feat: add cleanup controller BYOSA and RBAC extensions (#5580)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-04-08 10:04:25 +00:00 · 2022-12-05 18:37:44 +01:00 · 2022-12-05 18:37:44 +01:00 · aef13773fd
commit aef13773fd
parent e68be2c786
11 changed files with 74 additions and 33 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -214,6 +214,9 @@ The command removes all the Kubernetes components associated with the chart and
 | grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
 | grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
 | grafana.annotations | object | `{}` | Grafana dashboard configmap annotations. |
+| cleanupController.rbac.create | bool | `true` | Create RBAC resources |
+| cleanupController.rbac.serviceAccount.name | string | `nil` | Service account name |
+| cleanupController.rbac.clusterRole.extraResources | list | `[]` | Extra resource permissions to add in the cluster role |
 | cleanupController.enabled | bool | `true` | Enable cleanup controller. |
 | cleanupController.image.registry | string | `nil` | Image registry |
 | cleanupController.image.repository | string | `"ghcr.io/kyverno/cleanup-controller"` | Image repository |
--- a/charts/kyverno/templates/cleanup-controller/_helpers.tpl
+++ b/charts/kyverno/templates/cleanup-controller/_helpers.tpl
@ -26,4 +26,13 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 {{- else -}}
  {{ required "An image repository is required" .image.repository }}:{{ default .defaultTag .image.tag }}
 {{- end -}}
-{{- end }}
+{{- end -}}
+
+{{/* Create the name of the service account to use */}}
+{{- define "kyverno.cleanup-controller.serviceAccountName" -}}
+{{- if .Values.cleanupController.rbac.create -}}
+    {{ default (include "kyverno.cleanup-controller.deploymentName" .) .Values.cleanupController.rbac.serviceAccount.name }}
+{{- else -}}
+    {{ required "A service account name is required when `rbac.create` is set to `false`" .Values.cleanupController.rbac.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
+++ b/charts/kyverno/templates/cleanup-controller/clusterrole.yaml
@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@ -6,31 +7,41 @@ metadata:
  labels:
    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
 rules:
- apiGroups:
-    - kyverno.io
-  resources:
-    - clustercleanuppolicies
-    - cleanuppolicies
-    - clustercleanuppolicies/*
-    - cleanuppolicies/*
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
-    - deletecollection
- apiGroups:
-    - batch
-  resources:
-    - cronjobs
-  verbs:
-    - create
-    - delete
-    - get
-    - list
-    - update
-    - watch
+  - apiGroups:
+      - kyverno.io
+    resources:
+      - clustercleanuppolicies
+      - cleanuppolicies
+      - clustercleanuppolicies/*
+      - cleanuppolicies/*
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - patch
+      - update
+      - watch
+      - deletecollection
+  - apiGroups:
+      - batch
+    resources:
+      - cronjobs
+    verbs:
+      - create
+      - delete
+      - get
+      - list
+      - update
+      - watch
+  {{- with .Values.cleanupController.rbac.clusterRole.extraResources }}
+  - apiGroups:
+      {{- toYaml .apiGroups | nindent 6 }}
+    resources:
+      {{- toYaml .resources | nindent 6 }}
+    verbs:
+      - delete
+      - list
+  {{- end }}
+{{- end }}
 {{- end }}
--- a/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml
+++ b/charts/kyverno/templates/cleanup-controller/clusterrolebinding.yaml
@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.rbac.create -}}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@ -11,6 +12,7 @@ roleRef:
  name: {{ template "kyverno.cleanup-controller.deploymentName" . }}
 subjects:
 - kind: ServiceAccount
-  name: {{ template "kyverno.cleanup-controller.deploymentName" . }}
+  name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
  namespace: {{ template "kyverno.namespace" . }}
 {{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup-controller/deployment.yaml
+++ b/charts/kyverno/templates/cleanup-controller/deployment.yaml
@ -28,7 +28,7 @@ spec:
      topologySpreadConstraints:
        {{- tpl (toYaml .) $ | nindent 8 }}
      {{- end }}
-      serviceAccountName: {{ template "kyverno.cleanup-controller.deploymentName" . }}
+      serviceAccountName: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
      containers:
        - name: controller
          image: {{ include "kyverno.cleanup-controller.image" (dict "image" .Values.cleanupController.image "defaultTag" .Chart.AppVersion) | quote }}
--- a/charts/kyverno/templates/cleanup-controller/role.yaml
+++ b/charts/kyverno/templates/cleanup-controller/role.yaml
@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.rbac.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@ -16,3 +17,4 @@ rules:
    - list
    - watch
 {{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup-controller/rolebinding.yaml
+++ b/charts/kyverno/templates/cleanup-controller/rolebinding.yaml
@ -1,4 +1,5 @@
 {{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.rbac.create -}}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@ -15,3 +16,4 @@ subjects:
  name: {{ template "kyverno.cleanup-controller.deploymentName" . }}
  namespace: {{ template "kyverno.namespace" . }}
 {{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
+++ b/charts/kyverno/templates/cleanup-controller/serviceaccount.yaml
@ -1,9 +1,11 @@
 {{- if .Values.cleanupController.enabled -}}
+{{- if .Values.cleanupController.rbac.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "kyverno.cleanup-controller.deploymentName" . }}
+  name: {{ template "kyverno.cleanup-controller.serviceAccountName" . }}
  labels:
    {{- include "kyverno.cleanup-controller.labels" . | nindent 4 }}
  namespace: {{ template "kyverno.namespace" . }}
 {{- end -}}
+{{- end -}}
--- a/charts/kyverno/templates/role.yaml
+++ b/charts/kyverno/templates/role.yaml
@ -28,5 +28,4 @@ rules:
    - patch
    - update
    - watch
-
 {{- end }}
--- a/charts/kyverno/templates/rolebinding.yaml
+++ b/charts/kyverno/templates/rolebinding.yaml
@ -14,5 +14,4 @@ subjects:
 - kind: ServiceAccount
  name: {{ template "kyverno.serviceAccountName" . }}
  namespace: {{ template "kyverno.namespace" . }}
-
 {{- end }}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -477,6 +477,18 @@ grafana:
  annotations: {}

 cleanupController:
+  rbac:
+    # -- Create RBAC resources
+    create: true
+
+    serviceAccount:
+      # -- Service account name
+      name:
+
+    clusterRole:
+      # -- Extra resource permissions to add in the cluster role
+      extraResources: []
+
  # -- Enable cleanup controller.
  enabled: true