feat(cloudnative-pg): add user facing roles view and edit

Signed-off-by: Antoine Millet <[email protected]>
cloudnative-pg · Oct 2, 2022 · 3bf90e0 · 3bf90e0
1 parent e615cd6
commit 3bf90e0
Show file tree

Hide file tree

Showing 4 changed files with 57 additions and 0 deletions.
diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md
@@ -39,6 +39,7 @@ CloudNativePG Helm Chart
 | nodeSelector | object | `{}` | Nodeselector for the operator to be installed |
 | podAnnotations | object | `{}` | Annotations to be added to the pod |
 | podSecurityContext | object | `{"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security Context for the whole pod |
+| rbac.aggregateClusterRoles | bool | `true` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
 | rbac.create | bool | `true` | Specifies whether ClusterRole and ClusterRoleBinding should be created |
 | replicaCount | int | `1` |  |
 | resources | object | `{}` |  |

diff --git a/charts/cloudnative-pg/templates/rbac.yaml b/charts/cloudnative-pg/templates/rbac.yaml
@@ -378,4 +378,54 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "cloudnative-pg.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-view
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "cloudnative-pg.fullname" . }}-edit
+  labels:
+    {{- include "cloudnative-pg.labels" . | nindent 4 }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- end }}
+rules:
+- apiGroups:
+  - postgresql.cnpg.io
+  resources:
+  - backups
+  - clusters
+  - poolers
+  - scheduledbackups
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
 {{- end }}
diff --git a/charts/cloudnative-pg/values.schema.json b/charts/cloudnative-pg/values.schema.json
@@ -97,6 +97,9 @@
             "properties": {
                 "create": {
                     "type": "boolean"
+                },
+                "aggregateClusterRoles": {
+                    "type": "boolean"
                 }
             }
         },

diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml
@@ -67,6 +67,9 @@ serviceAccount:
 rbac:
   # -- Specifies whether ClusterRole and ClusterRoleBinding should be created
   create: true
+  # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+  # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  aggregateClusterRoles: true
 
 # -- Annotations to be added to the pod
 podAnnotations: {}