This is an automated email from the ASF dual-hosted git repository.

mbalassi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git


The following commit(s) were added to refs/heads/main by this push:
     new f977e12  [FLINK-26308] Limit RBAC to namespaces watched
f977e12 is described below

commit f977e12ce4c1346e09c89263cb553920260194e1
Author: Marton Balassi <[email protected]>
AuthorDate: Mon Feb 28 22:18:08 2022 +0100

    [FLINK-26308] Limit RBAC to namespaces watched
    
    Closes #35
---
 README.md                                         |  1 +
 helm/flink-operator/templates/rbac.yaml           | 66 +++++++++++++++++++----
 helm/flink-operator/templates/serviceaccount.yaml | 17 ++++++
 helm/flink-operator/values.yaml                   |  3 +-
 4 files changed, 76 insertions(+), 11 deletions(-)

diff --git a/README.md b/README.md
index aecad31..9ab03ae 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,7 @@ The webhook can be disabled during helm install by passing 
the `--set webhook.cr
 ### Watching only specific namespaces
 
 The operator supports watching a specific list of namespaces for 
FlinkDeployment resources. You can enable it by setting the `--set 
watchNamespaces={flink-test}` parameter.
+When this is enabled role-based access control is only created specifically 
for these namespaces for the operator and the jobmanagers, otherwise it 
defaults to cluster scope.
 
 ## User Guide
 ### Create a new Flink deployment
diff --git a/helm/flink-operator/templates/rbac.yaml 
b/helm/flink-operator/templates/rbac.yaml
index 36b92a1..b9c4418 100644
--- a/helm/flink-operator/templates/rbac.yaml
+++ b/helm/flink-operator/templates/rbac.yaml
@@ -16,16 +16,10 @@
 # limitations under the License.
 
################################################################################
 
----
-{{- if .Values.rbac.create }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: flink-operator
-  namespace: {{ .Values.operatorNamespace.name }}
-  labels:
-    {{- include "flink-operator.labels" . | nindent 4 }}
+{{/*
+RBAC rules used to create the (cluster)role based on the operator scope
+*/}}
+{{- define "flink-operator.rbacRules" }}
 rules:
   - apiGroups:
       - flink-operator
@@ -73,6 +67,57 @@ rules:
       - ingresses
     verbs:
       - "*"
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+---
+{{/*
+Namespaced scoped RBAC.
+*/}}
+{{- if .Values.watchNamespaces }}
+{{- range .Values.watchNamespaces }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: flink-operator
+  namespace: {{ . }}
+  labels:
+    {{- include "flink-operator.labels" $ | nindent 4 }}
+{{- template "flink-operator.rbacRules" $ }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: flink-operator-role-binding
+  namespace: {{ . }}
+  labels:
+    {{- include "flink-operator.labels" $ | nindent 4 }}
+roleRef:
+  kind: Role
+  name: flink-operator
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "flink-operator.serviceAccountName" $ }}
+    namespace: {{ $.Values.operatorNamespace.name }}
+  - kind: ServiceAccount
+    name: {{ template "flink-operator.serviceAccountName" $ }}
+    namespace: {{ . }}
+---
+{{- end }}
+{{ else }}
+{{/*
+Cluster scoped RBAC.
+*/}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: flink-operator
+  namespace: {{ .Values.operatorNamespace.name }}
+  labels:
+    {{- include "flink-operator.labels" . | nindent 4 }}
+{{- template "flink-operator.rbacRules" $ }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
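Review bot: The namespaced RoleBinding lists two subjects under `subjects:` — the operator's service account from `operatorNamespace` and the same-named service account inside the watched namespace `{{ . }}` — and binds both to the complete `flink-operator.rbacRules` rule set, which visibly includes `"*"` verbs on `ingresses`; if that second subject is the account the jobmanager pods run under, as the README text in this commit suggests, those pods inherit every permission the operator holds in the namespace rather than the subset a jobmanager needs. A separate, narrower Role for the in-namespace account would keep least privilege, or at minimum a comment on the second subject explaining the grant, e.g. `# jobmanager pods use this account; they currently receive the full operator rule set`. Minor: `namespace: {{ .Values.operatorNamespace.name }}` under the ClusterRole's `metadata:` is carried over from the removed lines, but ClusterRole is cluster-scoped, so the field has no effect and can be dropped. The rule list behind `flink-operator.rbacRules` is defined in the previous hunk and its body lies between the two hunks, so I cannot see which other resources the jobmanager account ends up with.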
@@ -90,3 +135,4 @@ subjects:
     name: {{ template "flink-operator.serviceAccountName" . }}
     namespace: {{ .Values.operatorNamespace.name }}
 {{- end }}
+{{- end }}
diff --git a/helm/flink-operator/templates/serviceaccount.yaml 
b/helm/flink-operator/templates/serviceaccount.yaml
index 5e22cbc..b802b2a 100644
--- a/helm/flink-operator/templates/serviceaccount.yaml
+++ b/helm/flink-operator/templates/serviceaccount.yaml
@@ -29,4 +29,21 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+---
+{{- if .Values.watchNamespaces}}
+{{- range .Values.watchNamespaces }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "flink-operator.serviceAccountName" $ }}
+  namespace: {{ . }}
+  labels:
+    {{- include "flink-operator.labels" $ | nindent 4 }}
+  {{- with $.Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml $ | nindent 4 }}
+  {{- end }}
+---
+{{- end }}
+{{- end }}
 {{- end }}
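Review bot: `{{- toYaml $ | nindent 4 }}` inside the `{{- with $.Values.serviceAccount.annotations }}` block serialises the chart's root context (`$` is the whole `.Values`/`.Release`/`.Chart`/`.Capabilities` object) instead of the annotations map, so each per-namespace ServiceAccount is rendered with a nested, non-string annotation value that the API server should reject, and every chart value would be copied into the manifest on the way; inside `with` the dot already is the annotations map, and the account rendered just above uses exactly that form, so the line should read `{{- toYaml . | nindent 4 }}`. Separately, when the operator's own namespace is included in `watchNamespaces` this range emits a second ServiceAccount with the same name and namespace as the one above in the same release, which is worth either skipping with a comparison against `$.Values.operatorNamespace.name` or documenting in values.yaml. Style: `{{- if .Values.watchNamespaces}}` lacks the space before `}}` used by every other action in these templates. The final `{{- end }}` closes a conditional that begins outside this hunk.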
diff --git a/helm/flink-operator/values.yaml b/helm/flink-operator/values.yaml
index 8a289e4..51c059f 100644
--- a/helm/flink-operator/values.yaml
+++ b/helm/flink-operator/values.yaml
@@ -21,7 +21,8 @@
 operatorNamespace:
   name: default
 
-# List of kubernetes namespaces to watch for FlinkDeployment changes, empty 
means all namespaces
+# List of kubernetes namespaces to watch for FlinkDeployment changes, empty 
means all namespaces.
+# When enabled RBAC is only created for said namespaces, otherwise it is done 
for the cluster scope.
 # watchNamespaces: ["flink"]
 
 image:
