end -}}
diff --git a/charts/kyverno/templates/rbac/reports.yaml b/charts/kyverno/templates/rbac/reports.yaml
index 40d839b9d6..a322d00fdf 100644
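Review bot: The new `:view:policies` ClusterRole in the second policies.yaml hunk has no conformance assertion in this diff: the kuttl files under test/conformance/kuttl/rbac/aggregate-to-admin are only renamed, and nothing checks that `kyverno:rbac:view:policies` is rendered with `rbac.authorization.k8s.io/aggregate-to-view: "true"` and a get/list/watch-only verb list. The same gap applies to the `:view:` documents added in policyreports.yaml, reports.yaml and updaterequests.yaml. I would add a parallel assert directory (e.g. `aggregate-to-view/view-policies.yaml`, mirroring the admin ones) so that a regression dropping the label or widening the verbs fails CI. The admin rule set of this file and the `{{- if` that the trailing `{{- end -}}` closes are outside the hunk, so I could not confirm that the view resource list matches the admin one.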
--- a/charts/kyverno/templates/rbac/reports.yaml
+++ b/charts/kyverno/templates/rbac/reports.yaml
@@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ template "kyverno.rbac.roleName" . }}:reports
+ name: {{ template "kyverno.rbac.roleName" . }}:admin:reports
 labels:
- {{- include "kyverno.rbac.labels" . | nindent 4 }}
+ {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
 - apiGroups:
 - kyverno.io
@@ -21,4 +21,23 @@ rules:
 - patch
 - update
 - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:view:reports
+ labels:
+ {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - kyverno.io
+ resources:
+ - admissionreports
+ - clusteradmissionreports
+ - backgroundscanreports
+ - clusterbackgroundscanreports
+ verbs:
+ - get
+ - list
+ - watch
 {{- end -}}
diff --git a/charts/kyverno/templates/rbac/updaterequests.yaml b/charts/kyverno/templates/rbac/updaterequests.yaml
index c8eba00d32..5fa833082b 100644
--- a/charts/kyverno/templates/rbac/updaterequests.yaml
+++ b/charts/kyverno/templates/rbac/updaterequests.yaml
@@ -2,9 +2,9 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ template "kyverno.rbac.roleName" . }}:updaterequests
+ name: {{ template "kyverno.rbac.roleName" . }}:admin:updaterequests
 labels:
- {{- include "kyverno.rbac.labels" . | nindent 4 }}
+ {{- include "kyverno.rbac.labels.admin" . | nindent 4 }}
 rules:
 - apiGroups:
 - kyverno.io
@@ -18,4 +18,20 @@ rules:
 - patch
 - update
 - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "kyverno.rbac.roleName" . }}:view:updaterequests
+ labels:
+ {{- include "kyverno.rbac.labels.view" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - kyverno.io
+ resources:
+ - updaterequests
+ verbs:
+ - get
+ - list
+ - watch
 {{- end -}}
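Review bot: Aggregating `updaterequests` into the built-in `view` role (last updaterequests.yaml hunk) exposes a Kyverno-internal resource to every subject bound to `view`, a much broader audience than the `admin` aggregation this file already had. If the UpdateRequest spec embeds the triggering admission request and its object, as I believe it does, a `view`-bound user could read copies of resources the default `view` role deliberately withholds (Secrets being the usual case); that should be checked against the CRD before this merges. I would either gate the new `:view:` documents behind their own values toggle so operators opt in, or record the decision above the new document with a comment such as `{{/* read-only access for subjects aggregated into the built-in view role; confirm updaterequests carry nothing the view role should not expose */}}`. The `{{- if` that the closing `{{- end -}}` belongs to is outside the hunk.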
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
index 56f0b34aef..d79fa25da0 100644
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policies.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: kyverno:admin:policies
+ name: kyverno:rbac:admin:policies
 labels:
 rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
index 1b1a692e7a..18e5e3088a 100644
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-policyreport.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: kyverno:admin:policyreports
+ name: kyverno:rbac:admin:policyreports
 labels:
 rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
index 0c6524e20e..4182aad28c 100644
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-reports.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: kyverno:admin:reports
+ name: kyverno:rbac:admin:reports
 labels:
 rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules:
diff --git a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
index 24ff6f5c43..b079083c85 100644
--- a/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
+++ b/test/conformance/kuttl/rbac/aggregate-to-admin/admin-updaterequest.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: kyverno:admin:updaterequests
+ name: kyverno:rbac:admin:updaterequests
 labels:
 rbac.authorization.k8s.io/aggregate-to-admin: "true"
 rules: