Merge pull request #381 from matskiv/update-eks-chart
fix: add sync.* values and RBAC changes to EKS chart
FabianKramm authored Feb 17, 2022
2 parents 2b2cc72 + 2f076d8 commit 8c89bf3
Showing 12 changed files with 206 additions and 63 deletions.
51 changes: 51 additions & 0 deletions charts/eks/templates/_helpers.tpl
Expand Up @@ -56,4 +56,55 @@ Get
{{- $}}
{{- define "vcluster.admin.accessKey" -}}
{{- now | unixEpoch | toString | trunc 8 | sha256sum -}}
{{- end -}}

{{/*
Syncer flags for enabling/disabling controllers
Prints only the flags that modify the defaults:
- when default controller has enabled: false => `- "--sync=-controller`
- when non-default controller has enabled: true => `- "--sync=controller`
*/}}
{{- define "vcluster.syncer.syncArgs" -}}
{{- $defaultEnabled := list "services" "configmaps" "secrets" "endpoints" "pods" "events" "persistentvolumeclaims" "ingresses" "fake-nodes" "fake-persistentvolumes" -}}
{{- range $key, $val := .Values.sync }}
{{- if and (has $key $defaultEnabled) (not $val.enabled) }}
- --sync=-{{ $key }}
{{- else if and (not (has $key $defaultEnabled)) ($val.enabled)}}
- --sync={{ $key }}
{{- end -}}
{{- end -}}
{{- end -}}

{{/*
Cluster role rules defined by plugins
*/}}
{{- define "vcluster.plugin.clusterRoleExtraRules" -}}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.clusterRole }}
{{- if $container.rbac.clusterRole.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.clusterRole.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Role rules defined by plugins
*/}}
{{- define "vcluster.plugin.roleExtraRules" -}}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
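Review bot: `vcluster.syncer.syncArgs` dereferences `$val.enabled` for every entry under `.Values.sync`, so a user-supplied entry that is not a map (for example `sync: {nodes: true}`) aborts rendering with a template error, and a map entry without an `enabled` key is treated as disabled and, for a default controller, silently emits `--sync=-<key>`. Guarding both branches would make unknown or malformed keys inert: `{{- if and (has $key $defaultEnabled) (kindIs "map" $val) (hasKey $val "enabled") (not $val.enabled) }}` and the same two checks on the `else if` line. The doc comment above the define also has a stray quote: `- "--sync=-controller` should read `--sync=-controller` (same on the following line).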
31 changes: 18 additions & 13 deletions charts/eks/templates/rbac/clusterrole.yaml
@@ -1,4 +1,4 @@
{{- if .Values.rbac.clusterRole.create }}
{{- if or (not (empty (include "vcluster.plugin.clusterRoleExtraRules" . ))) .Values.rbac.clusterRole.create .Values.sync.nodes.enabled .Values.sync.persistentvolumes.enabled .Values.sync.storageclasses.enabled .Values.sync.priorityclasses.enabled .Values.sync.volumesnapshots.enabled -}}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
Expand All @@ -9,36 +9,41 @@ metadata:
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
rules:
{{- if or .Values.sync.nodes.enabled .Values.rbac.clusterRole.create }}
- apiGroups: [""]
resources: ["nodes", "nodes/status"]
verbs: ["get", "watch", "list", "update", "patch"]
verbs: ["get", "watch", "list"]
- apiGroups: [""]
resources: ["pods", "nodes/proxy", "nodes/metrics", "nodes/stats"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if or (and .Values.sync.nodes.enabled .Values.sync.nodes.syncNodeChanges) .Values.rbac.clusterRole.create }}
- apiGroups: [""]
resources: ["nodes", "nodes/status"]
verbs: ["update", "patch"]
{{- end }}
{{- if or .Values.sync.persistentvolumes.enabled .Values.rbac.clusterRole.create }}
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
{{- end }}
{{- if or .Values.sync.storageclasses.enabled .Values.rbac.clusterRole.create }}
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["create", "delete", "patch", "update", "get", "watch", "list"]
verbs: ["get", "watch", "list"]
{{- end }}
{{- if or .Values.sync.priorityclasses.enabled .Values.rbac.clusterRole.create }}
- apiGroups: ["scheduling.k8s.io"]
resources: ["priorityclasses"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if or .Values.sync.volumesnapshots.enabled .Values.rbac.clusterRole.create }}
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.clusterRole }}
{{- if $container.rbac.clusterRole.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.clusterRole.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- include "vcluster.plugin.clusterRoleExtraRules" . | indent 2 }}
{{- end }}
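Review bot: The guard on the first line now creates the ClusterRole (and, in clusterrolebinding.yaml, its binding) as soon as any `plugin.*.rbac.clusterRole.extraRules` entry is non-empty, independently of `rbac.clusterRole.create`; since those rules are copied verbatim via `toJson`, plugin values alone now decide the cluster-wide permissions of the vcluster service account, which deserves a comment next to the `plugin` block in values.yaml. The long `or` expression is also duplicated byte-for-byte between clusterrole.yaml and clusterrolebinding.yaml, so the two can drift and leave a binding without a role or a role without a binding. Moving it into a helper in _helpers.tpl that prints `true` when a ClusterRole is needed, and testing it in both files with `{{- if eq (include "vcluster.clusterRole.needed" .) "true" }}`, keeps them in step. The enclosing `if` closes at the last line of this hunk, but the rules list between the two hunks is only partly visible.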
2 changes: 1 addition & 1 deletion charts/eks/templates/rbac/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
{{- if .Values.rbac.clusterRole.create }}
{{- if or (not (empty (include "vcluster.plugin.clusterRoleExtraRules" . ))) .Values.rbac.clusterRole.create .Values.sync.nodes.enabled .Values.sync.persistentvolumes.enabled .Values.sync.storageclasses.enabled .Values.sync.priorityclasses.enabled .Values.sync.volumesnapshots.enabled -}}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
26 changes: 14 additions & 12 deletions charts/eks/templates/rbac/role.yaml
Expand Up @@ -22,28 +22,30 @@ rules:
- apiGroups: ["apps"]
resources: ["statefulsets", "replicasets", "deployments"]
verbs: ["get", "list", "watch"]
{{- if .Values.rbac.role.extended }}
{{- if or .Values.sync.networkpolicies.enabled .Values.rbac.role.extended }}
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if or .Values.sync.volumesnapshots.enabled .Values.rbac.role.extended }}
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if or .Values.sync.serviceaccounts.enabled .Values.rbac.role.extended }}
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if or .Values.sync.poddisruptionbudgets.enabled .Values.rbac.role.extended }}
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["create", "delete", "patch", "update", "get", "list", "watch"]
{{- end }}
{{- if .Values.openshift.enable }}
- apiGroups: [""]
resources: ["endpoints/restricted"]
verbs: ["create"]
{{- end }}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
{{- end }}
7 changes: 7 additions & 0 deletions charts/eks/templates/syncer-deployment.yaml
Expand Up @@ -101,6 +101,13 @@ spec:
{{- if .Values.ingress.enabled }}
- --tls-san={{ .Values.ingress.host }}
{{- end }}
{{- include "vcluster.syncer.syncArgs" . | indent 10 -}}
{{- if .Values.sync.nodes.syncAllNodes }}
- --sync-all-nodes
{{- end }}
{{- if .Values.sync.nodes.nodeSelector }}
- --node-selector={{ .Values.sync.nodes.nodeSelector }}
{{- end }}
{{- range $f := .Values.syncer.extraArgs }}
- {{ $f | quote }}
{{- end }}
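Review bot: `- --node-selector={{ .Values.sync.nodes.nodeSelector }}` is emitted as a plain YAML scalar, so a selector containing `: ` or ` #` would break the rendered manifest, while the `extraArgs` entries two lines below are passed through `quote`. Rendering the whole argument quoted keeps the two consistent: `- {{ printf "--node-selector=%s" .Values.sync.nodes.nodeSelector | quote }}`. The `--sync=` lines produced by the included helper interpolate `$key` unquoted in the same way; the containing `args` list starts outside the hunk.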
65 changes: 61 additions & 4 deletions charts/eks/values.yaml
Expand Up @@ -25,6 +25,58 @@ plugin: {}
# role:
# extraRules: ...

# Resource syncers that should be enabled/disabled.
# Enabling syncers will impact RBAC Role and ClusterRole permissions.
# To disable a syncer set "enabled: false".
# See docs for details - https://www.vcluster.com/docs/architecture/synced-resources
sync:
services:
enabled: true
configmaps:
enabled: true
secrets:
enabled: true
endpoints:
enabled: true
pods:
enabled: true
events:
enabled: true
persistentvolumeclaims:
enabled: true
ingresses:
enabled: true
fake-nodes:
enabled: true # will be ignored if nodes.enabled = true
fake-persistentvolumes:
enabled: true # will be ignored if persistentvolumes.enabled = true
nodes:
enabled: false
# If nodes sync is enabled, and syncAllNodes = true, the virtual cluster
# will sync all nodes instead of only the ones where some pods are running.
syncAllNodes: false
# nodeSelector is used to limit which nodes get synced to the vcluster,
# and which nodes are used to run vcluster pods.
# A valid string representation of a label selector must be used.
nodeSelector: ""
# syncNodeChanges allows vcluster user edits of the nodes to be synced down to the host nodes.
# Write permissions on node resource will be given to the vcluster.
syncNodeChanges: false
persistentvolumes:
enabled: false
storageclasses:
enabled: false
priorityclasses:
enabled: false
networkpolicies:
enabled: false
volumesnapshots:
enabled: false
poddisruptionbudgets:
enabled: false
serviceaccounts:
enabled: false

# Syncer configuration
syncer:
# Image to use for the syncer
Expand Down Expand Up @@ -145,13 +197,18 @@ serviceAccount:
# Roles & ClusterRoles for the vcluster
rbac:
clusterRole:
# Enable this to let the vcluster sync
# real nodes, storage classes and priority classes
# Deprecated !
# Necessary cluster roles are created based on the enabled syncers (.sync.*.enabled)
# Support for this value will be removed in a future version of the vcluster
create: false
role:
# This is required for basic functionality of vcluster
# Deprecated !
# Support for this value will be removed in a future version of the vcluster
# and basic role will always be created
create: true
# Extended role permissions are required for some optional features, e.g. Networkpolicy sync
# Deprecated !
# Necessary extended roles are created based on the enabled syncers (.sync.*.enabled)
# Support for this value will be removed in a future version of the vcluster
extended: false

# Service configurations
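Review bot: The deprecation comment for `rbac.clusterRole.create` says the necessary roles are now derived from `.sync.*.enabled` but does not say what `create: true` still does: in clusterrole.yaml every rule block is `or`-ed with this flag, including the nodes `update`/`patch` rule that is otherwise gated on `sync.nodes.syncNodeChanges`, so the flag grants the union of all cluster-scope permissions regardless of which syncers are on. Suggest adding `# Setting this to true grants the ClusterRole rules for all syncers at once (a superset of the .sync.* based rules)` under the `# Deprecated !` line. The commented `extraRules` example in the `plugin` block could likewise note that a non-empty `clusterRole.extraRules` now causes the ClusterRole and its binding to be created even when this flag is false. The `fake-nodes` and `fake-persistentvolumes` keys are the only kebab-case entries in the file and presumably must match the controller names listed in `$defaultEnabled` in _helpers.tpl, which is worth a one-line comment so nobody normalises them.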
17 changes: 17 additions & 0 deletions charts/k0s/templates/_helpers.tpl
Expand Up @@ -90,4 +90,21 @@ Cluster role rules defined by plugins
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Role rules defined by plugins
*/}}
{{- define "vcluster.plugin.roleExtraRules" -}}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
12 changes: 1 addition & 11 deletions charts/k0s/templates/rbac/role.yaml
Expand Up @@ -47,15 +47,5 @@ rules:
resources: ["endpoints/restricted"]
verbs: ["create"]
{{- end }}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
{{- end }}
17 changes: 17 additions & 0 deletions charts/k3s/templates/_helpers.tpl
Expand Up @@ -90,4 +90,21 @@ Cluster role rules defined by plugins
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Role rules defined by plugins
*/}}
{{- define "vcluster.plugin.roleExtraRules" -}}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
12 changes: 1 addition & 11 deletions charts/k3s/templates/rbac/role.yaml
Expand Up @@ -47,15 +47,5 @@ rules:
resources: ["endpoints/restricted"]
verbs: ["create"]
{{- end }}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
{{- end }}
17 changes: 17 additions & 0 deletions charts/k8s/templates/_helpers.tpl
Expand Up @@ -90,4 +90,21 @@ Cluster role rules defined by plugins
{{- end }}
{{- end }}
{{- end }}
{{- end -}}

{{/*
Role rules defined by plugins
*/}}
{{- define "vcluster.plugin.roleExtraRules" -}}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end -}}
12 changes: 1 addition & 11 deletions charts/k8s/templates/rbac/role.yaml
Expand Up @@ -47,15 +47,5 @@ rules:
resources: ["endpoints/restricted"]
verbs: ["create"]
{{- end }}
{{- range $key, $container := .Values.plugin }}
{{- if $container.rbac }}
{{- if $container.rbac.role }}
{{- if $container.rbac.role.extraRules }}
{{- range $ruleIndex, $rule := $container.rbac.role.extraRules }}
- {{ toJson $rule }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
{{- include "vcluster.plugin.roleExtraRules" . | indent 2 }}
{{- end }}
