From 72672ce2c27ee2a43eb5fdd40f2ce94114f7191a Mon Sep 17 00:00:00 2001 From: Jesper Noordsij Date: Thu, 27 Jul 2023 17:32:35 +0200 Subject: [PATCH 1/4] Use traefik.namespace instead of .Release.Namespace in provider namespace helpers --- traefik/templates/_helpers.tpl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/traefik/templates/_helpers.tpl b/traefik/templates/_helpers.tpl index 3b0d12ee0..a6c8b9fa4 100644 --- a/traefik/templates/_helpers.tpl +++ b/traefik/templates/_helpers.tpl @@ -108,10 +108,10 @@ Users can provide an override for an explicit service they want bound via `.Valu Construct a comma-separated list of whitelisted namespaces */}} {{- define "providers.kubernetesIngress.namespaces" -}} -{{- default .Release.Namespace (join "," .Values.providers.kubernetesIngress.namespaces) }} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesIngress.namespaces) }} {{- end -}} {{- define "providers.kubernetesCRD.namespaces" -}} -{{- default .Release.Namespace (join "," .Values.providers.kubernetesCRD.namespaces) }} +{{- default (include "traefik.namespace" .) (join "," .Values.providers.kubernetesCRD.namespaces) }} {{- end -}} {{/* From b9abeb6bae271e0575a71ea7383d720fe668de96 Mon Sep 17 00:00:00 2001 From: Jesper Noordsij Date: Thu, 27 Jul 2023 17:33:39 +0200 Subject: [PATCH 2/4] Automatically create roles/rolebindings for all namespaces --- traefik/templates/rbac/role.yaml | 23 +++++++++++++++-------- traefik/templates/rbac/rolebinding.yaml | 19 +++++++++++++------ 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml index 5be815953..be0f90f71 100644 --- a/traefik/templates/rbac/role.yaml +++ b/traefik/templates/rbac/role.yaml 
@@ -1,11 +1,17 @@ -{{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}} + +{{- if and .Values.rbac.enabled .Values.rbac.namespaced -}} +{{- range $allNamespaces }} +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "traefik.fullname" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} labels: - {{- include "traefik.labels" . | nindent 4 }} + {{- include "traefik.labels" $ | nindent 4 }} rules: - apiGroups: - "" @@ -17,7 +23,7 @@ rules: - get - list - watch -{{- if .Values.providers.kubernetesIngress.enabled }} +{{- if (and (has . $ingressNamespaces) $.Values.providers.kubernetesIngress.enabled) }} - apiGroups: - extensions - networking.k8s.io @@ -35,7 +41,7 @@ rules: verbs: - update {{- end -}} -{{- if .Values.providers.kubernetesCRD.enabled }} +{{- if (and (has . $CRDNamespaces) $.Values.providers.kubernetesCRD.enabled) }} - apiGroups: - traefik.io {{- if semverCompare "<3.0.0-0" (default $.Chart.AppVersion $.Values.image.tag) }} @@ -59,14 +65,15 @@ rules: - list - watch {{- end -}} -{{- if .Values.podSecurityPolicy.enabled }} +{{- if $.Values.podSecurityPolicy.enabled }} - apiGroups: - extensions resourceNames: - - {{ template "traefik.fullname" . }} + - {{ template "traefik.fullname" $ }} resources: - podsecuritypolicies verbs: - use {{- end -}} {{- end -}} +{{- end -}} diff --git a/traefik/templates/rbac/rolebinding.yaml b/traefik/templates/rbac/rolebinding.yaml index 91334b4b2..263a2e05a 100644 --- a/traefik/templates/rbac/rolebinding.yaml +++ b/traefik/templates/rbac/rolebinding.yaml 
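Review bot: The podSecurityPolicy `use` rule (hunk `@@ -59,14 +65,15 @@`) is now rendered into the Role of every namespace in `$allNamespaces`, but as far as I can tell the PSP `use` check is evaluated in the namespace where the Traefik pods are created, i.e. the release namespace that the RoleBinding's subject points at, so the copies in the extra provider-watched namespaces are grants that are never exercised. Gating that block with `{{- if and $.Values.podSecurityPolicy.enabled (eq . (include "traefik.namespace" $)) }}` would keep the additional namespaces down to the get/list/watch rules the providers actually need. A short comment above the `$allNamespaces` assignment would also help, e.g. `{{/* Namespaced RBAC: one Role per provider-watched namespace; provider-specific rules are only emitted where that provider lists the namespace */}}`, since a Role now lands in namespaces outside the release and the installing identity needs create rights there. The unconditional `rules:` section continues into the hunk starting at `@@ -17,7 +23,7 @@`, so which resources it covers is not fully visible here.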
@@ -1,17 +1,24 @@ +{{- $ingressNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}} +{{- $CRDNamespaces := default (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}} +{{- $allNamespaces := uniq (concat $ingressNamespaces $CRDNamespaces) -}} + {{- if and .Values.rbac.enabled .Values.rbac.namespaced }} +{{- range $allNamespaces }} +--- kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: {{ template "traefik.fullname" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ template "traefik.fullname" $ }} + namespace: {{ . }} labels: - {{- include "traefik.labels" . | nindent 4 }} + {{- include "traefik.labels" $ | nindent 4 }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: {{ template "traefik.fullname" . }} + name: {{ template "traefik.fullname" $ }} subjects: - kind: ServiceAccount - name: {{ include "traefik.serviceAccountName" . }} - namespace: {{ template "traefik.namespace" . }} + name: {{ include "traefik.serviceAccountName" $ }} + namespace: {{ template "traefik.namespace" $ }} +{{- end -}} {{- end -}} From dfead37f2d3c62b227c1316ed3e34588091f4be1 Mon Sep 17 00:00:00 2001 From: Jesper Noordsij Date: Thu, 27 Jul 2023 17:55:51 +0200 Subject: [PATCH 3/4] Add basic test for multi-namespaces roles and rolebindings --- traefik/tests/rbac-config_test.yaml | 50 +++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml index 3b653edd7..2f05dbfbb 100644 --- a/traefik/tests/rbac-config_test.yaml +++ b/traefik/tests/rbac-config_test.yaml 
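Review bot: The three namespace-list assignments at the top of the hunk are copied verbatim from rbac/role.yaml; if either copy drifts, a RoleBinding can be rendered in a namespace with no matching Role (or the reverse), and nothing in the templates ties the two sets together. Because Helm named templates return strings, a shared helper could emit the joined list and each template rebuild it, e.g. `{{- $allNamespaces := include "traefik.rbacNamespaces" . | splitList "," | uniq -}}` (helper name constructed), so the namespace set is computed in exactly one place. Separately, `{{- if and .Values.rbac.enabled .Values.rbac.namespaced }}` here lacks the trailing `-}}` that role.yaml uses, which leaves a stray blank line before the first `---` document; harmless for YAML but inconsistent between the two files.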
@@ -175,6 +175,56 @@ tests: path: metadata.namespace value: NAMESPACE template: rbac/serviceaccount.yaml + - it: should use multiple namespaces if provided + set: + providers: + kubernetesCRD: + namespaces: + - default + - foo + kubernetesIngress: + namespaces: + - default + - bar + rbac: + namespaced: true + asserts: + - hasDocuments: + count: 3 + template: rbac/role.yaml + - hasDocuments: + count: 3 + template: rbac/rolebinding.yaml + - equal: + path: metadata.namespace + value: default + template: rbac/role.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/role.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/role.yaml + documentIndex: 2 + - equal: + path: metadata.namespace + value: default + template: rbac/rolebinding.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/rolebinding.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/rolebinding.yaml + documentIndex: 2 - it: should accept overridden namespace set: namespaceOverride: "traefik-ns-override" From 4e1ec202d0670e537abf45bb1ce4b8c52551a0c6 Mon Sep 17 00:00:00 2001 From: Jesper Noordsij Date: Fri, 28 Jul 2023 14:25:35 +0200 Subject: [PATCH 4/4] Add tests for providing namespaces to providers individually --- traefik/tests/rbac-config_test.yaml | 94 ++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 1 deletion(-) diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml index 2f05dbfbb..703adb1b1 100644 --- a/traefik/tests/rbac-config_test.yaml +++ b/traefik/tests/rbac-config_test.yaml 
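Review bot: The new test only checks `metadata.namespace` per document and does not verify the per-namespace rule gating that rbac/role.yaml now applies with `has . $ingressNamespaces` / `has . $CRDNamespaces`, so a regression that granted every namespace both providers' rules would still pass. An assertion on the ingress-only namespace such as `- notContains: {path: rules, content: {apiGroups: [traefik.io]}, template: rbac/role.yaml, documentIndex: 1, any: true}` (and the mirror `notContains` for `networking.k8s.io` on the CRD-only document), assuming the helm-unittest in use supports `any`, would pin the least-privilege behaviour. The test also hard-codes the document order (`default`, `bar`, `foo`), which follows from `uniq (concat $ingressNamespaces $CRDNamespaces)` preserving insertion order; a one-line comment stating that would explain why the indices are fixed.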
@@ -175,7 +175,99 @@ tests: path: metadata.namespace value: NAMESPACE template: rbac/serviceaccount.yaml - - it: should use multiple namespaces if provided + - it: should use multiple namespaces if provided to kubernetesCRD + set: + providers: + kubernetesCRD: + namespaces: + - default + - foo + rbac: + namespaced: true + asserts: + - hasDocuments: + count: 3 + template: rbac/role.yaml + - hasDocuments: + count: 3 + template: rbac/rolebinding.yaml + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/role.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: default + template: rbac/role.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/role.yaml + documentIndex: 2 + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/rolebinding.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: default + template: rbac/rolebinding.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: foo + template: rbac/rolebinding.yaml + documentIndex: 2 + - it: should use multiple namespaces if provided to kubernetesIngress + set: + providers: + kubernetesIngress: + namespaces: + - default + - bar + rbac: + namespaced: true + asserts: + - hasDocuments: + count: 3 + template: rbac/role.yaml + - hasDocuments: + count: 3 + template: rbac/rolebinding.yaml + - equal: + path: metadata.namespace + value: default + template: rbac/role.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/role.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/role.yaml + documentIndex: 2 + - equal: + path: metadata.namespace + value: default + template: rbac/rolebinding.yaml + documentIndex: 0 + - equal: + path: metadata.namespace + value: bar + template: rbac/rolebinding.yaml + documentIndex: 1 + - equal: + path: metadata.namespace + value: NAMESPACE + template: rbac/rolebinding.yaml + documentIndex: 
2 + - it: should use multiple namespaces if provided to both providers set: providers: kubernetesCRD: