Add RBAC to helm chart (#1373)

This PR fixes #1367 with the minimum needed (plus the basics of annotations and labels, since some clusters need those for extra verifications, OPA, Kyverno, etc.). The added role is the minimum access I could get away with (tested each verb and resource individually), since the Kubernetes go library seems to use list and get even when not strictly necessary. I've defaulted to inactive, setting the serviceAccount.rbac.create=true will create the Role and roleBinding. The changes only affect the woodpecker-agent chart, as the woodpecker-server chart currently does nothing directly # Tests - [x] non default namespace (roleBindung uses namespace in a not automatically rewritten position) - [x] rbac.create enabled and disabled (nothing changes for disabled, since the templates use a guard) - [x] custom serviceAccount name - [x] both roleBinding and role with no annotations, no lables, single a&l, multiple each - [x] helm deploy to Kubernetes, with all settings mentioned above # Documentation Added in the comments of the values.yaml. Taking it into the docs might be helpful, but the Kubernetes section in the next docs is fairly empty, possibly open a new issue and solve when the chart for next is mostly done.
2025-02-17 03:45:13 +00:00 · 2022-10-30 22:47:58 +01:00 · 2022-10-30 22:47:58 +01:00 · e61f97f8ac
commit e61f97f8ac
parent 280d27d723
3 changed files with 65 additions and 1 deletions
--- a/charts/woodpecker-agent/templates/role.yaml
+++ b/charts/woodpecker-agent/templates/role.yaml
@ -0,0 +1,27 @@
+{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.rbac.create) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "woodpecker-agent.serviceAccountName" . }}
+  labels:
+    {{- include "woodpecker-agent.labels" . | nindent 4 }}
+    {{- with .Values.serviceAccount.rbac.role.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.serviceAccount.rbac.role.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups: [''] # '' indicates core apiGroup (don't remove)
+    resources: ['persistentvolumeclaims']
+    verbs: ['create','delete']
+  - apiGroups: ['']
+    resources: ['services']
+    verbs: ['create','delete']
+  - apiGroups: ['']
+    resources:
+      - pods
+      - pods/log
+    verbs: ['watch','create','delete','get','list']
+{{- end }}
--- a/charts/woodpecker-agent/templates/rolebinding.yaml
+++ b/charts/woodpecker-agent/templates/rolebinding.yaml
@ -0,0 +1,23 @@
+{{- if and (.Values.serviceAccount.create) (.Values.serviceAccount.rbac.create) -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "woodpecker-agent.serviceAccountName" . }}
+  labels:
+    {{- include "woodpecker-agent.labels" . | nindent 4 }}
+    {{- with .Values.serviceAccount.rbac.roleBinding.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.serviceAccount.rbac.roleBinding.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "woodpecker-agent.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "woodpecker-agent.serviceAccountName" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
--- a/charts/woodpecker-agent/values.yaml
+++ b/charts/woodpecker-agent/values.yaml
@ -31,13 +31,27 @@ nameOverride: ""
 fullnameOverride: ""

 serviceAccount:
-  # Specifies whether a service account should be created
+  # Specifies whether a service account should be created (also see RBAC subsection)
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
+  rbac:
+    # If your cluster has RBAC enabled and you're using the Kubernetes agent-
+    # backend you'll need this. (this is true for almost all production clusters)
+    # only change this if you have a non CNCF compliant cluster, missing the RBAC endpoints
+    # the Role and RoleBinding are only created if serviceAccount.create is also true
+    create: true
+    # additional annotations and labels in role and roleBinding are only needed, if you
+    # are using additional tooling to manage / verify roles or roleBindings (OPA, etc.)
+    role:
+      annotations: {}
+      labels: {}
+    roleBinding:
+      annotations: {}
+      labels: {}

 podAnnotations: {}