From 0c17748c4412b5f6ac8532586ed41accb0471c74 Mon Sep 17 00:00:00 2001 From: Reddysekhar Gaduputi Date: Mon, 3 Jun 2024 14:47:23 +0530 Subject: [PATCH] Chart: Make admission webhook patch job RBAC configurable. (#11376) * Add an option to skip rbac resources creation in helm chart for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi * Add an option to skip rbac resources creation in helm chart update README (#11375) Signed-off-by: Reddysekhar Gaduputi * Add an option to skip serviceAccount resources creation in helm chart for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi * Add helm chart tests for admission-webhooks (#11375) Signed-off-by: Reddysekhar Gaduputi * Chart make admission webhook patch job RBAC configurable (#11375) Signed-off-by: Reddysekhar Gaduputi * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml Co-authored-by: Marco Ebert * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml Co-authored-by: Marco Ebert * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml Co-authored-by: Marco Ebert * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml Co-authored-by: Marco Ebert * Update charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml Co-authored-by: Marco Ebert --------- Signed-off-by: Reddysekhar Gaduputi Co-authored-by: Marco Ebert --- charts/ingress-nginx/README.md | 6 +++ charts/ingress-nginx/templates/_helpers.tpl | 11 +++++ .../job-patch/clusterrole.yaml | 2 +- .../job-patch/clusterrolebinding.yaml | 4 +- .../job-patch/job-createSecret.yaml | 2 +- .../job-patch/job-patchWebhook.yaml | 2 +- .../admission-webhooks/job-patch/role.yaml | 2 +- .../job-patch/rolebinding.yaml | 4 +- .../job-patch/serviceaccount.yaml | 5 +- .../job-patch/clusterrole_test.yaml | 11 +++++ .../job-patch/clusterrolebinding_test.yaml | 11 +++++ .../job-patch/role_test.yaml | 11 +++++ .../job-patch/rolebinding_test.yaml | 11 +++++ .../job-patch/serviceaccount_test.yaml | 47 +++++++++++++++++++ charts/ingress-nginx/values.yaml | 12 +++++ 15 files changed, 131 insertions(+), 10 deletions(-) create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml create mode 100644 charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml diff --git a/charts/ingress-nginx/README.md b/charts/ingress-nginx/README.md index 2141ef44c..d73a50114 100644 --- a/charts/ingress-nginx/README.md +++ b/charts/ingress-nginx/README.md @@ -263,7 +263,13 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | | controller.admissionWebhooks.patch.podAnnotations | object | `{}` | | | controller.admissionWebhooks.patch.priorityClassName | string | `""` | Provide a priority class name to the webhook patching job # | +| controller.admissionWebhooks.patch.rbac | object | `{"create":true}` | Admission webhook patch job RBAC | +| controller.admissionWebhooks.patch.rbac.create | bool | `true` | Create RBAC or not | | controller.admissionWebhooks.patch.securityContext | object | `{}` | Security context for secret creation & webhook patch pods | +| controller.admissionWebhooks.patch.serviceAccount | object | `{"automountServiceAccountToken":true,"create":true,"name":""}` | Admission webhook patch job service account | +| controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token or not | +| controller.admissionWebhooks.patch.serviceAccount.create | bool | `true` | Create a service account or not | +| controller.admissionWebhooks.patch.serviceAccount.name | string | `""` | Custom service account name | | controller.admissionWebhooks.patch.tolerations | list | `[]` | | | controller.admissionWebhooks.patchWebhookJob.name | string | `"patch"` | | | controller.admissionWebhooks.patchWebhookJob.resources | object | `{}` | | diff --git a/charts/ingress-nginx/templates/_helpers.tpl b/charts/ingress-nginx/templates/_helpers.tpl index 9ac2dc569..0c6a3e207 100644 --- a/charts/ingress-nginx/templates/_helpers.tpl +++ b/charts/ingress-nginx/templates/_helpers.tpl @@ -167,6 +167,17 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- printf "%s-%s" (include "ingress-nginx.fullname" .) .Values.controller.admissionWebhooks.name | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Create the name of the admission webhook patch job service account to use +*/}} +{{- define "ingress-nginx.admissionWebhooks.patch.serviceAccountName" -}} +{{- if .Values.controller.admissionWebhooks.patch.serviceAccount.create -}} + {{ default (include "ingress-nginx.admissionWebhooks.fullname" .) .Values.controller.admissionWebhooks.patch.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.controller.admissionWebhooks.patch.serviceAccount.name }} +{{- end -}} +{{- end -}} + {{/* Create a default fully qualified admission webhook secret creation job name. We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml index 8271dc404..a21848201 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml index 3fe842d1f..b89388433 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -18,6 +18,6 @@ roleRef: name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml index 0a21f856a..176616467 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml @@ -66,7 +66,7 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.createSecretJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml index ce9985aa5..f7d44a24d 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml @@ -68,7 +68,7 @@ spec: resources: {{ toYaml .Values.controller.admissionWebhooks.patchWebhookJob.resources | nindent 12 }} {{- end }} restartPolicy: OnFailure - serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + serviceAccountName: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} {{- if .Values.controller.admissionWebhooks.patch.nodeSelector }} nodeSelector: {{ toYaml .Values.controller.admissionWebhooks.patch.nodeSelector | nindent 8 }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml index 5b05d9b00..c4b23aa08 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/role.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml index 48a175566..425e8d821 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml @@ -1,4 +1,4 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.rbac.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: @@ -19,6 +19,6 @@ roleRef: name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} subjects: - kind: ServiceAccount - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} {{- end }} diff --git a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml index 91bbf22bb..52f94dcce 100644 --- a/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +++ b/charts/ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml @@ -1,8 +1,8 @@ -{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled (not .Values.controller.admissionWebhooks.certManager.enabled) -}} +{{- if and .Values.controller.admissionWebhooks.enabled .Values.controller.admissionWebhooks.patch.enabled .Values.controller.admissionWebhooks.patch.serviceAccount.create (not .Values.controller.admissionWebhooks.certManager.enabled) -}} apiVersion: v1 kind: ServiceAccount metadata: - name: {{ include "ingress-nginx.admissionWebhooks.fullname" . }} + name: {{ include "ingress-nginx.admissionWebhooks.patch.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} annotations: "helm.sh/hook": pre-install,pre-upgrade,post-install,post-upgrade @@ -13,4 +13,5 @@ metadata: {{- with .Values.controller.admissionWebhooks.patch.labels }} {{- toYaml . | nindent 4 }} {{- end }} +automountServiceAccountToken: {{ .Values.controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml new file mode 100644 index 000000000..d7a8b8852 --- /dev/null +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrole_test.yaml @@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > ClusterRole +templates: + - admission-webhooks/job-patch/clusterrole.yaml + +tests: + - it: should not create a ClusterRole if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml new file mode 100644 index 000000000..d7c3266d2 --- /dev/null +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/clusterrolebinding_test.yaml @@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > ClusterRoleBinding +templates: + - admission-webhooks/job-patch/clusterrolebinding.yaml + +tests: + - it: should not create a ClusterRoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml new file mode 100644 index 000000000..a236f3d7b --- /dev/null +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/role_test.yaml @@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > Role +templates: + - admission-webhooks/job-patch/role.yaml + +tests: + - it: should not create a Role if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml new file mode 100644 index 000000000..74abaa163 --- /dev/null +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/rolebinding_test.yaml @@ -0,0 +1,11 @@ +suite: Admission Webhooks > Patch Job > RoleBinding +templates: + - admission-webhooks/job-patch/rolebinding.yaml + +tests: + - it: should not create a RoleBinding if `controller.admissionWebhooks.patch.rbac.create` is false + set: + controller.admissionWebhooks.patch.rbac.create: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml new file mode 100644 index 000000000..7c30d1e66 --- /dev/null +++ b/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml @@ -0,0 +1,47 @@ +suite: Admission Webhooks > Patch Job > ServiceAccount +templates: + - admission-webhooks/job-patch/serviceaccount.yaml + +tests: + - it: should not create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is false + set: + controller.admissionWebhooks.patch.serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ServiceAccount if `controller.admissionWebhooks.patch.serviceAccount.create` is true + set: + controller.admissionWebhooks.patch.serviceAccount.create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission + + - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set + set: + controller.admissionWebhooks.patch.serviceAccount.name: ingress-nginx-admission-test-sa + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission-test-sa + + - it: should create a ServiceAccount with token auto-mounting disabled if `controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken` is false + set: + controller.admissionWebhooks.patch.serviceAccount.automountServiceAccountToken: false + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: automountServiceAccountToken + value: false diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index 0fd0ccc7b..f09edbe74 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -822,6 +822,18 @@ controller: labels: {} # -- Security context for secret creation & webhook patch pods securityContext: {} + # -- Admission webhook patch job RBAC + rbac: + # -- Create RBAC or not + create: true + # -- Admission webhook patch job service account + serviceAccount: + # -- Create a service account or not + create: true + # -- Custom service account name + name: "" + # -- Auto-mount service account token or not + automountServiceAccountToken: true # Use certmanager to generate webhook certs certManager: enabled: false