feat: customizable RBAC templates#563
Conversation
…source rules (closes yonahd#561)
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #563 +/- ##
=======================================
Coverage 46.56% 46.56%
=======================================
Files 69 69
Lines 3930 3930
=======================================
Hits 1830 1830
Misses 1794 1794
Partials 306 306 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
@sleeyax To generate the Readme |
sleeyax
force-pushed
the
feat/role-customizations
branch
from
f3d34c7 to
456de62
Compare
done. |
|
@sleeyax can you fix the chart and pull the namespacing code to a separate pr? |
|
@yonahd Sure. I'll pick this back up next week. |
This commit changes from flat list configs to an array of rules.
sleeyax
force-pushed
the
feat/role-customizations
branch
from
d06a92a to
deaaac5
Compare
There was a problem hiding this comment.
Pull request overview
This pull request refactors the Helm chart's RBAC resource generation to make it more flexible and customizable. It addresses issue #561, which requested the ability to customize ClusterRole resources for permission-limited clusters.
Changes:
- Adds configurable RBAC generation with
rbac.createfield supporting multiple modes (true/false/"role"/"clusterrole") - Introduces customizable
rbac.rulesarray allowing users to define their own RBAC permissions - Replaces hardcoded RBAC rules with proper API group to resource mappings, removing the overly permissive wildcard
apiGroups: ["*"]pattern
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| charts/kor/values.yaml | Adds new rbac configuration section with create and rules fields, providing default rules with proper API group mappings for all previously supported resources |
| charts/kor/templates/_helpers.tpl | Adds three helper functions: kor.createRole, kor.createClusterRole for conditional resource creation, and kor.resourceRules for generating RBAC rules from values |
| charts/kor/templates/role.yaml | Refactors to use new helper functions and removes hardcoded rules, making both Role and ClusterRole conditional and rule-customizable |
| charts/kor/templates/rolebinding.yaml | Adds conditional rendering for RoleBinding and ClusterRoleBinding based on whether corresponding Role/ClusterRole are being created |
| charts/kor/Chart.yaml | Bumps chart version from 0.2.13 to 0.2.14 |
| charts/kor/README.md | Updates documentation to reflect new version and adds documentation for new rbac.create and rbac.rules configuration options |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| {{- $create := .Values.rbac.create -}} | ||
| {{- if or (eq (toString $create) "true") (eq $create "role") }}true{{- end }} | ||
| {{- end }} | ||
|
|
||
| {{/* | ||
| Check if ClusterRole should be created | ||
| */}} | ||
| {{- define "kor.createClusterRole" -}} | ||
| {{- $create := .Values.rbac.create -}} | ||
| {{- if or (eq (toString $create) "true") (eq $create "clusterrole") }}true{{- end }} |
There was a problem hiding this comment.
The helper function doesn't handle edge cases where rbac.create is set to an unexpected value (e.g., "ClusterRole" with different casing). Consider normalizing the value using lower to be case-insensitive, or provide validation to handle unexpected values gracefully. Currently, invalid values would silently result in no RBAC resources being created, which could cause the application to fail with permission errors.
| {{- $create := .Values.rbac.create -}} | |
| {{- if or (eq (toString $create) "true") (eq $create "role") }}true{{- end }} | |
| {{- end }} | |
| {{/* | |
| Check if ClusterRole should be created | |
| */}} | |
| {{- define "kor.createClusterRole" -}} | |
| {{- $create := .Values.rbac.create -}} | |
| {{- if or (eq (toString $create) "true") (eq $create "clusterrole") }}true{{- end }} | |
| {{- $create := .Values.rbac.create | toString | lower -}} | |
| {{- if or (eq $create "true") (eq $create "role") }}true{{- end }} | |
| {{- end }} | |
| {{/* | |
| Check if ClusterRole should be created | |
| */}} | |
| {{- define "kor.createClusterRole" -}} | |
| {{- $create := .Values.rbac.create | toString | lower -}} | |
| {{- if or (eq $create "true") (eq $create "clusterrole") }}true{{- end }} |
|
@yonahd Do you actually care about the comments made by copilot? Seems like it's mostly nitpicking on things. Also most of it is no longer relevant now that I implemented your suggestion. I would appreciate a final human review more. |
yonahd
left a comment
yonahd
left a comment
There was a problem hiding this comment.
Looks good to me.
Thanks for the contribution!
|
@sleeyax I'd like to merge. |
You should have push permission to the branch. Otherwise I'll update it in 2 hours or so from now. |
|
@yonahd I just regenerated the README.md. Hopefully the pipeline succeeds now. |
What this PR does / why we need it?
This pull request refactors how RBAC resources are generated in the Helm chart, making the configuration more flexible for consumers of the chart.
See the linked issue for more context. For my use-case I can now install kor in our permission-limited cluster with the following config:
$ helm upgrade --install kor-test helm --set kor.enabled=true --set "kor.cronJob.args={pvc\,secret,--delete,--no-interactive,--include-namespaces=development,--skip-namespace-validation}"PR Checklist
GitHub Issue
Closes #561
Notes for reviewers
Sorry for the messy commits. Took a bit of trial and error to land on a solution I'm satisfied with. Probably best to squash these changes.