From a7d2d3f192f203abdd67fdd93e79d8bcafda9e0f Mon Sep 17 00:00:00 2001 From: John Mazzitelli Date: Tue, 23 Jul 2024 14:32:30 -0400 Subject: [PATCH] Removing accessible namespaces as part of the new discovery selector support. part of: kiali/kiali#7546 part of KEP: https://github.com/kiali/kiali/blob/master/design/KEPS/namespace-discovery/proposal.md --- README.adoc | 2 +- kiali-operator/templates/clusterrole.yaml | 2 +- kiali-operator/templates/deployment.yaml | 4 +--- kiali-operator/values.yaml | 26 ++++++----------------- kiali-server/values.yaml | 7 +++--- 5 files changed, 13 insertions(+), 28 deletions(-) diff --git a/README.adoc b/README.adoc index 7584d81..fd4346b 100644 --- a/README.adoc +++ b/README.adoc @@ -65,7 +65,7 @@ helm uninstall -n kiali-operator kiali-operator ==== Overriding values -You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "deployment.accessible_namespaces={bookinfo,demo2}"`. You can set individual list items using square brackets: `--set deployment.accessible_namespaces[0]=bookinfo`. +You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "kubernetes_config.excluded_workloads={CronJob,Job}"`. You can set individual list items using square brackets: `--set kubernetes_config.excluded_workloads[0]=CronJob`. If you locally built and pushed your Kiali server and Kiali operator images to your cluster, you can have the helm chart installations pull those images by the following settings: 
diff --git a/kiali-operator/templates/clusterrole.yaml b/kiali-operator/templates/clusterrole.yaml
index 961b56b..23bfb28 100644
--- a/kiali-operator/templates/clusterrole.yaml
+++ b/kiali-operator/templates/clusterrole.yaml
@@ -113,7 +113,7 @@ rules:
 - list
 - apiGroups: ["rbac.authorization.k8s.io"]
 resources:
- {{- if or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.clusterRoleCreator) }}
+ {{- if or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.clusterRoleCreator) }}
 - clusterrolebindings
 - clusterroles
 {{- end }}
diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
index ced80b4..a46074e 100644
--- a/kiali-operator/templates/deployment.yaml
+++ b/kiali-operator/templates/deployment.yaml
@@ -87,9 +87,7 @@ spec:
 - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
 value: {{ .Values.allowSecurityContextOverride | quote }}
 - name: ALLOW_ALL_ACCESSIBLE_NAMESPACES
- value: {{ or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.allowAllAccessibleNamespaces) | quote }}
- - name: ACCESSIBLE_NAMESPACES_LABEL
- value: {{ .Values.accessibleNamespacesLabel | quote }}
+ value: {{ or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.allowAllAccessibleNamespaces) | quote }}
 - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
 value: "100"
 - name: ANSIBLE_DEBUG_LOGS
diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
index 0ece40f..aefc617 100644
--- a/kiali-operator/values.yaml
+++ b/kiali-operator/values.yaml
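Review bot: The rewritten `{{- if ... }}` in clusterrole.yaml now decides the `clusterroles`/`clusterrolebindings` grant by plain truthiness of `cr.spec.deployment.cluster_wide_access`, so a quoted value such as `cluster_wide_access: "false"` (what `--set-string` or a values file that quotes booleans produces) is a non-empty string and still grants the cluster-scoped RBAC, whereas the removed `has "**"` test always yielded a real boolean. Comparing against the canonical form closes that gap: `{{- if or (and (.Values.cr.create) (eq (toString .Values.cr.spec.deployment.cluster_wide_access) "true")) (.Values.clusterRoleCreator) }}`. The `ALLOW_ALL_ACCESSIBLE_NAMESPACES` value in the deployment.yaml hunk repeats the same expression and should change in step, ideally through one named template so the RBAC grant and the env var cannot drift apart. The enclosing `rules` list begins before this hunk.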
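Review bot: Removing the `ACCESSIBLE_NAMESPACES_LABEL` env var in deployment.yaml takes away the only admin-side restriction on which namespaces a Kiali CR author could target, and the `@@ -83,22 +83,12 @@` hunk of kiali-operator/values.yaml deletes the matching `accessibleNamespacesLabel` documentation without saying whether `discovery_selectors` has an equivalent guard. If the operator still reads that env var, the default it now falls back to belongs in a comment here; if the restriction is intentionally gone, the `allowAllAccessibleNamespaces` comment in values.yaml should say so. A one-line note above `ALLOW_ALL_ACCESSIBLE_NAMESPACES` would record the change: `# ACCESSIBLE_NAMESPACES_LABEL was removed together with accessible_namespaces; namespace scope now comes from cluster_wide_access and discovery_selectors in the CR.` The `env` list begins before this hunk.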
@@ -39,9 +39,9 @@ debug: watchNamespace: "" # Set to true if you want the operator to be able to create cluster roles. This is necessary -# if you want to support Kiali CRs with spec.deployment.accessible_namespaces of '**'. +# if you want to support Kiali CRs with spec.deployment.cluster_wide_access=true. # Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also. -# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**']. +# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true. clusterRoleCreator: true # Set to a list of secrets in the cluster that the operator will be allowed to read. This is necessary if you want to 
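Review bot: The rewritten `+# Note that this will be overriden ...` line keeps the misspelling `overriden`; since the line is being replaced anyway, `# Note that this will be overridden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.` The identical line recurs in the `@@ -83,22 +83,12 @@` hunk below. The wording also overstates what happens: the templates in this patch only `or` the two values together, so `clusterRoleCreator: false` is not rewritten, it is merely bypassed; `# Note that cr.create=true with cr.spec.deployment.cluster_wide_access=true has the same effect as setting this to "true".` describes the actual behaviour.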
@@ -83,22 +83,12 @@ allowAdHocOSSMConsoleImage: false allowSecurityContextOverride: false # allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali -# to access all namespaces in the cluster via spec.deployment.accessible_namespaces=['**']. -# If this is false, the user must specify an explicit list of namespaces in the Kiali CR. +# to access all namespaces in the cluster via spec.deployment.cluster_wide_access=true. +# If this is false, the user must specify an explicit set of namespaces in the Kiali CR via spec.deployment.discovery_selectors. # Setting this to "true" requires clusterRoleCreator to be "true" also. -# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**']. +# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true. allowAllAccessibleNamespaces: true -# accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces. -# This value is either an empty string (which disables this feature) or a label name with an optional label value -# (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in -# spec.deployment.accessible_namespaces. Any namespace not labeled properly but specified in accessible_namespaces will cause -# the operator to abort the Kiali installation. -# If just a label name (but no label value) is specified, the label value the operator will look for is the value of -# the Kiali CR's spec.istio_namespace. In other words, the operator will look for the named label whose value must be the name -# of the Istio control plane namespace (which is typically, but not necessarily, "istio-system"). -accessibleNamespacesLabel: "" - # watchesFile: If specified, this determines what watches file will be used to configure the operator. 
There are four different # files that can be selected: (a) `watches-os.yaml`, (b) `watches-os-ns.yaml`, (c) `watches-k8s.yaml` or (d) `watches-k8s-ns.yaml`. # The first two are for OpenShift only, the last two are for non-OpenShift Kubernetes clusters. The two with "-ns" in their name @@ -107,8 +97,7 @@ accessibleNamespacesLabel: "" # the default behavior and is not necessary if your Kiali CRs will have `spec.deployment.cluster_wide_access` set to `true`. watchesFile: "" -# For what a Kiali CR spec can look like, see: -# https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml +# For what a Kiali CR spec can look like, see: https://kiali.io/docs/configuration/kialis.kiali.io/ cr: create: false name: kiali @@ -122,5 +111,4 @@ cr: spec: deployment: - accessible_namespaces: - - '**' + cluster_wide_access: true \ No newline at end of file diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml index a3d0bdd..82b09a8 100644 --- a/kiali-server/values.yaml +++ b/kiali-server/values.yaml @@ -37,15 +37,14 @@ clustering: clusters: [] deployment: - # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything. - # For more control over what the Kial Service Account can see, use the Kiali Operator - accessible_namespaces: - - "**" additional_service_yaml: {} affinity: node: {} pod: {} pod_anti: {} + # This server helm chart sets up a Service Account that allows Kiali to see all namespaces in the cluster. + # For more control over what the Kial Service Account can see, use the Kiali Operator. + cluster_wide_access: true configmap_annotations: {} custom_secrets: [] dns:
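Review bot: The new `cluster_wide_access: true` line in kiali-operator/values.yaml is also where the file loses its final newline (`\ No newline at end of file`), so the next edit to this key will show as a spurious change on this line; end the file with a newline. Shipping `true` as the sample CR default preserves the old `'**'` behaviour, but a user who adds `discovery_selectors` without also setting this key to `false` still satisfies the cluster-scoped RBAC condition in clusterrole.yaml; a comment above the key would make the choice explicit: `# true keeps the previous '**' behaviour; set to false and add discovery_selectors to limit Kiali to selected namespaces.`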
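Review bot: The added comment in kiali-server/values.yaml no longer states that the key only narrows what Kiali attempts to see, not what its Service Account is permitted to see, and it carries over the old `Kial` typo; now that the key is named `cluster_wide_access` it reads like an access control, so that caveat matters more than before. Suggested wording: `# This only limits what Kiali will attempt to see; the Service Account this chart creates can see all namespaces regardless.` followed by `# For more control over what the Kiali Service Account can see, use the Kiali Operator.` The `deployment:` mapping continues past the end of this hunk.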