From 26c90f4c009fbd667d8483257a8904a51c67f298 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafael=20Fern=C3=A1ndez=20L=C3=B3pez?=
Date: Sat, 10 Apr 2021 00:33:49 +0200
Subject: [PATCH] Add context awareness RBAC permissions

The `policy-server` requires to list well known resources, so context-aware policies can take decisions based on this information. While this permissions, and what resources can be listed and watched will be customizable in the future, right now is a fixed set of resources: - Namespaces - Services - Ingresses This list is customizable by overriding the helm chart `values.yaml`.
---
 charts/kubewarden-controller/Chart.yaml | 4 +--
 .../templates/deployment.yaml | 1 +
 .../templates/policy-server-rbac.yaml | 32 +++++++++++++++++++
 charts/kubewarden-controller/values.yaml | 12 ++++++-
 4 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 charts/kubewarden-controller/templates/policy-server-rbac.yaml

diff --git a/charts/kubewarden-controller/Chart.yaml b/charts/kubewarden-controller/Chart.yaml
index 9b987c87..ad5a510e 100644
--- a/charts/kubewarden-controller/Chart.yaml
+++ b/charts/kubewarden-controller/Chart.yaml
@@ -7,7 +7,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.6
+version: 0.1.7
 
 # This is the version of kubewarden-controller container image to be used
-appVersion: "v0.1.0"
+appVersion: "v0.1.3"
diff --git a/charts/kubewarden-controller/templates/deployment.yaml b/charts/kubewarden-controller/templates/deployment.yaml
index 336a0e59..f45ff0b9 100644
--- a/charts/kubewarden-controller/templates/deployment.yaml
+++ b/charts/kubewarden-controller/templates/deployment.yaml
@@ -39,6 +39,7 @@ spec:
 - --metrics-addr=127.0.0.1:8080
 - --enable-leader-election
 - --deployments-namespace={{ .Release.Namespace }}
+ - --deployments-service-account-name={{ .Values.policyServer.serviceAccountName }}
 command:
 - /manager
 image: '{{ .Values.image.repository | default "ghcr.io/kubewarden/kubewarden-controller" }}:{{ .Values.image.tag | default .Chart.AppVersion }}'
diff --git a/charts/kubewarden-controller/templates/policy-server-rbac.yaml b/charts/kubewarden-controller/templates/policy-server-rbac.yaml
new file mode 100644
index 00000000..79d6fe52
--- /dev/null
+++ b/charts/kubewarden-controller/templates/policy-server-rbac.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.policyServer.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kubewarden-context-watcher
+rules:
+{{- range .Values.policyServer.permissions }}
+- apiGroups:
+ - {{ .apiGroup | quote }}
+ resources: {{ .resources | toJson }}
+ verbs:
+ - list
+ - watch
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kubewarden-context-watcher
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.policyServer.serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: kubewarden-context-watcher
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/kubewarden-controller/values.yaml b/charts/kubewarden-controller/values.yaml
index 617677fe..7c48facb 100644
--- a/charts/kubewarden-controller/values.yaml
+++ b/charts/kubewarden-controller/values.yaml
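Review bot: The new argument interpolates `.Values.policyServer.serviceAccountName` bare, so a values override that leaves it empty renders `--deployments-service-account-name=` and the release installs without complaint; a render-time guard fails early instead: `- --deployments-service-account-name={{ required "policyServer.serviceAccountName must be set" .Values.policyServer.serviceAccountName }}`. The same value names the ServiceAccount and the binding subject in the new policy-server-rbac.yaml, so an empty value would presumably also yield RBAC objects the API server rejects. The enclosing container spec starts and ends outside the hunk.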
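Review bot: The ClusterRole, the ClusterRoleBinding and its roleRef all use the fixed name `kubewarden-context-watcher`, so two releases of this chart (for example in different namespaces) would contend for the same cluster-scoped objects even though the ServiceAccount they bind is correctly scoped to `.Release.Namespace`; deriving the name from the release avoids that, e.g. `name: {{ .Release.Name }}-context-watcher` in all three places. On the access side the template pins the verbs to `list` and `watch`, which is the right least-privilege shape, but every entry of `.Values.policyServer.permissions` becomes a cluster-wide grant regardless of whether the resource is namespaced; a comment above the `range`, `# Each permissions entry is a cluster-wide list/watch grant for the policy-server; review value overrides as an RBAC change.`, would keep that visible to whoever edits the template next. If an entry omits `resources`, `toJson` renders `null`, which API validation will most likely reject with an unhelpful message, so wrapping it as `resources: {{ required "permissions[].resources must be set" .resources | toJson }}` gives a clearer error at render time.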
@@ -15,10 +15,20 @@ nodeSelector: {}
 tolerations: []
 affinity: {}
 
-
 # Policy Server settings
 policyServer:
 replicaCount: 1
 image:
 repository: ghcr.io/kubewarden/policy-server
 tag: "v0.1.2"
+ serviceAccountName: policy-server
+# All permissions are cluster-wide. Even namespaced resources are
+# granted access in all namespaces at this time.
+ permissions:
+ - apiGroup: ""
+ resources:
+ - namespaces
+ - services
+ - apiGroup: "networking.k8s.io"
+ resources:
+ - ingresses
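Review bot: The two comment lines above `permissions:` sit at column 0 while the key they describe is indented under `policyServer`, so they read as a stray top-level comment; indent them to the key and state the consequence of an entry, since policy-server-rbac.yaml turns each one into a cluster-wide `list`/`watch` grant for the policy-server service account: `  # All permissions are cluster-wide: every resource listed here can be listed` / `  # and watched in every namespace by the policy-server service account, so` / `  # treat additions as an RBAC change.` The default entries match the commit message (namespaces, services, ingresses) and the two `apiGroup` values are quoted, which is correct since the empty core group would otherwise render as null.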