From afe496d27238d609c04598fc801350d084ecb258 Mon Sep 17 00:00:00 2001
From: Pieter Callewaert
Date: Tue, 29 Apr 2025 14:01:27 +0200
Subject: [PATCH 1/2] Update RBAC policies for helm chart
---
 .../templates/clusterrole.yaml | 33 +++++++++++
 .../templates/clusterrole_binding.yaml | 14 +++++
 .../ext-postgres-operator/templates/role.yaml | 58 +++++++------------
 .../templates/role_binding.yaml | 6 +-
 4 files changed, 72 insertions(+), 39 deletions(-)
 create mode 100644 charts/ext-postgres-operator/templates/clusterrole.yaml
 create mode 100644 charts/ext-postgres-operator/templates/clusterrole_binding.yaml
diff --git a/charts/ext-postgres-operator/templates/clusterrole.yaml b/charts/ext-postgres-operator/templates/clusterrole.yaml
new file mode 100644
index 000000000..a37699feb
--- /dev/null
+++ b/charts/ext-postgres-operator/templates/clusterrole.yaml
@@ -0,0 +1,33 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "chart.fullname" . }}
+ labels:
+ {{- include "chart.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - "*"
+ - apiGroups:
+ - apps
+ resourceNames:
+ - ext-postgres-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - db.movetokube.com
+ resources:
+ - "*"
+ verbs:
+ - "*"
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - "*"
diff --git a/charts/ext-postgres-operator/templates/clusterrole_binding.yaml b/charts/ext-postgres-operator/templates/clusterrole_binding.yaml
new file mode 100644
index 000000000..5197950f8
--- /dev/null
+++ b/charts/ext-postgres-operator/templates/clusterrole_binding.yaml
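Review bot: The `secrets` rule in the new ClusterRole uses `verbs: ["*"]`, so the operator's ServiceAccount can read, modify and delete every Secret in every namespace of the cluster; the same rule is added in deploy/cluster_role.yaml in the second patch. If the operator only needs to manage the credential Secrets it creates for its own resources, listing the verbs it actually uses (for example `get`, `list`, `watch`, `create`, `update`, `delete`) would avoid also granting `deletecollection` and any verb introduced in future API versions. The `monitoring.coreos.com`/`servicemonitors` rule carries the same wildcard and does not appear in the old ClusterRole in role.yaml, so it is a new grant worth justifying. A comment above the `secrets` rule stating why cluster-wide access is needed (which namespaces the operator writes credentials into) would let reviewers check the scope later; I cannot tell that reason from this diff.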
@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "chart.fullname" . }}
+ labels:
+ {{- include "chart.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "chart.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: {{ include "chart.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/ext-postgres-operator/templates/role.yaml b/charts/ext-postgres-operator/templates/role.yaml
index 684dea03c..ad37ae5cf 100644
--- a/charts/ext-postgres-operator/templates/role.yaml
+++ b/charts/ext-postgres-operator/templates/role.yaml
@@ -1,42 +1,28 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: {{ include "chart.fullname" . }}
 labels:
 {{- include "chart.labels" . | nindent 4 }}
 rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - services
- - endpoints
- - persistentvolumeclaims
- - events
- - configmaps
- - secrets
- verbs:
- - '*'
-- apiGroups:
- - apps
- resources:
- - deployments
- - daemonsets
- - replicasets
- - statefulsets
- verbs:
- - '*'
-- apiGroups:
- - apps
- resourceNames:
- - ext-postgres-operator
- resources:
- - deployments/finalizers
- verbs:
- - update
-- apiGroups:
- - db.movetokube.com
- resources:
- - '*'
- verbs:
- - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - services
+ verbs:
+ - "*"
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - "get"
+ - apiGroups:
+ - "apps"
+ resources:
+ - replicasets
+ - deployments
+ verbs:
+ - "get"
diff --git a/charts/ext-postgres-operator/templates/role_binding.yaml b/charts/ext-postgres-operator/templates/role_binding.yaml
index 7066cd0ba..5259dea34 100644
--- a/charts/ext-postgres-operator/templates/role_binding.yaml
+++ b/charts/ext-postgres-operator/templates/role_binding.yaml
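Review bot: The Role's first rule grants `"*"` on `secrets` in the release namespace, but the ClusterRole added in this same patch already grants `"*"` on `secrets` in every namespace and is bound to the same ServiceAccount by the new ClusterRoleBinding, so the entry here is a no-op and Secret access effectively stays cluster-wide; removing `secrets` from this Role, or narrowing the ClusterRole, would make the intended scope readable from the manifests. `configmaps` and `services` keep the `"*"` wildcard; if the operator only reads or creates them, naming those verbs would be tighter. The removed rule also covered `events`, which the new Role drops entirely; if the controller records Kubernetes Events those writes will now be denied, so this should be checked against the controller code. The same rules appear in the deploy/role.yaml hunk of the second patch.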
@@ -1,4 +1,4 @@
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: {{ include "chart.fullname" . }}
@@ -9,6 +9,6 @@ subjects:
 name: {{ include "chart.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 roleRef:
- kind: ClusterRole
- name: {{ include "chart.serviceAccountName" . }}
+ kind: Role
+ name: {{ include "chart.fullname" . }}
 apiGroup: rbac.authorization.k8s.io
From 300584699792bec46f84114a8e6c0899548c5d5f Mon Sep 17 00:00:00 2001
From: Pieter Callewaert
Date: Thu, 8 May 2025 13:15:23 +0200
Subject: [PATCH 2/2] Include kustomization changes (#102)
---
 deploy/cluster_role.yaml | 31 +++++++++++++++++
 deploy/cluster_role_binding.yaml | 11 ++++++
 deploy/kustomization.yaml | 14 ++++----
 deploy/role.yaml | 58 ++++++++++++--------------
 deploy/role_binding.yaml | 8 ++---
 5 files changed, 76 insertions(+), 46 deletions(-)
 create mode 100644 deploy/cluster_role.yaml
 create mode 100644 deploy/cluster_role_binding.yaml
diff --git a/deploy/cluster_role.yaml b/deploy/cluster_role.yaml
new file mode 100644
index 000000000..37104b321
--- /dev/null
+++ b/deploy/cluster_role.yaml
@@ -0,0 +1,31 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ext-postgres-operator
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - "*"
+ - apiGroups:
+ - apps
+ resourceNames:
+ - ext-postgres-operator
+ resources:
+ - deployments/finalizers
+ verbs:
+ - update
+ - apiGroups:
+ - db.movetokube.com
+ resources:
+ - "*"
+ verbs:
+ - "*"
+ - apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - servicemonitors
+ verbs:
+ - "*"
diff --git a/deploy/cluster_role_binding.yaml b/deploy/cluster_role_binding.yaml
new file mode 100644
index 000000000..0d8069181
--- /dev/null
+++ b/deploy/cluster_role_binding.yaml
@@ -0,0 +1,11 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: ext-postgres-operator
+subjects:
+ - kind: ServiceAccount
+ name: ext-postgres-operator
+roleRef:
+ kind: ClusterRole
+ name: ext-postgres-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/kustomization.yaml b/deploy/kustomization.yaml
index 50eebf9cc..72753570d 100644
--- a/deploy/kustomization.yaml
+++ b/deploy/kustomization.yaml
@@ -4,9 +4,11 @@ kind: Kustomization
 namespace: operators
 resources:
-- crds/db.movetokube.com_postgres_crd.yaml
-- crds/db.movetokube.com_postgresusers_crd.yaml
-- operator.yaml
-- role.yaml
-- role_binding.yaml
-- service_account.yaml
+ - crds/db.movetokube.com_postgres_crd.yaml
+ - crds/db.movetokube.com_postgresusers_crd.yaml
+ - operator.yaml
+ - cluster_role.yaml
+ - cluster_role_binding.yaml
+ - role.yaml
+ - role_binding.yaml
+ - service_account.yaml
diff --git a/deploy/role.yaml b/deploy/role.yaml
index fe890467a..f803d4b21 100644
--- a/deploy/role.yaml
+++ b/deploy/role.yaml
@@ -1,40 +1,26 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: ext-postgres-operator
 rules:
-- apiGroups:
- - ""
- resources:
- - pods
- - services
- - endpoints
- - persistentvolumeclaims
- - events
- - configmaps
- - secrets
- verbs:
- - '*'
-- apiGroups:
- - apps
- resources:
- - deployments
- - daemonsets
- - replicasets
- - statefulsets
- verbs:
- - '*'
-- apiGroups:
- - apps
- resourceNames:
- - ext-postgres-operator
- resources:
- - deployments/finalizers
- verbs:
- - update
-- apiGroups:
- - db.movetokube.com
- resources:
- - '*'
- verbs:
- - '*'
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - secrets
+ - services
+ verbs:
+ - "*"
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - "get"
+ - apiGroups:
+ - "apps"
+ resources:
+ - replicasets
+ - deployments
+ verbs:
+ - "get"
diff --git a/deploy/role_binding.yaml b/deploy/role_binding.yaml
index bd95e040a..7c3bee492 100644
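Review bot: The ServiceAccount subject in deploy/cluster_role_binding.yaml has no `namespace`, which the API server's RBAC validation requires for `kind: ServiceAccount` subjects, whereas the Helm counterpart in the first patch sets `namespace: {{ .Release.Namespace }}`. The kustomization.yaml in the same directory sets `namespace: operators` and kustomize's namespace transformer may inject it into the subject, but whether it does depends on the kustomize version and its transformer configuration, and anyone applying the file directly gets a validation error. Adding `namespace: operators` under the subject, next to `name: ext-postgres-operator`, makes the binding valid and explicit either way.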
--- a/deploy/role_binding.yaml
+++ b/deploy/role_binding.yaml
@@ -1,11 +1,11 @@
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
 name: ext-postgres-operator
 subjects:
-- kind: ServiceAccount
- name: ext-postgres-operator
+ - kind: ServiceAccount
+ name: ext-postgres-operator
 roleRef:
- kind: ClusterRole
+ kind: Role
 name: ext-postgres-operator
 apiGroup: rbac.authorization.k8s.io