Merge branch 'helm-without-clusterroles' into 'master'

Reduce cluster admin permissions for Helm chart Closes #113 See merge request !268

Merge branch 'helm-without-clusterroles' into 'master'
08bde667 · Sören Henning · 23b6eaf1 · a841f4ed · 08bde667 · 08bde667
Commit 08bde667 authored 3 years ago by Sören Henning
--- a/helm/templates/prometheus/operator-role-binding.yaml
+++ b/helm/templates/prometheus/operator-role-binding.yaml
+{{- if not (index .Values "kube-prometheus-stack" "global" "rbac" "create") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+  labels:
+    app: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+subjects:
+- kind: ServiceAccount
+  name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+  namespace: {{ .Release.Namespace }}
+{{- end }}
--- a/helm/templates/prometheus/operator-role.yaml
+++ b/helm/templates/prometheus/operator-role.yaml
+{{- if not (index .Values "kube-prometheus-stack" "global" "rbac" "create") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ template "theodolite.fullname" . }}-kube-prometheus-operator
+  labels:
+    app: {{ template "theodolite.name" . }}-kube-prometheus-operator
+rules:
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - alertmanagers
+  - alertmanagers/finalizers
+  - alertmanagerconfigs
+  - prometheuses
+  - prometheuses/finalizers
+  - thanosrulers
+  - thanosrulers/finalizers
+  - servicemonitors
+  - podmonitors
+  - probes
+  - prometheusrules
+  verbs:
+  - '*'
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - services/finalizers
+  - endpoints
+  verbs:
+  - get
+  - create
+  - update
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - networking.k8s.io
+  resources:
+  - ingresses
+  verbs:
+  - get
+  - list
+  - watch
+{{- end }}
--- a/helm/templates/prometheus/cluster-role-binding.yaml
+++ b/helm/templates/prometheus/cluster-role-binding.yaml
-{{- if .Values.prometheus.clusterRoleBinding.enabled -}}
+{{- if .Values.prometheus.roleBinding.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
  name: {{ template "theodolite.fullname" . }}-prometheus
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
  name: {{ template "theodolite.fullname" . }}-prometheus
 subjects:
 - kind: ServiceAccount
  name: {{ template "theodolite.fullname" . }}-prometheus
  namespace: {{ .Release.Namespace }}
-{{- end}}
\ No newline at end of file
+{{- end}}
--- a/helm/templates/prometheus/cluster-role.yaml
+++ b/helm/templates/prometheus/cluster-role.yaml
-{{- if .Values.prometheus.clusterRole.enabled -}}
+{{- if .Values.prometheus.role.enabled -}}
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
  name: {{ template "theodolite.fullname" . }}-prometheus
 rules:
 - apiGroups: [""]
  resources:
-  - nodes
  - services
  - endpoints
  - pods
@@ -15,6 +14,4 @@ rules:
  resources:
  - configmaps
  verbs: ["get"]
- nonResourceURLs: ["/metrics"]
-  verbs: ["get"]
-{{- end }}
\ No newline at end of file
+{{- end}}
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -5,7 +5,7 @@
 kafkaClient:
  enabled: false
  nodeSelector: {}
-  
+

 ####
 ## configuration of sub charts
@@ -52,6 +52,9 @@ grafana:
  service:
    nodePort: 31199
    type: NodePort
+  rbac:
+    pspEnabled: false
+    namespaced: true


 ###
@@ -155,6 +158,9 @@ cp-helm-charts:
  ## The interval between refreshing metrics
  pollIntervalSeconds: 15

+strimzi-kafka-operator:
+  createGlobalResources: true
+
 strimzi:
  enabled: true
  kafka:
@@ -193,6 +199,10 @@ strimzi:
 # Prometheus Monitoring Stack (Prometheus Operator)
 ###
 kube-prometheus-stack:
+  global:
+    rbac:
+      create: false
+
  commonLabels:
    appScope: titan-ccp
  
@@ -238,7 +248,14 @@ kube-prometheus-stack:
      releaseNamespace: true
      additional: []
    nodeSelector: {}
+    admissionWebhooks:
+      enabled: false
+    tls:
+      enabled: false
+    serviceAccount:
+      create: true
  
+  # We use our own Prometheus
  prometheus:
    enabled: false

@@ -250,12 +267,11 @@ prometheus:
  enabled: true
  nodeSelector: {}
  
-  # depends on your cluster security and permission settings, you may need to create the following resources
  serviceAccount:
    enabled: true
-  clusterRole:
+  role:
    enabled: true
-  clusterRoleBinding:
+  roleBinding:
    enabled: true

 ###
@@ -349,7 +365,7 @@ rbac:
  additionalRules: []

 randomScheduler:
-  enabled: true
+  enabled: false
  image: ghcr.io/cau-se/theodolite-random-scheduler
  imageTag: latest
  imagePullPolicy: Always