feat(rbac) support cluster-scoped always (#611)

* feat(rbac) support cluster-scoped always When watchNamespaces is non-empty, create a ClusterRole that contains cluster-scoped resources only. Remove endpoints from the cluster resource template. They appear to have been included by mistake. Configure one of the CI values to use watchNamespaces. Remove cluster plugin disable setting when watchNamespaces enabled.
Kong · Jul 25, 2022 · aa8ac50 · aa8ac50
1 parent e9c77a5
commit aa8ac50
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 24 deletions.
diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md
@@ -2,7 +2,10 @@
 
 ## Unreleased
 
-Nothing yet.
+### Improvements
+
+* Added ClusterRole for cluster-scoped resources when using watchNamespaces.
+  [#611](https://github.com/Kong/charts/issues/611)
 
 ## 2.11.0
 

diff --git a/charts/kong/README.md b/charts/kong/README.md
@@ -532,28 +532,18 @@ resource.
 ### Removing cluster-scoped permissions
 
 You can limit the controller's access to allow it to only watch specific
-namespaces for resources. By default, the controller watches all namespaces.
-Limiting access requires several changes to configuration:
+namespaces for namespaced resources. By default, the controller watches all
+namespaces. Limiting access requires several changes to configuration:
 
 - Set `ingressController.watchNamespaces` to a list of namespaces you want to
   watch. The chart will automatically generate roles for each namespace and
   assign them to the controller's service account.
-- Set `ingressController.env.enable_controller_kongclusterplugin=false` and
-  `ingressController.env.enable_controller_ingress_class_networkingv1=false`.
-  These are cluster-scoped resources, and controllers with no ClusterRole
-  cannot access them.
 - Optionally set `ingressContrller.installCRDs=false` if your user role (the
   role you use when running `helm install`, not the controller service
   account's role) does not have access to get CRDs. By default, the chart
   attempts to look up the controller CRDs for [a legacy behavior
   check](#crd-management).
 
-Because there is no namespaced version of IngressClass, controllers without
-cluster-scoped permissions cannot access them. The controller will rely
-entirely on whether the ingress class annotation or `ingressClassName` value
-matches the value set by `--ingress-class` or `CONTROLLER_INGRESS_CLASS` to
-determine which Ingresses it should use.
-
 ### Using a DaemonSet
 
 Setting `deployment.daemonset: true` deploys Kong using a [DaemonSet

diff --git a/charts/kong/ci/test2-values.yaml b/charts/kong/ci/test2-values.yaml
@@ -2,12 +2,15 @@
 # - ingressController deploys with a database
 # - stream listens work
 # - a mixture of controller, Kong, and shared volumes successfully mount
+# - watchNamespaces is set
 ingressController:
   enabled: true
   env:
     anonymous_reports: "false"
   customEnv:
     TZ: "Europe/Berlin"
+  watchNamespaces:
+  - default
 postgresql:
   enabled: true
   auth:

diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl
@@ -369,7 +369,6 @@ The name of the service used for the ingress controller's validation webhook
 {{- end }}
 {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }}
   {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}}
-  {{- $_ := set $autoEnv "CONTROLLER_ENABLE_CONTROLLER_KONGCLUSTERPLUGIN" false -}}
 {{- end }}
 
 {{/*
@@ -1161,13 +1160,6 @@ of a Role or ClusterRole) that provide the ingress controller access to the
 Kubernetes Cluster-scoped resources it uses to build Kong configuration.
 */}}
 {{- define "kong.kubernetesRBACClusterRules" -}}
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  verbs:
-  - list
-  - watch
 - apiGroups:
   - configuration.konghq.com
   resources:

diff --git a/charts/kong/templates/controller-rbac-resources.yaml b/charts/kong/templates/controller-rbac-resources.yaml
@@ -140,6 +140,30 @@ subjects:
   - kind: ServiceAccount
     name: {{ template "kong.serviceAccountName" $ }}
     namespace: {{ template "kong.namespace" $ }}
-{{- end -}}
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+  name: {{ template "kong.fullname" . }}
+rules:
+{{ include "kong.kubernetesRBACClusterRules" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "kong.fullname" . }}
+  labels:
+    {{- include "kong.metaLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "kong.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "kong.serviceAccountName" . }}
+    namespace: {{ template "kong.namespace" . }}
 {{- end -}}
 {{- end -}}
diff --git a/charts/kong/values.yaml b/charts/kong/values.yaml
@@ -470,8 +470,8 @@ ingressController:
   # when no namespaces are set, the controller watches all namespaces and uses a
   # ClusterRole to grant access to Kubernetes resources. When you list specific
   # namespaces, the controller will watch those namespaces only and will create
-  # namespaced-scoped Roles for each of them. Note that watching specific namespaces
-  # disables KongClusterPlugin usage, as KongClusterPlugins only exist as cluster resources.
+  # namespaced-scoped Roles for each of them. The controller will still use a
+  # ClusterRole for cluster-scoped resources.
   # Requires controller 2.0.0 or newer.
   watchNamespaces: []