
Add role support of individual verbs list for different resources

What does this MR do?

Add role support of individual verbs list for different resources.

The new `rbac.rules` value defines a list of rules alongside the existing `rbac.resources` + `rbac.verbs` values. Each rule supports the following optional keys, with these defaults:

  • apiGroups: default "" (indicates the core API group) if missing or empty.
  • resources: default "*" if missing or empty.
  • verbs: default "*" if missing or empty.

The existing `rbac.resources` + `rbac.verbs` values are marked as DEPRECATED to keep backward compatibility with older versions of values.yaml, while informing users that in future releases this configuration will be supported only through `rbac.rules`.

Why was this MR needed?

The current role rules definition supports only one list of resources with a single corresponding list of verbs.

The problem is that not all resources support the same list of verbs, and the current implementation can lead to deployment errors on hardened k8s clusters that require explicit rules and reject `*`.
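The following Python script is an added example, not the chart's own template, that implements the per-rule defaulting described above (`apiGroups` → `""`, `resources` → `"*"`, `verbs` → `"*"`) and then lints the resulting Role for the wildcards that hardened clusters reject. It assumes that the deprecated `rbac.resources` + `rbac.verbs` pair is rendered as one core-group rule placed before the entries of `rbac.rules`, which is an assumption about the template rather than something the MR states; the sample values are constructed from the "default resources + verbs and custom rules" test case, and the Role name and namespace are placeholders.

```python
"""Apply the MR's per-rule defaults to chart values and flag wildcard rules.

Added example; this is not the chart's Helm template. Values are handled as
plain Python dicts so the script runs without PyYAML.
"""
import json
from typing import Any

# Defaults for each rule key, as listed in the MR description.
RULE_DEFAULTS: dict[str, list[str]] = {
    "apiGroups": [""],   # "" is the core API group
    "resources": ["*"],
    "verbs": ["*"],
}


def normalize_rule(rule: dict[str, Any]) -> dict[str, list[str]]:
    """Return a rule with every key present; a missing or empty list gets its default."""
    out: dict[str, list[str]] = {}
    for key, default in RULE_DEFAULTS.items():
        value = rule.get(key)
        out[key] = list(value) if value else list(default)
    return out


def rules_from_values(rbac: dict[str, Any]) -> list[dict[str, list[str]]]:
    """Build the Role's rules list from the rbac values section.

    Assumption (not stated by the MR): the deprecated rbac.resources + rbac.verbs
    pair becomes one core-group rule, emitted only when rbac.resources is set,
    and every entry of rbac.rules follows it with defaults applied.
    """
    rules: list[dict[str, list[str]]] = []
    legacy_resources = rbac.get("resources") or []
    if legacy_resources:
        # An empty rbac.verbs here would default to "*" like any other rule.
        rules.append(normalize_rule({"resources": legacy_resources,
                                     "verbs": rbac.get("verbs") or []}))
    for rule in rbac.get("rules") or []:
        rules.append(normalize_rule(rule))
    return rules


def render_role(name: str, namespace: str, rbac: dict[str, Any]) -> dict[str, Any]:
    """Assemble a namespaced Role manifest from the rbac values section."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": name, "namespace": namespace},
        "rules": rules_from_values(rbac),
    }


def wildcard_findings(rules: list[dict[str, list[str]]]) -> list[str]:
    """List rule fields that contain '*', which hardened clusters may reject."""
    findings = []
    for i, rule in enumerate(rules):
        for key in ("apiGroups", "resources", "verbs"):
            if "*" in rule[key]:
                findings.append(f"rule[{i}].{key}")
    return findings


# Constructed sample values mirroring the "default resources + verbs and custom
# rules" test case from the MR (the deprecated pair is left unset).
SAMPLE_VALUES: dict[str, Any] = {
    "rbac": {
        "create": True,
        "rules": [
            {"resources": ["pods", "secrets"],
             "verbs": ["get", "list", "watch", "create", "patch", "delete"]},
            {"apiGroups": [""], "resources": ["pods/exec"],
             "verbs": ["create", "patch", "delete"]},
        ],
    }
}

if __name__ == "__main__":
    # Placeholder name and namespace; substitute the release's own values.
    role = render_role("example-runner", "example-ns", SAMPLE_VALUES["rbac"])
    print(json.dumps(role, indent=2))
    print("wildcard fields:", wildcard_findings(role["rules"]) or "none")
```

Running the script prints the rendered Role and an empty wildcard list for the sample; a rule that omits `verbs` would be reported as `rule[N].verbs`, which is exactly the configuration the hardened-cluster case in the MR would reject.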

What's the best way to test this MR?

Test by rendering the Role resource with each of the following sets of values:

Default values:

```yaml
## For RBAC support:
rbac:
  create: true

  ## Define specific rbac permissions.
  ## DEPRECATED: see .Values.rbac.rules
  resources: ["pods", "pods/exec", "secrets"]
  verbs: ["get", "list", "watch", "create", "patch", "delete"]

  ## Define list of rules to be added to the rbac role permissions.
  ## Each rule supports the keys:
  ## - apiGroups: default "" (indicates the core API group) if missing or empty.
  ## - resources: default "*" if missing or empty.
  ## - verbs: default "*" if missing or empty.
  rules: []
  # - resources: ["pods", "secrets"]
  #   verbs: ["get", "list", "watch", "create", "patch", "delete"]
  # - apiGroups: [""]
  #   resources: ["pods/exec"]
  #   verbs: ["create", "patch", "delete"]
```
Custom resources + verbs and default rules:

```yaml
## For RBAC support:
rbac:
  create: true

  ## Define specific rbac permissions.
  ## DEPRECATED: see .Values.rbac.rules
  resources: ["pods", "pods/exec", "secrets"]
  verbs: ["get", "list", "watch", "create", "patch", "delete"]

  ## Define list of rules to be added to the rbac role permissions.
  ## Each rule supports the keys:
  ## - apiGroups: default "" (indicates the core API group) if missing or empty.
  ## - resources: default "*" if missing or empty.
  ## - verbs: default "*" if missing or empty.
  rules: []
  # - resources: ["pods", "secrets"]
  #   verbs: ["get", "list", "watch", "create", "patch", "delete"]
  # - apiGroups: [""]
  #   resources: ["pods/exec"]
  #   verbs: ["create", "patch", "delete"]
```
Default resources + verbs and custom rules:

```yaml
## For RBAC support:
rbac:
  create: true

  ## Define specific rbac permissions.
  ## DEPRECATED: see .Values.rbac.rules
  # resources: ["pods", "pods/exec", "secrets"]
  # verbs: ["get", "list", "watch", "create", "patch", "delete"]

  ## Define list of rules to be added to the rbac role permissions.
  ## Each rule supports the keys:
  ## - apiGroups: default "" (indicates the core API group) if missing or empty.
  ## - resources: default "*" if missing or empty.
  ## - verbs: default "*" if missing or empty.
  rules: #[]
  - resources: ["pods", "secrets"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "patch", "delete"]
```
Custom `resources + verbs` and custom rules:

```yaml
## For RBAC support:
rbac:
  create: true

  ## Define specific rbac permissions.
  ## DEPRECATED: see .Values.rbac.rules
  resources: ["pods", "pods/exec", "secrets"]
  verbs: ["get", "list", "watch", "create", "patch", "delete"]

  ## Define list of rules to be added to the rbac role permissions.
  ## Each rule supports the keys:
  ## - apiGroups: default "" (indicates the core API group) if missing or empty.
  ## - resources: default "*" if missing or empty.
  ## - verbs: default "*" if missing or empty.
  rules: #[]
  - resources: ["pods", "secrets"]
    verbs: ["get", "list", "watch", "create", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "patch", "delete"]
```

What are the relevant issue numbers?

Implement #245 (closed)
