feat: ✨ rework namespaced RBAC with disableClusterScopeResources

traefik · Aug 13, 2024 · 5b54cf7 · 5b54cf7
1 parent 93d1717
commit 5b54cf7
Show file tree

Hide file tree

Showing 11 changed files with 135 additions and 664 deletions.
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 IMAGE_CHART_TESTING=quay.io/helmpack/chart-testing:v3.11.0
 IMAGE_HELM_CHANGELOG=ghcr.io/traefik/helm-changelog:v0.3.0
 IMAGE_HELM_DOCS=jnorwood/helm-docs:v1.14.2
-IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.15.3-0.5.1
+IMAGE_HELM_UNITTEST=docker.io/helmunittest/helm-unittest:3.15.3-0.5.2
 
 traefik/tests/__snapshot__:
 	@mkdir traefik/tests/__snapshot__

diff --git a/traefik/templates/_podtemplate.tpl b/traefik/templates/_podtemplate.tpl
@@ -1,4 +1,5 @@
 {{- define "traefik.podTemplate" }}
+  {{- $version := include "imageVersion" $ }}
     metadata:
       annotations:
       {{- if .Values.deployment.podAnnotations }}
@@ -463,6 +464,9 @@
            {{- end }}
            {{- if .Values.providers.kubernetesCRD.allowEmptyServices }}
           - "--providers.kubernetescrd.allowEmptyServices=true"
+           {{- end }}
+           {{- if and .Values.rbac.namespaced (semverCompare ">=3.1.2-0" $version) }}
+          - "--providers.kubernetescrd.disableClusterScopeResources=true"
            {{- end }}
            {{- if .Values.providers.kubernetesCRD.nativeLBByDefault }}
           - "--providers.kubernetescrd.nativeLBByDefault=true"
@@ -485,8 +489,12 @@
            {{- if .Values.providers.kubernetesIngress.ingressClass }}
           - "--providers.kubernetesingress.ingressClass={{ .Values.providers.kubernetesIngress.ingressClass }}"
            {{- end }}
-           {{- if .Values.providers.kubernetesIngress.disableIngressClassLookup }}
+           {{- if .Values.rbac.namespaced }}
+            {{- if semverCompare "<3.1.2-0" $version }}
           - "--providers.kubernetesingress.disableIngressClassLookup=true"
+            {{- else }}
+          - "--providers.kubernetesingress.disableClusterScopeResources=true"
+            {{- end }}
            {{- end }}
            {{- if .Values.providers.kubernetesIngress.nativeLBByDefault }}
           - "--providers.kubernetesingress.nativeLBByDefault=true"

diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -1,11 +1,5 @@
 {{- $version := include "imageVersion" $ }}
-{{- if .Values.rbac.enabled }}
-{{- if or
-       (semverCompare ">=v3.1.0-0" $version)
-       (.Values.providers.kubernetesGateway.enabled)
-       (not .Values.rbac.namespaced)
-       (and .Values.rbac.namespaced .Values.providers.kubernetesIngress.enabled (not .Values.providers.kubernetesIngress.disableIngressClassLookup))
-}}
+{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -27,42 +21,6 @@ rules:
       - list
       - watch
   {{- end }}
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingressclasses
-  {{- if not .Values.rbac.namespaced }}
-      - ingresses
-  {{- end }}
-    verbs:
-      - get
-      - list
-      - watch
-  {{- if (.Values.providers.kubernetesGateway).enabled }}
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gatewayclasses
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gatewayclasses/status
-    verbs:
-      - update
-  {{- end }}
- {{- if not .Values.rbac.namespaced }}
   {{- if (semverCompare "<v3.1.0-0" $version) }}
   - apiGroups:
       - ""
@@ -117,7 +75,27 @@ rules:
       - delete
       - deletecollection
     {{- end }}
+  {{- if .Values.podSecurityPolicy.enabled }}
+  - apiGroups:
+      - policy
+    resourceNames:
+      - {{ template "traefik.fullname" . }}
+    resources:
+      - podsecuritypolicies
+    verbs:
+      - use
+  {{- end -}}
   {{- if .Values.providers.kubernetesIngress.enabled }}
+  - apiGroups:
+      - extensions
+      - networking.k8s.io
+    resources:
+      - ingressclasses
+      - ingresses
+    verbs:
+      - get
+      - list
+      - watch
   - apiGroups:
       - extensions
       - networking.k8s.io
@@ -145,25 +123,16 @@ rules:
       - list
       - watch
   {{- end -}}
-  {{- if .Values.podSecurityPolicy.enabled }}
-  - apiGroups:
-      - policy
-    resourceNames:
-      - {{ template "traefik.fullname" . }}
-    resources:
-      - podsecuritypolicies
-    verbs:
-      - use
-  {{- end -}}
-  {{- if .Values.providers.kubernetesGateway.enabled }}
+  {{- if (.Values.providers.kubernetesGateway).enabled }}
   - apiGroups:
       - ""
     resources:
-      - services
+      - namespaces
     {{- if (semverCompare "<v3.1.0-0" $version) }}
       - endpoints
     {{- end }}
       - secrets
+      - services
     verbs:
       - get
       - list
@@ -180,6 +149,7 @@ rules:
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
+      - gatewayclasses
       - gateways
       - httproutes
       - referencegrants
@@ -192,6 +162,7 @@ rules:
   - apiGroups:
       - gateway.networking.k8s.io
     resources:
+      - gatewayclasses/status
       - gateways/status
       - httproutes/status
       - tcproutes/status
@@ -213,18 +184,16 @@ rules:
       - patch
       - delete
   {{- end }}
-{{- /* not .Values.rbac.namespace */}}
-{{- end }}
-{{- if .Values.hub.token }}
-   {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }}
+  {{- if .Values.hub.token }}
+    {{- if or (semverCompare ">=v3.1.0-0" $version) .Values.hub.apimanagement.enabled }}
   - apiGroups:
       - ""
     resources:
       - endpoints
     verbs:
       - list
       - watch
-   {{- end }}
+    {{- end }}
   - apiGroups:
       - ""
     resources:
@@ -238,7 +207,7 @@ rules:
     {{- if .Values.hub.apimanagement.enabled }}
       - watch
     {{- end }}
-  {{- if .Values.hub.apimanagement.enabled }}
+    {{- if .Values.hub.apimanagement.enabled }}
   - apiGroups:
       - hub.traefik.io
     resources:
@@ -271,16 +240,15 @@ rules:
       - get
       - list
       - watch
-    {{- if (semverCompare "<v3.1.0-0" $version) }}
+      {{- if (semverCompare "<v3.1.0-0" $version) }}
   - apiGroups:
       - ""
     resources:
       - nodes
     verbs:
       - list
       - watch
+      {{- end -}}
     {{- end -}}
-  {{- end -}}
-{{- end }}
-{{- end }}
+  {{- end }}
 {{- end }}
diff --git a/traefik/templates/rbac/clusterrolebinding.yaml b/traefik/templates/rbac/clusterrolebinding.yaml
@@ -1,10 +1,4 @@
-{{- $version := include "imageVersion" $ }}
-{{- if .Values.rbac.enabled }}
-{{- if or
-       (semverCompare ">=v3.1.0-0" $version)
-       (not .Values.rbac.namespaced)
-       (and .Values.rbac.namespaced .Values.providers.kubernetesIngress.enabled (not .Values.providers.kubernetesIngress.disableIngressClassLookup))
-}}
+{{- if and .Values.rbac.enabled (not .Values.rbac.namespaced) }}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -21,4 +15,3 @@ subjects:
     name: {{ include "traefik.serviceAccountName" . }}
     namespace: {{ template "traefik.namespace" . }}
 {{- end -}}
-{{- end -}}
diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
@@ -1,8 +1,7 @@
 {{- $version := include "imageVersion" $ }}
 {{- $ingressNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesIngress.namespaces -}}
 {{- $CRDNamespaces := concat (include "traefik.namespace" . | list) .Values.providers.kubernetesCRD.namespaces -}}
-{{- $gatewayNamespaces := concat (include "traefik.namespace" . | list) ((.Values.providers.kubernetesGateway).namespaces) -}}
-{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces $gatewayNamespaces)) -}}
+{{- $allNamespaces := sortAlpha (uniq (concat $ingressNamespaces $CRDNamespaces)) -}}
 
 {{- if and .Values.rbac.enabled .Values.rbac.namespaced -}}
 {{- range $allNamespaces }}
@@ -107,30 +106,6 @@ rules:
     verbs:
       - use
 {{- end -}}
-{{- if (and (has . $gatewayNamespaces) ($.Values.providers.kubernetesGateway).enabled) }}
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gateways
-      - httproutes
-      - referencegrants
-      - tcproutes
-      - tlsroutes
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - gateway.networking.k8s.io
-    resources:
-      - gatewayclasses/status
-      - gateways/status
-      - httproutes/status
-      - tcproutes/status
-      - tlsroutes/status
-    verbs:
-      - update
-{{- end -}}
 {{- if $.Values.hub.token }}
   - apiGroups:
       - ""

diff --git a/traefik/templates/requirements.yaml b/traefik/templates/requirements.yaml
@@ -18,3 +18,12 @@
     {{- fail "ERROR: Currently Traefik Hub doesn't support namespaced RBACs" -}}
   {{- end }}
 {{- end }}
+
+{{- if .Values.rbac.namespaced }}
+  {{- if .Values.providers.kubernetesGateway.enabled }}
+    {{- fail "ERROR: Kubernetes Gateway provider requires ClusterRole. RBAC cannot be namespaced." }}
+  {{- end }}
+  {{- if and (not .Values.providers.kubernetesIngress.enabled) (not .Values.providers.kubernetesCRD.enabled) }}
+    {{- fail "ERROR: namespaced rbac requires Kubernetes CRD or Kubernetes Ingress provider." }}
+  {{- end }}
+{{- end }}
diff --git a/traefik/tests/common-metadata_test.yaml b/traefik/tests/common-metadata_test.yaml
@@ -1,4 +1,4 @@
-suite: Resources contains metadata
+suite: resources contains metadata
 templates:
   - ingressroute.yaml
   - deployment.yaml
@@ -16,31 +16,28 @@ templates:
   - rbac/clusterrole.yaml
   - rbac/clusterrolebinding.yaml
   - rbac/podsecuritypolicy.yaml
-  - rbac/role.yaml
-  - rbac/rolebinding.yaml
   - rbac/serviceaccount.yaml
 
 tests:
-  - it: "should contains labels metadata"
+  - it: "should contains labels metadata with cluster rbac"
     set:
-      providers.kubernetesGateway.enabled: true
-      ingressRoute.dashboard.enabled: true
-      ingressRoute.healthcheck.enabled: true
       autoscaling.enabled: true
       autoscaling.maxReplicas: 10
+      ingressRoute.dashboard.enabled: true
+      ingressRoute.healthcheck.enabled: true
+      persistence.enabled: true
       podDisruptionBudget.enabled: true
+      podSecurityPolicy.enabled: true
+      providers.kubernetesGateway.enabled: true
       metrics.prometheus.prometheusRule.enabled: true
       metrics.prometheus.prometheusRule.namespace: test
       metrics.prometheus.serviceMonitor.enabled: true
       metrics.prometheus.serviceMonitor.namespace: test
       metrics.prometheus.service.enabled: true
+      rbac.enabled: true
       service.internal.a: {}
-      persistence.enabled: true
-      tlsStore.a: {}
       tlsOptions.a: {}
-      podSecurityPolicy.enabled: true
-      rbac.enabled: true
-      rbac.namespaced: true
+      tlsStore.a: {}
       commonLabels:
         globalLabel: isConfigured
     capabilities: