Add RBAC role, constrain pods write ops to namespace

Signed-off-by: Stano Bocinec <stano@redpanda.com> (cherry picked from commit 1cd1a26d)

Add RBAC role, constrain pods write ops to namespace
c5fcfc17 · Stano Bocinec · Derek Su · 74956939 · c5fcfc17 · c5fcfc17
Commit c5fcfc17 authored May 4, 2023 by Stano Bocinec Committed by Derek Su Nov 19, 2023
--- a/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
+++ b/deploy/chart/local-path-provisioner/templates/clusterrole.yaml
@@ -10,7 +10,10 @@ rules:
    resources: ["nodes", "persistentvolumeclaims", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [ "" ]
-  resources: ["endpoints", "persistentvolumes", "pods"]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [""]
+    resources: ["endpoints", "persistentvolumes"]
    verbs: ["*"]
  - apiGroups: [ "" ]
    resources: [ "events" ]

--- a/deploy/chart/local-path-provisioner/templates/role.yaml
+++ b/deploy/chart/local-path-provisioner/templates/role.yaml
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "local-path-provisioner.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+{{- end -}}
--- a/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
+++ b/deploy/chart/local-path-provisioner/templates/rolebinding.yaml
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "local-path-provisioner.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{ include "local-path-provisioner.labels" . | indent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ template "local-path-provisioner.fullname" . }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "local-path-provisioner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}
--- a/deploy/local-path-storage.yaml
+++ b/deploy/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
  name: local-path-provisioner-service-account
  namespace: local-path-storage

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: local-path-provisioner-role
+  namespace: local-path-storage
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -20,7 +31,10 @@ rules:
    resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "" ]
-    resources: [ "endpoints", "persistentvolumes", "pods" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints", "persistentvolumes" ]
    verbs: [ "*" ]
  - apiGroups: [ "" ]
    resources: [ "events" ]
@@ -29,6 +43,21 @@ rules:
    resources: [ "storageclasses" ]
    verbs: [ "get", "list", "watch" ]

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: local-path-storage
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: local-path-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

--- a/examples/quota/local-path-storage.yaml
+++ b/examples/quota/local-path-storage.yaml
@@ -10,6 +10,17 @@ metadata:
  name: local-path-provisioner-service-account
  namespace: local-path-storage

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: local-path-provisioner-role
+  namespace: local-path-storage
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: ["get", "list", "watch", "create", "patch", "update", "delete"]
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -20,7 +31,10 @@ rules:
    resources: [ "nodes", "persistentvolumeclaims", "configmaps" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "" ]
-    resources: [ "endpoints", "persistentvolumes", "pods" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints", "persistentvolumes" ]
    verbs: [ "*" ]
  - apiGroups: [ "" ]
    resources: [ "events" ]
@@ -29,6 +43,21 @@ rules:
    resources: [ "storageclasses" ]
    verbs: [ "get", "list", "watch" ]

+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: local-path-provisioner-bind
+  namespace: local-path-storage
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: local-path-provisioner-role
+subjects:
+  - kind: ServiceAccount
+    name: local-path-provisioner-service-account
+    namespace: local-path-storage
+
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding