From 87fef34013296f8bcfda406a9c3325942e5401c5 Mon Sep 17 00:00:00 2001
From: alexisdondon
Date: Fri, 15 Apr 2022 12:51:59 +0000
Subject: [PATCH 1/2] suggestion of service account minPrivilege
---
 .../templates/cluster-role-binding.yaml | 33 +++++++++++++++++++
 charts/onyxia/values.yaml | 5 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/charts/onyxia/templates/cluster-role-binding.yaml b/charts/onyxia/templates/cluster-role-binding.yaml
index 63712ea..ac9a554 100644
--- a/charts/onyxia/templates/cluster-role-binding.yaml
+++ b/charts/onyxia/templates/cluster-role-binding.yaml
@@ -15,4 +15,37 @@ subjects:
 name: {{ include "onyxia.api.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
 {{- end -}}
+{{- if .Values.serviceAccount.clusterMinPrivilege -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: clusterMinPrivilegeRole
+rules:
+- apiGroups: [""]
+ resources: ["namespaces"]
+ verbs: ["get", "list", "create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["rolebindings"]
+ verbs: ["create"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+ resources: ["clusterroles"]
+ verbs: ["bind"]
+ resourceNames: ["admin","edit","view"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "onyxia.fullname" . }}
+ labels:
+ {{- include "onyxia.api.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: clusterMinPrivilegeRole
+subjects:
+- kind: ServiceAccount
+ name: {{ include "onyxia.api.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end -}}
 {{- end -}}
\ No newline at end of file
diff --git a/charts/onyxia/values.yaml b/charts/onyxia/values.yaml
index c68781d..958755e 100644
--- a/charts/onyxia/values.yaml
+++ b/charts/onyxia/values.yaml
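Review bot: The trailing dash in the added `{{- if .Values.serviceAccount.clusterMinPrivilege -}}` trims the newline after it, so the `---` separator on the next added line is emitted directly after whatever text preceded the `if`; when `clusterAdmin` is also enabled that is the `namespace: {{ .Release.Namespace }}` context line, and the rendered output becomes `namespace: <ns>---`, giving the first binding a bogus namespace and leaving the new ClusterRole unseparated from it (what precedes the block when `clusterAdmin` is false is outside the hunk, so I cannot confirm that case). Drop the trailing dash, `{{- if .Values.serviceAccount.clusterMinPrivilege }}`, so the separator keeps its own line. The ClusterRole name `clusterMinPrivilegeRole` is hard-coded on a cluster-scoped object, so two releases of this chart on one cluster would collide on it; name it `{{ include "onyxia.fullname" . }}-min-privilege` and reference that in `roleRef`, and give the new ClusterRoleBinding a distinct suffix too, since its `name: {{ include "onyxia.fullname" . }}` looks likely to clash with the binding ending just above the hunk (that binding's metadata is outside the hunk). On the permission set itself, `create` on `rolebindings` is granted cluster-wide together with `bind` on `admin`, so this account can still grant namespace admin in any existing namespace, including kube-system, and RBAC cannot restrict that by namespace name; that residual risk deserves a comment above the rule, e.g. `# NOTE: cluster-wide create on rolebindings + bind admin lets the API grant namespace admin in any namespace, not only the ones it creates`. The enclosing `{{- if }}` block starts outside the hunk.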
@@ -7,7 +7,10 @@ imagePullSecrets: []
 serviceAccount:
 # Specifies whether a service account should be created
 create: true
- clusterAdmin: false # If true, give cluster admin permissions. Otherwise, be admin scoped to the namespace
+ clusterAdmin: false
+ clusterMinPrivilege: false
+ # If clusterAdmintrue, give cluster admin permissions. Otherwise, be admin scoped to the namespace
+ # If clusterMinPrivilege, try to stick to the minprileve neeeded by api
 # Annotations to add to the service account
 annotations: {}
 # The name of the service account to use.
From 97b4b6d10bd61a0fe089a89759c86a44949cb066 Mon Sep 17 00:00:00 2001
From: alexisdondon
Date: Fri, 15 Apr 2022 14:41:26 +0000
Subject: [PATCH 2/2] chart version
---
 charts/onyxia/Chart.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/onyxia/Chart.yaml b/charts/onyxia/Chart.yaml
index 67ea4bf..aa69bd7 100644
--- a/charts/onyxia/Chart.yaml
+++ b/charts/onyxia/Chart.yaml
@@ -14,7 +14,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
-version: 3.1.0
+version: 3.2.0
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application.
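Review bot: The explanatory comment for the two new flags sits below both keys, contains typos (`clusterAdmintrue`, `minprileve neeeded`), and says neither what the reduced permission set contains nor that the flags are meant as alternatives. Put a comment above each key instead, e.g. `# clusterAdmin: if true, bind the API service account to cluster-admin; otherwise it is only admin in its own namespace` and `# clusterMinPrivilege: if true, grant only the cluster-scoped rights the API needs (get/list/create namespaces, create rolebindings, bind the admin/edit/view ClusterRoles); this still lets the API grant namespace admin in any namespace. Do not enable together with clusterAdmin.` Nothing in this file or in the template rejects both flags being true, so either document which one wins or guard the template with `{{- if and .Values.serviceAccount.clusterMinPrivilege (not .Values.serviceAccount.clusterAdmin) }}`. The `serviceAccount` mapping continues past the end of the hunk.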