Run with fewer privileges

This commit updates the Helm chart to avoid running as cluster-admin. Instead, the controller runs only with the privileges it needs 'out of the box'; i.e. to manage all core OAM types, as well as deployments and services. The commit also includes a few small chart hygiene fixes; i.e. ensuring that names will not collide when multiple releases exist in the same cluster, and that all resources include the standard labels. Signed-off-by: Nic Cope <negz@rk0n.org>
crossplane · Oct 6, 2020 · cb5b699 · cb5b699
1 parent 35e41b0
commit cb5b699
Showing 1 changed file with 49 additions and 8 deletions.
diff --git a/charts/oam-kubernetes-runtime/templates/oam-controller.yaml b/charts/oam-kubernetes-runtime/templates/oam-controller.yaml
@@ -4,19 +4,58 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
-  labels:
-  {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
-  {{- end }}
+  labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
+{{- end }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "oam-kubernetes-runtime.fullname" . }}
+  labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
+aggregationRule:
+  clusterRoleSelectors:
+  - matchLabels:
+      rbac.oam.dev/aggregate-to-controller: "true"
+
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "oam-kubernetes-runtime.fullname" . }}:system:aggregate-to-controller
+  labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
+  labels:
+    rbac.oam.dev/aggregate-to-controller: "true"
+rules:
+- apiGroups:
+  - core.oam.dev
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - apps
+  resources:
+  - deployment
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - service
+  verbs:
+  - "*"
 
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: manager-rolebinding
+  name: {{ include "oam-kubernetes-runtime.fullname" . }}
+  labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: "cluster-admin"
+  name: {{ include "oam-kubernetes-runtime.fullname" . }}
 subjects:
   - kind: ServiceAccount
     name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}
@@ -27,7 +66,8 @@ subjects:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: leader-election-role
+  name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
+  labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
 rules:
   - apiGroups:
       - ""
@@ -60,11 +100,12 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: leader-election-rolebinding
+  name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
+  labels: {{ include "oam-kubernetes-runtime.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: leader-election-role
+  name: {{ include "oam-kubernetes-runtime.fullname" . }}-leader-election
 subjects:
   - kind: ServiceAccount
     name: {{ include "oam-kubernetes-runtime.serviceAccountName" . }}