feat: multi namespace RBAC manifests
jnoordsij authored Jul 31, 2023
1 parent 518a392 commit 43e535c
Showing 4 changed files with 172 additions and 16 deletions.
4 changes: 2 additions & 2 deletions traefik/templates/_helpers.tpl
Expand Up @@ -108,10 +108,10 @@ Users can provide an override for an explicit service they want bound via `.Valu
Construct a comma-separated list of whitelisted namespaces
*/}}
{{- define "providers.kubernetesIngress.namespaces" -}}
{{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }}
{{- end -}}
{{- define "providers.kubernetesCRD.namespaces" -}}
{{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }}
{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }}
{{- end -}}

{{/*
23 changes: 15 additions & 8 deletions traefik/templates/rbac/role.yaml
@@ -1,11 +1,17 @@
{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}}

{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}
{{- range $allNamespaces }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
name: {{ template "traefik.fullname" $ }}
namespace: {{ . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- include "traefik.labels" $ | nindent 4 }}
rules:
- apiGroups:
- ""
Expand All @@ -17,7 +23,7 @@ rules:
- get
- list
- watch
{{- if .Values.providers.kubernetesIngress.enabled }}
{{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }}
- apiGroups:
- extensions
- networking.k8s.io
Expand All @@ -35,7 +41,7 @@ rules:
verbs:
- update
{{- end -}}
{{- if .Values.providers.kubernetesCRD.enabled }}
{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }}
- apiGroups:
- traefik.io
{{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }}
Expand All @@ -59,14 +65,15 @@ rules:
- list
- watch
{{- end -}}
{{- if .Values.podSecurityPolicy.enabled }}
{{- if $.Values.podSecurityPolicy.enabled }}
- apiGroups:
- extensions
resourceNames:
- {{ template "traefik.fullname" . }}
- {{ template "traefik.fullname" $ }}
resources:
- podsecuritypolicies
verbs:
- use
{{- end -}}
{{- end -}}
{{- end -}}
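Review bot: `$allNamespaces` is built from both providers' `namespaces` lists without consulting `.Values.providers.kubernetesIngress.enabled` or `.Values.providers.kubernetesCRD.enabled`, so a namespace listed under a provider that is switched off still gets a Role whose first `apiGroups: ""` rule (visibly outside any provider guard) grants get/list/watch there, plus the matching RoleBinding; the new `has` guards only trim the provider-specific rules. Gating each list on its flag, e.g. `{{- $ingressNamespaces := ternary (default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces) (list) .Values.providers.kubernetesIngress.enabled -}}` (same shape for `$CRDNamespaces`), and piping `$allNamespaces` through `default (include "traefik.namespace" . | list)` so the release namespace keeps its Role when both lists are empty, limits the manifests to namespaces the enabled providers presumably watch. The identical list construction in rolebinding.yaml would need the same change. The `range` opened in the first hunk of this section is closed by the final `{{- end -}}` in its last hunk; the rules between hunks are not visible here.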
19 changes: 13 additions & 6 deletions traefik/templates/rbac/rolebinding.yaml
@@ -1,17 +1,24 @@
{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}}

{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}
{{- range $allNamespaces }}
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "traefik.fullname" . }}
namespace: {{ template "traefik.namespace" . }}
name: {{ template "traefik.fullname" $ }}
namespace: {{ . }}
labels:
{{- include "traefik.labels" . | nindent 4 }}
{{- include "traefik.labels" $ | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "traefik.fullname" . }}
name: {{ template "traefik.fullname" $ }}
subjects:
- kind: ServiceAccount
name: {{ include "traefik.serviceAccountName" . }}
namespace: {{ template "traefik.namespace" . }}
name: {{ include "traefik.serviceAccountName" $ }}
namespace: {{ template "traefik.namespace" $ }}
{{- end -}}
{{- end -}}
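Review bot: The three `$ingressNamespaces` / `$CRDNamespaces` / `$allNamespaces` lines at the top of this file duplicate role.yaml verbatim, and if the two copies ever drift a Role without its RoleBinding (or the reverse) is rendered silently. This commit already adds namespace-defaulting helpers in _helpers.tpl, so both templates could derive the lists from them, e.g. `{{- $ingressNamespaces := splitList "," (include "providers.kubernetesIngress.namespaces" .) -}}` and the CRD equivalent, leaving a single place where the defaulting rule lives. Minor style point: the `{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}` here lacks the trailing `-}}` that role.yaml uses, so the RoleBinding output starts with a blank line before the first `---`.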
142 changes: 142 additions & 0 deletions traefik/tests/rbac-config_test.yaml
Expand Up @@ -175,6 +175,148 @@ tests:
path: metadata.namespace
value: NAMESPACE
template: rbac/serviceaccount.yaml
- it: should use multiple namespaces if provided to kubernetesCRD
set:
providers:
kubernetesCRD:
namespaces:
- default
- foo
rbac:
namespaced: true
asserts:
- hasDocuments:
count: 3
template: rbac/role.yaml
- hasDocuments:
count: 3
template: rbac/rolebinding.yaml
- equal:
path: metadata.namespace
value: NAMESPACE
template: rbac/role.yaml
documentIndex: 0
- equal:
path: metadata.namespace
value: default
template: rbac/role.yaml
documentIndex: 1
- equal:
path: metadata.namespace
value: foo
template: rbac/role.yaml
documentIndex: 2
- equal:
path: metadata.namespace
value: NAMESPACE
template: rbac/rolebinding.yaml
documentIndex: 0
- equal:
path: metadata.namespace
value: default
template: rbac/rolebinding.yaml
documentIndex: 1
- equal:
path: metadata.namespace
value: foo
template: rbac/rolebinding.yaml
documentIndex: 2
- it: should use multiple namespaces if provided to kubernetesIngress
set:
providers:
kubernetesIngress:
namespaces:
- default
- bar
rbac:
namespaced: true
asserts:
- hasDocuments:
count: 3
template: rbac/role.yaml
- hasDocuments:
count: 3
template: rbac/rolebinding.yaml
- equal:
path: metadata.namespace
value: default
template: rbac/role.yaml
documentIndex: 0
- equal:
path: metadata.namespace
value: bar
template: rbac/role.yaml
documentIndex: 1
- equal:
path: metadata.namespace
value: NAMESPACE
template: rbac/role.yaml
documentIndex: 2
- equal:
path: metadata.namespace
value: default
template: rbac/rolebinding.yaml
documentIndex: 0
- equal:
path: metadata.namespace
value: bar
template: rbac/rolebinding.yaml
documentIndex: 1
- equal:
path: metadata.namespace
value: NAMESPACE
template: rbac/rolebinding.yaml
documentIndex: 2
- it: should use multiple namespaces if provided to both providers
set:
providers:
kubernetesCRD:
namespaces:
- default
- foo
kubernetesIngress:
namespaces:
- default
- bar
rbac:
namespaced: true
asserts:
- hasDocuments:
count: 3
template: rbac/role.yaml
- hasDocuments:
count: 3
template: rbac/rolebinding.yaml
- equal:
path: metadata.namespace
value: default
template: rbac/role.yaml
documentIndex: 0
- equal:
path: metadata.namespace
value: bar
template: rbac/role.yaml
documentIndex: 1
- equal:
path: metadata.namespace
value: foo
template: rbac/role.yaml
documentIndex: 2
- equal:
path: metadata.namespace
value: default
template: rbac/rolebinding.yaml
documentIndex: 0
- equal:
path: metadata.namespace
value: bar
template: rbac/rolebinding.yaml
documentIndex: 1
- equal:
path: metadata.namespace
value: foo
template: rbac/rolebinding.yaml
documentIndex: 2
- it: should accept overridden namespace
set:
namespaceOverride: "traefik-ns-override"
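Review bot: The new cases assert document count and `metadata.namespace` only, so the least-privilege behaviour the commit introduces in role.yaml — CRD rules emitted only in `$CRDNamespaces`, Ingress rules only in `$ingressNamespaces` — is not pinned. In the "both providers" case documentIndex 1 (`bar`) should carry no `traefik.io` rule and documentIndex 2 (`foo`) no `networking.k8s.io` rule; an assertion such as the one below (helm-unittest's `notContains` with `any: true` for partial element matching, assuming the project's version supports it) would catch a regression that widens either Role. A case with a provider disabled but its `namespaces` populated would also document what the chart intends to render there.

```yaml
      - notContains:
          path: rules
          content:
            apiGroups:
              - traefik.io
          any: true
          template: rbac/role.yaml
          documentIndex: 1
```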