fix(Gateway API): provide expected roles when using namespaced RBAC
mloiseleur committed Jul 24, 2024
1 parent a494617 commit abc6310
Showing 3 changed files with 42 additions and 25 deletions.
1 change: 1 addition & 0 deletions traefik/templates/rbac/clusterrole.yaml
@@ -2,6 +2,7 @@
{{- if .Values.rbac.enabled }}
{{- if or
(semverCompare ">=v3.1.0-0" $version)
(.Values.providers.kubernetesGateway.enabled)
(not .Values.rbac.namespaced)
(and .Values.rbac.namespaced .Values.providers.kubernetesIngress.enabled (not .Values.providers.kubernetesIngress.disableIngressClassLookup))
}}
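Review bot: With `.Values.providers.kubernetesGateway.enabled` in this `or`, `rbac.namespaced: true` no longer guarantees a namespace-only install: on an image older than v3.1.0 with the Gateway provider enabled, a ClusterRole is now rendered. The rules block lies outside this hunk, so it is worth confirming that in the namespaced case it grants only what has to be cluster-scoped (presumably read access to `gatewayclasses`) and that any cluster-wide `secrets` or `services` rules stay behind `not .Values.rbac.namespaced`. A template comment above the condition would make the exception visible to anyone auditing the chart, for example `{{- /* GatewayClass is cluster-scoped: a ClusterRole is rendered for the Gateway provider even when rbac.namespaced is true */ -}}`.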
22 changes: 0 additions & 22 deletions traefik/templates/rbac/role.yaml
@@ -108,31 +108,9 @@ rules:
- use
{{- end -}}
{{- if (and (has . $gatewayNamespaces) ($.Values.providers.kubernetesGateway).enabled) }}
- apiGroups:
- ""
resources:
- services
{{- if (semverCompare "<v3.1.0-0" $version) }}
- endpoints
{{- end }}
- secrets
verbs:
- get
- list
- watch
{{- if (semverCompare ">=v3.1.0-0" $version) }}
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
{{- end }}
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- httproutes
- referencegrants
44 changes: 41 additions & 3 deletions traefik/tests/rbac-config_test.yaml
@@ -1005,7 +1005,6 @@ tests:
apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- httproutes
- referencegrants
@@ -1022,13 +1021,25 @@ tests:
apiGroups:
- ""
resources:
- services
- endpoints
- services
verbs:
- get
- list
- watch
- template: rbac/role.yaml
contains:
path: rules
content:
apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch

- it: should provide expected role rbac when k8s gw api is enabled with rbac namespaced >=v3.1.0
set:
image:
@@ -1093,7 +1104,6 @@ tests:
apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- httproutes
- referencegrants
@@ -1111,6 +1121,17 @@ tests:
- ""
resources:
- services
verbs:
- get
- list
- watch
- template: rbac/role.yaml
contains:
path: rules
content:
apiGroups:
- ""
resources:
- secrets
verbs:
- get
@@ -1352,6 +1373,23 @@ tests:
- template: rbac/clusterrole.yaml
hasDocuments:
count: 0
- it: should provide cluster-wide RBACS for version < v3.1 when rbac are namespaced and gateway is enabled
set:
image:
tag: v3.0.1
rbac:
enabled: true
namespaced: true
providers:
kubernetesIngress:
disableIngressClassLookup: true
kubernetesGateway:
enabled: true
asserts:
- template: rbac/clusterrole.yaml
hasDocuments:
count: 1

- it: should provide nodes RBACS for version >= v3.1 even if rbac are namespaced
set:
image:
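Review bot: The new case "should provide cluster-wide RBACS for version < v3.1 when rbac are namespaced and gateway is enabled" asserts only `hasDocuments: count: 1` for `rbac/clusterrole.yaml`, so it would still pass if that ClusterRole carried cluster-wide read access to `secrets`. The Role expectations earlier in this file appear to drop `gatewayclasses`, so a `contains` assertion on the ClusterRole's `rules` for the `gateway.networking.k8s.io` / `gatewayclasses` rule would pin where that permission now lives. A negative check that no ClusterRole rule lists `secrets` in the namespaced case would guard the least-privilege intent of `rbac.namespaced`. The neighbouring test cases are collapsed on this page, so an equivalent assertion may already exist outside the visible hunks.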
