Add the capability to use RoleBindings instead of ClusterRoleBindings (…#841)

### Description
This PR introduces a new key to the Helm values named `useRoleBindings`
which when set to `true` creates Kubernetes RoleBindings instead of
ClusterRoleBindings

### Issues Resolved
Closes
#831

### Check List
- [x] Commits are signed per the DCO using --signoff 
- [ ] Unittest added for the new/changed functionality and all unit
tests are successful
- [x] Customer-visible features documented
- [ ] No linter warnings (`make lint`)

If CRDs are changed:
- [ ] CRD YAMLs updated (`make manifests`) and also copied into the helm
chart
- [ ] Changes to CRDs documented

Please refer to the [PR
guidelines](https://github.com/opensearch-project/opensearch-k8s-operator/blob/main/docs/developing.md#submitting-a-pr)
before submitting this pull request.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and
signing off your commits, please check
[here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

---------

Signed-off-by: Nilushan Costa <[email protected]>
Signed-off-by: Nilushan Costa <[email protected]>
Co-authored-by: Sebastian Woehrl <[email protected]>
nilushancosta and swoehrl-mw authored Oct 29, 2024
1 parent c9e7f11 commit a6de94c
Showing 5 changed files with 60 additions and 24 deletions.

This file was deleted.

@@ -0,0 +1,27 @@
{{- if .Values.useRoleBindings }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-manager-role
subjects:
- kind: ServiceAccount
name: {{ include "opensearch-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-manager-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-manager-role
subjects:
- kind: ServiceAccount
name: {{ include "opensearch-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
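
Review bot: the RoleBinding in the `if .Values.useRoleBindings` branch has no `metadata.namespace`, so where it lands depends on the namespace passed to Helm at install time; output from `helm template` applied with kubectl would go to whatever namespace the kubectl context points at. Since the subject already uses `namespace: {{ .Release.Namespace }}`, set the same value under `metadata` of the RoleBinding so the scope of the grant is explicit in the manifest. The two branches also differ only in `kind`, so a single document with a templated `kind` would keep the `roleRef` and `subjects` from drifting apart later.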

This file was deleted.

@@ -0,0 +1,27 @@
{{- if .Values.useRoleBindings }}
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-role
subjects:
- kind: ServiceAccount
name: {{ include "opensearch-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- else }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "opensearch-operator.fullname" . }}-{{ .Release.Namespace }}-proxy-role
subjects:
- kind: ServiceAccount
name: {{ include "opensearch-operator.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
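
Review bot: the RoleBinding branch still points `roleRef` at the ClusterRole `...-proxy-role`, and a RoleBinding only grants the namespaced rules of a ClusterRole inside its own namespace; any rule in that role for a cluster-scoped resource stops being effective when `useRoleBindings` is true. The role's rules are not part of this diff, so please confirm that the proxy role (and the manager role in the sibling template) contain nothing cluster-scoped, or keep a ClusterRoleBinding for those rules and document which permissions remain cluster-wide. As in the manager template, `metadata.namespace` is missing on the RoleBinding and should be set to `{{ .Release.Namespace }}`.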
6 changes: 6 additions & 0 deletions charts/opensearch-operator/values.yaml
Expand Up @@ -115,3 +115,9 @@ kubeRbacProxy:
image:
repository: "gcr.io/kubebuilder/kube-rbac-proxy"
tag: "v0.15.0"

## If this is set to true, RoleBindings will be used instead of ClusterRoleBindings, inorder to restrict ClusterRoles
## to the namespace where the operator and OpenSearch cluster are in. In that case, specify the namespace where they
## are in in manager.watchNamespace field.
## If false, ClusterRoleBindings will be used
useRoleBindings: false
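
Review bot: the comment above `useRoleBindings` tells users to put the namespace in `manager.watchNamespace`, but both new templates bind only in `.Release.Namespace` and never read `watchNamespace`, so a watch namespace that differs from the release namespace would leave the operator without permissions there. State in the comment that the two must be the same namespace when `useRoleBindings` is true, or have the chart fail rendering when they differ. The comment also has typos to fix while here: "inorder" should be "in order" and "are in in manager.watchNamespace field" should read "are in, in the manager.watchNamespace field".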
