From f25a76f22468fe69c86e0d563f5580ea9ba62a7c Mon Sep 17 00:00:00 2001 From: Sami Alajrami Date: Mon, 16 Dec 2024 14:17:53 +0100 Subject: [PATCH] allow deploying helm chart for one namespace with limited permissions (#389) --- charts/k8s-reporter/Chart.yaml | 4 +- charts/k8s-reporter/README.md | 65 +++++++++++++++---- charts/k8s-reporter/_templates.gotmpl | 55 +++++++++++++--- .../k8s-reporter/templates/clusterrole.yaml | 4 +- .../templates/clusterrolebinding.yaml | 4 +- charts/k8s-reporter/templates/role.yaml | 13 ++++ .../k8s-reporter/templates/rolebinding.yaml | 17 +++++ charts/k8s-reporter/values.yaml | 7 +- 8 files changed, 139 insertions(+), 30 deletions(-) create mode 100644 charts/k8s-reporter/templates/role.yaml create mode 100644 charts/k8s-reporter/templates/rolebinding.yaml diff --git a/charts/k8s-reporter/Chart.yaml b/charts/k8s-reporter/Chart.yaml index 6505a97f1..b712d4b41 100644 --- a/charts/k8s-reporter/Chart.yaml +++ b/charts/k8s-reporter/Chart.yaml @@ -15,10 +15,10 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.5.1 +version: 1.6.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. # It is recommended to use it with quotes. -appVersion: "2.10.13" +appVersion: "2.11.3" diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md index c0258df85..cac5ad44d 100644 --- a/charts/k8s-reporter/README.md +++ b/charts/k8s-reporter/README.md 
@@ -4,7 +4,7 @@ title: Kubernetes Reporter Helm Chart # k8s-reporter -![Version: 1.5.1](https://img.shields.io/badge/Version-1.5.1-informational?style=flat-square) +![Version: 1.6.0](https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square) A Helm chart for installing the Kosli K8S reporter as a cronjob. The chart allows you to create a Kubernetes cronjob and all its necessary RBAC to report running images to Kosli at a given cron schedule. 
@@ -13,30 +13,66 @@ The chart allows you to create a Kubernetes cronjob and all its necessary RBAC t - A Kubernetes cluster (minimum supported version is `v1.21`) - Helm v3.0+ -- Create a secret for the Kosli API token which will be used for reporting. You can create a secret by running: `kubectl create secret generic --from-literal==` +- If you want to report artifacts from just one namespace, you need to have permissions to `get` and `list` pods in that namespace. +- If you want to report artifacts from multiple namespaces or entire cluster, you need to have cluster-wide permissions to `get` and `list` pods. ## Installing the chart To install this chart via the Helm chart repository: -```shell -helm repo add kosli https://charts.kosli.com/ -helm repo update -helm install [RELEASE-NAME] kosli/k8s-reporter -f [VALUES-FILE-PATH] +1. Add the Kosli helm repo +```shell {.command} +helm repo add kosli https://charts.kosli.com/ && helm repo update +``` + +2. Create a secret for the Kosli API token +```shell {.command} +kubectl create secret generic kosli-api-token --from-literal=key= +``` + +3. Install the helm chart + +A. To report artifacts running in entire cluster (requires cluster-wide read permissions): + +```shell {.command} +helm install kosli-reporter kosli/k8s-reporter \ + --set reporterConfig.kosliOrg= \ + --set reporterConfig.kosliEnvironmentName= +``` + +B. To report artifacts running in multiple namespaces (requires cluster-wide read permissions): + +```shell {.command} +helm install kosli-reporter kosli/k8s-reporter \ + --set reporterConfig.kosliOrg= \ + --set reporterConfig.kosliEnvironmentName= \ + --set reporterConfig.namespaces= +``` + +C. 
To report artifacts running in one namespace (requires namespace-scoped read permissions): + +```shell {.command} +helm install kosli-reporter kosli/k8s-reporter \ + --set reporterConfig.kosliOrg= \ + --set reporterConfig.kosliEnvironmentName= \ + --set reporterConfig.namespaces= \ + --set serviceAccount.permissionScope=namespace ``` > Chart source can be found at https://github.com/kosli-dev/cli/tree/main/charts/k8s-reporter +> See all available [configuration options](#configurations) below. + ## Upgrading the chart -```shell -helm upgrade [RELEASE-NAME] kosli/k8s-reporter +```shell {.command} +helm upgrade kosli-reporter kosli/k8s-reporter ... ``` ## Uninstalling chart -```shell -helm uninstall [RELEASE-NAME] +```shell {.command} +helm uninstall kosli-reporter ``` ## Configurations 
@@ -46,23 +82,24 @@ helm uninstall [RELEASE-NAME] | fullnameOverride | string | `""` | overrides the fullname used for the created k8s resources. It has higher precedence than `nameOverride` | | image.pullPolicy | string | `"IfNotPresent"` | the kosli reporter image pull policy | | image.repository | string | `"ghcr.io/kosli-dev/cli"` | the kosli reporter image repository | -| image.tag | string | `"v2.10.13"` | the kosli reporter image tag, overrides the image tag whose default is the chart appVersion. | +| image.tag | string | `"v2.11.3"` | the kosli reporter image tag, overrides the image tag whose default is the chart appVersion. | | kosliApiToken.secretKey | string | `"key"` | the name of the key in the secret data which contains the Kosli API token | | kosliApiToken.secretName | string | `"kosli-api-token"` | the name of the secret containing the kosli API token | | nameOverride | string | `""` | overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one | -| podAnnotations | object | `{}` | | +| podAnnotations | object | `{}` | any custom annotations to be added to the cronjob | | reporterConfig.dryRun | bool | `false` | whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli. | | reporterConfig.httpProxy | string | `""` | the http proxy url | | reporterConfig.kosliEnvironmentName | string | `""` | the name of Kosli environment that the k8s cluster/namespace correlates to | | reporterConfig.kosliOrg | string | `""` | the name of the Kosli org | -| reporterConfig.namespaces | string | `""` | the namespaces which represent the environment. It is a comma separated list of namespace name regex patterns. e.g. 
`^prod$,^dev-*` reports for the `prod` namespace and any namespace that starts with `dev-` leave this unset if you want to report what is running in the entire cluster | +| reporterConfig.namespaces | string | `""` | the namespaces which represent the environment. It is a comma separated list of namespace names. leave this unset if you want to report what is running in the entire cluster | | resources.limits.cpu | string | `"100m"` | the cpu limit | | resources.limits.memory | string | `"256Mi"` | the memory limit | | resources.requests.memory | string | `"64Mi"` | the memory request | | serviceAccount.annotations | object | `{}` | annotations to add to the service account | | serviceAccount.create | bool | `true` | specifies whether a service account should be created | | serviceAccount.name | string | `""` | the name of the service account to use. If not set and create is true, a name is generated using the fullname template | +| serviceAccount.permissionScope | string | `"cluster"` | specifies whether to create a cluster-wide permissions for the service account or namespace-scoped permissions. allowed values are: [cluster, namespace] | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/k8s-reporter/_templates.gotmpl b/charts/k8s-reporter/_templates.gotmpl index 823201343..8c09b36d2 100644 --- a/charts/k8s-reporter/_templates.gotmpl +++ b/charts/k8s-reporter/_templates.gotmpl 
@@ -7,7 +7,8 @@ The chart allows you to create a Kubernetes cronjob and all its necessary RBAC t - A Kubernetes cluster (minimum supported version is `v1.21`) - Helm v3.0+ -- Create a secret for the Kosli API token which will be used for reporting. You can create a secret by running: `kubectl create secret generic --from-literal==` +- If you want to report artifacts from just one namespace, you need to have permissions to `get` and `list` pods in that namespace. +- If you want to report artifacts from multiple namespaces or entire cluster, you need to have cluster-wide permissions to `get` and `list` pods. {{- end }} {{ define "extra.install" -}} 
@@ -15,28 +16,64 @@ The chart allows you to create a Kubernetes cronjob and all its necessary RBAC t To install this chart via the Helm chart repository: -```shell -helm repo add kosli https://charts.kosli.com/ -helm repo update -helm install [RELEASE-NAME] kosli/k8s-reporter -f [VALUES-FILE-PATH] +1. Add the Kosli helm repo +```shell {.command} +helm repo add kosli https://charts.kosli.com/ && helm repo update +``` + +2. Create a secret for the Kosli API token +```shell {.command} +kubectl create secret generic kosli-api-token --from-literal=key= +``` + +3. Install the helm chart + +A. To report artifacts running in entire cluster (requires cluster-wide read permissions): + +```shell {.command} +helm install kosli-reporter kosli/k8s-reporter \ + --set reporterConfig.kosliOrg= \ + --set reporterConfig.kosliEnvironmentName= +``` + +B. To report artifacts running in multiple namespaces (requires cluster-wide read permissions): + +```shell {.command} +helm install kosli-reporter kosli/k8s-reporter \ + --set reporterConfig.kosliOrg= \ + --set reporterConfig.kosliEnvironmentName= \ + --set reporterConfig.namespaces= +``` + +C. To report artifacts running in one namespace (requires namespace-scoped read permissions): + +```shell {.command} +helm install kosli-reporter kosli/k8s-reporter \ + --set reporterConfig.kosliOrg= \ + --set reporterConfig.kosliEnvironmentName= \ + --set reporterConfig.namespaces= \ + --set serviceAccount.permissionScope=namespace ``` > Chart source can be found at https://github.com/kosli-dev/cli/tree/main/charts/k8s-reporter + +> See all available [configuration options](#configurations) below. + {{- end }} {{ define "extra.upgrade" -}} ## Upgrading the chart -```shell -helm upgrade [RELEASE-NAME] kosli/k8s-reporter +```shell {.command} +helm upgrade kosli-reporter kosli/k8s-reporter ... 
```
 {{- end }}
 {{ define "extra.uninstall" -}}
 ## Uninstalling chart
-```shell
-helm uninstall [RELEASE-NAME]
+```shell {.command}
+helm uninstall kosli-reporter
 ```
 {{- end }}
diff --git a/charts/k8s-reporter/templates/clusterrole.yaml b/charts/k8s-reporter/templates/clusterrole.yaml
index a4b40f949..f2182048d 100644
--- a/charts/k8s-reporter/templates/clusterrole.yaml
+++ b/charts/k8s-reporter/templates/clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.serviceAccount.create (eq .Values.serviceAccount.permissionScope "cluster") -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -11,4 +12,5 @@ rules:
 verbs: ["get", "list"]
 - apiGroups: [""]
 resources: ["pods"]
- verbs: ["get", "list"]
\ No newline at end of file
+ verbs: ["get", "list"]
+{{- end }}
\ No newline at end of file
diff --git a/charts/k8s-reporter/templates/clusterrolebinding.yaml b/charts/k8s-reporter/templates/clusterrolebinding.yaml
index 90ddca29f..5cf0a9f36 100644
--- a/charts/k8s-reporter/templates/clusterrolebinding.yaml
+++ b/charts/k8s-reporter/templates/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.serviceAccount.create (eq .Values.serviceAccount.permissionScope "cluster") -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -12,4 +13,5 @@ subjects:
 roleRef:
 kind: ClusterRole
 name: {{ include "reporter.fullname" . }}
- apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/charts/k8s-reporter/templates/role.yaml b/charts/k8s-reporter/templates/role.yaml
new file mode 100644
index 000000000..5f830a483
--- /dev/null
+++ b/charts/k8s-reporter/templates/role.yaml
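Review bot: The guard added at the top of clusterrole.yaml, `{{- if and .Values.serviceAccount.create (eq .Values.serviceAccount.permissionScope "cluster") -}}`, and the identical one in clusterrolebinding.yaml make the cluster RBAC depend on `serviceAccount.create`, which was not the case before: the old side of both hunks starts straight at `apiVersion`, so both objects rendered unconditionally, and the binding's subject comes from `reporter.serviceAccountName`, which presumably resolves to `serviceAccount.name` when `create` is false. A user who brings their own service account (`create: false` with `name` set) therefore now silently loses the ClusterRole and ClusterRoleBinding, and the cronjob is only refused when it tries to list pods at runtime. If the intent is that such users provision RBAC themselves, the `permissionScope` comment in values.yaml and the README prerequisites should say so; otherwise gate only on the scope, `{{- if eq .Values.serviceAccount.permissionScope "cluster" -}}`. The same coupling is in the new role.yaml and rolebinding.yaml.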
@@ -0,0 +1,13 @@
+{{- if and .Values.serviceAccount.create (eq .Values.serviceAccount.permissionScope "namespace") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "reporter.fullname" . }}
+ labels:
+ {{- include "reporter.labels" . | nindent 4 }}
+
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list"]
+{{- end }}
\ No newline at end of file
diff --git a/charts/k8s-reporter/templates/rolebinding.yaml b/charts/k8s-reporter/templates/rolebinding.yaml
new file mode 100644
index 000000000..4c18198c9
--- /dev/null
+++ b/charts/k8s-reporter/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.serviceAccount.create (eq .Values.serviceAccount.permissionScope "namespace") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "reporter.fullname" . }}
+ labels:
+ {{- include "reporter.labels" . | nindent 4 }}
+
+subjects:
+- kind: ServiceAccount
+ name: {{ include "reporter.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: Role
+ name: {{ include "reporter.fullname" . }}
+ apiGroup: rbac.authorization.k8s.io
+{{- end }}
\ No newline at end of file
diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml
index 7bab12f2e..5da9c4f8f 100644
--- a/charts/k8s-reporter/values.yaml
+++ b/charts/k8s-reporter/values.yaml
@@ -8,7 +8,7 @@ image:
 # -- the kosli reporter image pull policy
 pullPolicy: IfNotPresent
 # -- the kosli reporter image tag, overrides the image tag whose default is the chart appVersion.
- tag: "v2.10.13"
+ tag: "v2.11.3"
 # -- overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one
 nameOverride: ""
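Review bot: The Role in role.yaml sets no `metadata.namespace`, so it and the RoleBinding land in `.Release.Namespace`, yet nothing checks that `reporterConfig.namespaces` names that same single namespace; a value naming a different namespace, or a comma-separated list as the values.yaml comment permits, renders without error and only fails at runtime when the cronjob is forbidden from listing pods there. A render-time guard just inside the outer `if` of role.yaml would surface the misconfiguration: `{{- if ne .Values.reporterConfig.namespaces .Release.Namespace }}` / `{{- fail "serviceAccount.permissionScope=namespace requires reporterConfig.namespaces to be exactly the release namespace" }}` / `{{- end }}`. Separately, the ClusterRole has a first rule (its resource lies outside the clusterrole.yaml hunk) that the Role does not mirror; if the reporter still issues that request in single-namespace mode, a namespace-scoped Role cannot grant it, so confirm the reporter skips it when `namespaces` is set.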
@@ -18,6 +18,8 @@ fullnameOverride: ""
 serviceAccount:
 # -- specifies whether a service account should be created
 create: true
+ # -- specifies whether to create a cluster-wide permissions for the service account or namespace-scoped permissions. allowed values are: [cluster, namespace]
+ permissionScope: cluster
 # -- annotations to add to the service account
 annotations: {}
 # -- the name of the service account to use.
@@ -39,8 +41,7 @@ reporterConfig:
 # -- the name of Kosli environment that the k8s cluster/namespace correlates to
 kosliEnvironmentName: ""
 # -- the namespaces which represent the environment.
- # It is a comma separated list of namespace name regex patterns.
- # e.g. `^prod$,^dev-*` reports for the `prod` namespace and any namespace that starts with `dev-`
+ # It is a comma separated list of namespace names.
 # leave this unset if you want to report what is running in the entire cluster
 namespaces: ""
 # -- whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli.
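Review bot: `permissionScope: cluster` is a free-form string and every RBAC template selects on an exact `eq` against `"cluster"` or `"namespace"`, so a typo or different casing (say `Namespace`) renders neither a Role nor a ClusterRole, with no error, and the cronjob fails only at runtime. A render-time check would make the list in the comment enforceable, e.g. at the top of clusterrole.yaml: `{{- if not (has .Values.serviceAccount.permissionScope (list "cluster" "namespace")) }}{{ fail "serviceAccount.permissionScope must be 'cluster' or 'namespace'" }}{{- end }}`; a `values.schema.json` with an `enum` for this key would give the same protection through `helm lint` and `helm install`. The comment could also state what each choice produces, e.g. `# -- scope of the RBAC created for the service account: "cluster" renders a ClusterRole/ClusterRoleBinding, "namespace" renders a Role/RoleBinding in the release namespace. allowed values are: [cluster, namespace]`.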