feat(http-addon): narrow permissions (#398)

http-add-on/templates/deployment-interceptor.yaml

@@ -41,7 +41,7 @@ spec:
     spec:
       imagePullSecrets: 
         {{- toYaml .Values.interceptor.imagePullSecrets | nindent 8 }}
-      serviceAccountName: {{ .Chart.Name }}
+      serviceAccountName: {{ .Chart.Name }}-interceptor
       containers:
       - args:
         image: "{{ .Values.images.interceptor }}:{{ .Values.images.tag | default .Chart.AppVersion }}"

http-add-on/templates/deployment-scaler.yaml

@@ -41,7 +41,7 @@ spec:
     spec:
       imagePullSecrets: 
         {{- toYaml .Values.scaler.imagePullSecrets | nindent 8 }}
-      serviceAccountName: {{ .Chart.Name }}
+      serviceAccountName: {{ .Chart.Name }}-external-scaler
       containers:
       - args:
         image: "{{ .Values.images.scaler }}:{{ .Values.images.tag | default .Chart.AppVersion }}"

http-add-on/templates/rbac-interceptor.yml

@@ -0,0 +1,84 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-interceptor
+    app.kubernetes.io/name: {{ .Chart.Name }}-interceptor
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-interceptor
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-interceptor
+    app.kubernetes.io/name: {{ .Chart.Name }}-interceptor
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-interceptor
+rules:
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-interceptor
+    app.kubernetes.io/name: {{ .Chart.Name }}-interceptor
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-interceptor
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Chart.Name }}-interceptor
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-interceptor
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-interceptor
+    app.kubernetes.io/name: {{ .Chart.Name }}-interceptor
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-interceptor
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Chart.Name }}-interceptor
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-interceptor
+  namespace: {{ .Release.Namespace }}

http-add-on/templates/rbac.yml → http-add-on/templates/rbac-operator.yml

@@ -16,47 +16,20 @@ rules:
   resources:
   - configmaps
   verbs:
-  - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  creationTimestamp: null
-  labels:
-    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
-    keda.sh/addon: {{ .Chart.Name }}
-    app: {{ .Chart.Name }}
-    name: {{ .Chart.Name }}-role
-    app.kubernetes.io/name: {{ .Chart.Name }}-role
-    {{- include "keda-addons-http.labels" . | indent 4 }}
-  name: {{ .Chart.Name }}-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - configmaps/status
-  - endpoint
-  - endpoints
-  - events
-  - pods
-  - services
-  verbs:
   - create
   - delete
   - get
   - list
+  - patch
+  - update
   - watch
 - apiGroups:
-  - apps
+  - ""
   resources:
-  - deployments
+  - events
   verbs:
   - create
-  - delete
-  - get
-  - list
-  - watch
+  - patch
 - apiGroups:
   - coordination.k8s.io
   resources:
@@ -66,7 +39,23 @@ rules:
   - delete
   - get
   - list
+  - patch
   - update
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-role
+    app.kubernetes.io/name: {{ .Chart.Name }}-role
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-role
+rules:
 - apiGroups:
   - http.keda.sh
   resources:
@@ -79,6 +68,12 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - http.keda.sh
+  resources:
+  - httpscaledobjects/finalizers
+  verbs:
+  - update
 - apiGroups:
   - http.keda.sh
   resources:
@@ -99,16 +94,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - networking
-  resources:
-  - ingresses
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole

http-add-on/templates/rbac-scaler.yml

@@ -0,0 +1,92 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-external-scaler
+    app.kubernetes.io/name: {{ .Chart.Name }}-external-scaler
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-external-scaler
+  namespace: {{ .Release.Namespace }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  creationTimestamp: null
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-external-scaler
+    app.kubernetes.io/name: {{ .Chart.Name }}-external-scaler
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-external-scaler
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-external-scaler
+    app.kubernetes.io/name: {{ .Chart.Name }}-external-scaler
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-external-scaler
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Chart.Name }}-external-scaler
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-external-scaler
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-external-scaler
+    app.kubernetes.io/name: {{ .Chart.Name }}-external-scaler
+    {{- include "keda-addons-http.labels" . | indent 4 }}
+  name: {{ .Chart.Name }}-external-scaler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Chart.Name }}-external-scaler
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-external-scaler
+  namespace: {{ .Release.Namespace }}

http-add-on/templates/serviceaccount-interceptor.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    control-plane: interceptor
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-interceptor
+    app.kubernetes.io/name: {{ .Chart.Name }}-interceptor
+    app.kubernetes.io/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    app.kubernetes.io/component: interceptor
+    app.kubernetes.io/part-of: {{ .Chart.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{ tpl .Values.additionalLabels . | indent 4}}
+  name: {{ .Chart.Name }}-interceptor
+  namespace: {{ .Release.Namespace }}

http-add-on/templates/serviceaccount-scaler.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    control-plane: external-scaler
+    httpscaledobjects.http.keda.sh/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    keda.sh/addon: {{ .Chart.Name }}
+    app: {{ .Chart.Name }}
+    name: {{ .Chart.Name }}-external-scaler
+    app.kubernetes.io/name: {{ .Chart.Name }}-external-scaler
+    app.kubernetes.io/version: {{ .Values.images.tag | default .Chart.AppVersion }}
+    app.kubernetes.io/component: external-scaler
+    app.kubernetes.io/part-of: {{ .Chart.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    {{ tpl .Values.additionalLabels . | indent 4}}
+  name: {{ .Chart.Name }}-external-scaler
+  namespace: {{ .Release.Namespace }}