From 1cd1a26d35d0ee89a65d0047ea66963c3dc83973 Mon Sep 17 00:00:00 2001
From: Stano Bocinec <stano@redpanda.com>
Date: Thu, 4 May 2023 16:18:07 +0200
Subject: [PATCH] Add RBAC role, constrain pods write ops to namespace

Signed-off-by: Stano Bocinec <stano@redpanda.com>
---
 .../templates/clusterrole.yaml                | 27 +++++++++-------
 .../templates/role.yaml                       | 13 ++++++++
 .../templates/rolebinding.yaml                | 17 ++++++++++
 deploy/local-path-storage.yaml                | 31 ++++++++++++++++++-
 examples/quota/local-path-storage.yaml        | 31 ++++++++++++++++++-
 5 files changed, 105 insertions(+), 14 deletions(-)
 create mode 100644 deploy/chart/local-path-provisioner/templates/role.yaml
 create mode 100644 deploy/chart/local-path-provisioner/templates/rolebinding.yaml

diff --git a/deploy/chart/local-path-provisioner/templates/clusterrole.yaml b/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
index a9fd1c67..7f58506a 100644
--- a/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
+++ b/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
@@ -6,16 +6,19 @@ metadata:
   labels:
 {{ include "local-path-provisioner.labels" . | indent 4 }}
 rules:
-- apiGroups: [""]
-  resources: ["nodes", "persistentvolumeclaims", "configmaps"]
-  verbs: ["get", "list", "watch"]
-- apiGroups: [""]
-  resources: ["endpoints", "persistentvolumes", "pods"]
-  verbs: ["*"]
-- apiGroups: [""]
-  resources: ["events"]
-  verbs: ["create", "patch"]
-- apiGroups: ["storage.k8s.io"]
-  resources: ["storageclasses"]
-  verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["nodes", "persistentvolumeclaims", "configmaps"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [""]
+    resources: ["endpoints", "persistentvolumes"]
+    verbs: ["*"]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "create", "patch" ]
+  - apiGroups: ["storage.k8s.io"]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
 {{- end -}}
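Review bot: The split-out rule for `endpoints` and `persistentvolumes` still carries `verbs: ["*"]` in a ClusterRole, so the commit narrows pods but leaves a cluster-wide wildcard on two other resources; `*` also covers verbs such as `deletecollection` and any verb a future API adds. I would enumerate the verbs the controller actually issues, the pattern the `pods` and `events` rules in this same list already follow, and confirm that against the controller code; `persistentvolumes` is cluster-scoped and has to stay here, but if `endpoints` is only used for leader election in the release namespace it could move into the new Role as well. The new entries also alternate between `[""]` and `[ "" ]` bracket spacing within one list, which reads as two authors; pick one form. The same wildcard rule is kept in deploy/local-path-storage.yaml and examples/quota/local-path-storage.yaml.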
diff --git a/deploy/chart/local-path-provisioner/templates/role.yaml b/deploy/chart/local-path-provisioner/templates/role.yaml
new file mode 100644
index 00000000..9562816b
--- /dev/null
+++ b/deploy/chart/local-path-provisioner/templates/role.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "local-path-provisioner.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+{{- end -}}
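Review bot: Nothing in role.yaml says why `pods` write verbs are granted here while read access to the same resource stays in clusterrole.yaml, so a reader of this file alone cannot tell that the two are meant to be complementary. A template comment above the `{{- if .Values.rbac.create -}}` line would make the boundary explicit, e.g. `{{- /* Pod mutations are limited to the release namespace by this Role; cluster-wide pod access in clusterrole.yaml is read-only. */ -}}`. Presumably the namespaced writes are for the helper pods the provisioner launches — worth stating that in the comment once confirmed.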
diff --git a/deploy/chart/local-path-provisioner/templates/rolebinding.yaml b/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
new file mode 100644
index 00000000..53295c31
--- /dev/null
+++ b/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "local-path-provisioner.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "local-path-provisioner.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "local-path-provisioner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
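Review bot: The template mixes `include` for `metadata.name` with `template` for `roleRef.name` and the subject `name`, while clusterrole.yaml and role.yaml use `include` throughout; `include` is the preferred form in Helm since its output can be piped, and one form per chart is easier to grep. Change the two lines to `name: {{ include "local-path-provisioner.fullname" . }}` and `name: {{ include "local-path-provisioner.serviceAccountName" . }}`. The `roleRef.name` does line up with the Role's `metadata.name` in role.yaml, since both come from the fullname helper.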
diff --git a/deploy/local-path-storage.yaml b/deploy/local-path-storage.yaml
index 2130dfea..81864f05 100644
--- a/deploy/local-path-storage.yaml
+++ b/deploy/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
   name: local-path-provisioner-service-account
   namespace: local-path-storage
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: local-path-provisioner-role
+  namespace: local-path-storage
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
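Review bot: The new Role's `verbs` line drops the padded flow-bracket style every other rule in this manifest uses (`[ "" ]`, `[ "pods" ]`, `[ "nodes", ... ]`), so one rules list now carries two spacings. Write it as `verbs: [ "get", "list", "watch", "create", "patch", "update", "delete" ]` to match the file; the same line recurs in examples/quota/local-path-storage.yaml and in the chart's role.yaml. The examples/quota manifest appears to be a verbatim copy of this one (identical hunks at identical offsets), so a one-line comment at the top of each noting that they must be kept in step would lower the odds of the two RBAC definitions drifting apart.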
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -20,7 +31,10 @@ rules:
     resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
     verbs: [ "get", "list", "watch" ]
   - apiGroups: [ "" ]
-    resources: [ "endpoints", "persistentvolumes", "pods" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints", "persistentvolumes" ]
     verbs: [ "*" ]
   - apiGroups: [ "" ]
     resources: [ "events" ]
@@ -29,6 +43,21 @@ rules:
     resources: [ "storageclasses" ]
     verbs: [ "get", "list", "watch" ]
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: local-path-storage
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: local-path-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/examples/quota/local-path-storage.yaml b/examples/quota/local-path-storage.yaml
index 9edb948e..e489eca7 100644
--- a/examples/quota/local-path-storage.yaml
+++ b/examples/quota/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
   name: local-path-provisioner-service-account
   namespace: local-path-storage
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: local-path-provisioner-role
+  namespace: local-path-storage
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -20,7 +31,10 @@ rules:
     resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
     verbs: [ "get", "list", "watch" ]
   - apiGroups: [ "" ]
-    resources: [ "endpoints", "persistentvolumes", "pods" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints", "persistentvolumes" ]
     verbs: [ "*" ]
   - apiGroups: [ "" ]
     resources: [ "events" ]
@@ -29,6 +43,21 @@ rules:
     resources: [ "storageclasses" ]
     verbs: [ "get", "list", "watch" ]
 
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: local-path-storage
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: local-path-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
-- 
GitLab