rbac: Add back some necessary rights

Signed-off-by: Jirka Kremser <[email protected]>
kedacore · Apr 9, 2024 · c718b76 · c718b76
1 parent 3a08e33
commit c718b76
Show file tree

Hide file tree

Showing 7 changed files with 134 additions and 109 deletions.
diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml
@@ -36,10 +36,15 @@ rules:
   resources:    
   - secrets
   verbs:
-  - get
   - list
   - watch
   {{- with .Values.permissions.operator.restrict.namesAllowList }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
   resourceNames: {{ toYaml . | nindent 4 }}
   {{- end }}
 {{- end }}
@@ -72,28 +77,6 @@ rules:
   {{- end }}   
 {{- end }}
 {{- end }}
-{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - validatingwebhookconfigurations
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-- apiGroups:
-  - apiregistration.k8s.io
-  resources:
-  - apiservices
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-{{- end }}
 - apiGroups:
   - apps
   resources:

diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml
@@ -85,6 +85,9 @@ spec:
           - "--zap-log-level={{ .Values.logging.operator.level }}"
           - "--zap-encoder={{ .Values.logging.operator.format }}"
           - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}"
+          {{- if .Values.logging.operator.stackTracesEnabled }}
+          - "--zap-stacktrace-level=error"
+          {{- end }}
           - "--cert-dir={{ .Values.certificates.mountPath }}"
           - "--enable-cert-rotation={{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}"          
           - "--cert-secret-name={{ .Values.certificates.secretName }}"

diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml
@@ -0,0 +1,119 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.operator.name }}-certs
+    {{- include "keda.labels" . | indent 4 }}
+  name: {{ .Values.operator.name }}-certs
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - '*'
+{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - 'get'
+  resourceNames:
+  - {{ .Values.certificates.secretName | quote }}
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - 'create'
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.operator.name }}-certs
+    {{- include "keda.labels" . | indent 4 }}
+  name: {{ .Values.operator.name }}-certs
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Values.operator.name }}-certs
+subjects:
+- kind: ServiceAccount
+  name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.operator.name }}-minimal-cluster-role
+    {{- include "keda.labels" . | indent 4 }}
+  name: {{ .Values.operator.name }}-minimal-cluster-role
+rules:
+- apiGroups:
+  - keda.sh
+  resources:
+  - clustertriggerauthentications
+  verbs:
+  - '*'
+{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - validatingwebhookconfigurations
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - apiregistration.k8s.io
+  resources:
+  - apiservices
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  {{- with .Values.additionalAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app.kubernetes.io/name: {{ .Values.operator.name }}-minimal
+    {{- include "keda.labels" . | indent 4 }}
+  name: {{ .Values.operator.name }}-minimal
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.operator.name }}-minimal-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }}
+  namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml
diff --git a/keda/templates/webhooks/clusterrole.yaml b/keda/templates/webhooks/clusterrole.yaml
@@ -17,19 +17,23 @@ rules:
   - horizontalpodautoscalers
   verbs:
   - list
+  - watch
 - apiGroups:
   - keda.sh
   resources:
   - scaledobjects
   verbs:
   - list
+  - watch
 - apiGroups:
   - apps
   resources:
   - deployments
   - statefulsets
   verbs:
   - get
+  - list
+  - watch
 - apiGroups:
   - ""
   resources:

diff --git a/keda/templates/webhooks/clusterrolebindings.yaml b/keda/templates/webhooks/clusterrolebindings.yaml
@@ -1,5 +1,4 @@
 {{- if .Values.rbac.create }}
-{{- if not .Values.watchNamespace }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -19,31 +18,4 @@ subjects:
 - kind: ServiceAccount
   name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }}
   namespace: {{ .Release.Namespace }}
-{{- else }}
-  {{- range ( split "," .Values.watchNamespace ) }}
----
-# Role binding for namespace '{{ . }}'
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  {{- with $.Values.additionalAnnotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    app.kubernetes.io/name: {{ $.Values.operator.name }}
-    {{- include "keda.labels" $ | indent 4 }}
-  name: {{ $.Values.operator.name }}
-  namespace: {{ . | trim }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ $.Values.operator.name }}-webhook
-subjects:
-- kind: ServiceAccount
-  name: {{ ($.Values.serviceAccount.webhooks).name | default $.Values.serviceAccount.name }}
-  namespace: {{ $.Release.Namespace }}
----
-  {{- end }}
-{{- end }}
 {{- end }}
diff --git a/keda/values.yaml b/keda/values.yaml
@@ -382,6 +382,8 @@ logging:
     # -- Logging time encoding for KEDA Operator.
     # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano`
     timeEncoding: rfc3339
+    # -- If enabled, the stack traces will be also printed
+    stackTracesEnabled: false
   metricServer:
     # -- Logging level for Metrics Server.
     # allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string