allow deploying helm chart for one namespace with limited permissions (#389)

sami-alajrami · web-flow · commit f25a76f22468 · 2024-12-16T14:17:53.000+01:00
diff --git a/charts/k8s-reporter/Chart.yaml b/charts/k8s-reporter/Chart.yaml
@@ -15,10 +15,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.5.1
+version: 1.6.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2.10.13"
+appVersion: "2.11.3"
diff --git a/charts/k8s-reporter/README.md b/charts/k8s-reporter/README.md
@@ -4,7 +4,7 @@ title: Kubernetes Reporter Helm Chart
 
 # k8s-reporter
 
-![Version: 1.5.1](https://img.shields.io/badge/Version-1.5.1-informational?style=flat-square)
+![Version: 1.6.0](https://img.shields.io/badge/Version-1.6.0-informational?style=flat-square)
 
 A Helm chart for installing the Kosli K8S reporter as a cronjob.
 The chart allows you to create a Kubernetes cronjob and all its necessary RBAC to report running images to Kosli at a given cron schedule.
@@ -13,30 +13,66 @@ The chart allows you to create a Kubernetes cronjob and all its necessary RBAC t
 
 - A Kubernetes cluster (minimum supported version is `v1.21`)
 - Helm v3.0+
-- Create a secret for the Kosli API token which will be used for reporting. You can create a secret by running: `kubectl create secret generic <secret-name> --from-literal=<secret-key>=<your-api-key>`
+- If you want to report artifacts from just one namespace, you need to have permissions to `get` and `list` pods in that namespace.
+- If you want to report artifacts from multiple namespaces or entire cluster, you need to have cluster-wide permissions to `get` and `list` pods.
 
 ## Installing the chart
 
 To install this chart via the Helm chart repository:
 
-```shell
-helm repo add kosli https://charts.kosli.com/
-helm repo update
-helm install [RELEASE-NAME] kosli/k8s-reporter -f [VALUES-FILE-PATH]
+1. Add the Kosli helm repo
+```shell {.command}
+helm repo add kosli https://charts.kosli.com/ && helm repo update
+```
+
+2. Create a secret for the Kosli API token
+```shell {.command}
+kubectl create secret generic kosli-api-token --from-literal=key=<your-api-key>
+```
+
+3. Install the helm chart
+
+A. To report artifacts running in entire cluster (requires cluster-wide read permissions):
+
+```shell {.command}
+helm install kosli-reporter kosli/k8s-reporter \
+    --set reporterConfig.kosliOrg=<your-org> \
+    --set reporterConfig.kosliEnvironmentName=<your-env-name>
+```
+
+B. To report artifacts running in multiple namespaces (requires cluster-wide read permissions):
+
+```shell {.command}
+helm install kosli-reporter kosli/k8s-reporter \
+    --set reporterConfig.kosliOrg=<your-org> \
+    --set reporterConfig.kosliEnvironmentName=<your-env-name> \
+    --set reporterConfig.namespaces=<namespace1,namespace2>
+```
+
+C. To report artifacts running in one namespace (requires namespace-scoped read permissions):
+
+```shell {.command}
+helm install kosli-reporter kosli/k8s-reporter \
+    --set reporterConfig.kosliOrg=<your-org> \
+    --set reporterConfig.kosliEnvironmentName=<your-env-name> \
+    --set reporterConfig.namespaces=<namespace1> \
+    --set serviceAccount.permissionScope=namespace
 ```
 
 > Chart source can be found at https://github.com/kosli-dev/cli/tree/main/charts/k8s-reporter
 
+> See all available [configuration options](#configurations) below.
+
 ## Upgrading the chart
 
-```shell
-helm upgrade [RELEASE-NAME] kosli/k8s-reporter
+```shell {.command}
+helm upgrade kosli-reporter kosli/k8s-reporter ...
 ```
 
 ## Uninstalling chart
 
-```shell
-helm uninstall [RELEASE-NAME]
+```shell {.command}
+helm uninstall kosli-reporter
 ```
 
 ## Configurations
@@ -46,23 +82,24 @@ helm uninstall [RELEASE-NAME]
 | fullnameOverride | string | `""` | overrides the fullname used for the created k8s resources. It has higher precedence than `nameOverride` |
 | image.pullPolicy | string | `"IfNotPresent"` | the kosli reporter image pull policy |
 | image.repository | string | `"ghcr.io/kosli-dev/cli"` | the kosli reporter image repository |
-| image.tag | string | `"v2.10.13"` | the kosli reporter image tag, overrides the image tag whose default is the chart appVersion. |
+| image.tag | string | `"v2.11.3"` | the kosli reporter image tag, overrides the image tag whose default is the chart appVersion. |
 | kosliApiToken.secretKey | string | `"key"` | the name of the key in the secret data which contains the Kosli API token |
 | kosliApiToken.secretName | string | `"kosli-api-token"` | the name of the secret containing the kosli API token |
 | nameOverride | string | `""` | overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one |
-| podAnnotations | object | `{}` |  |
+| podAnnotations | object | `{}` | any custom annotations to be added to the cronjob |
 | reporterConfig.dryRun | bool | `false` | whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli. |
 | reporterConfig.httpProxy | string | `""` | the http proxy url |
 | reporterConfig.kosliEnvironmentName | string | `""` | the name of Kosli environment that the k8s cluster/namespace correlates to |
 | reporterConfig.kosliOrg | string | `""` | the name of the Kosli org |
-| reporterConfig.namespaces | string | `""` | the namespaces which represent the environment. It is a comma separated list of namespace name regex patterns. e.g. `^prod$,^dev-*` reports for the `prod` namespace and any namespace that starts with `dev-` leave this unset if you want to report what is running in the entire cluster |
+| reporterConfig.namespaces | string | `""` | the namespaces which represent the environment. It is a comma separated list of namespace names. leave this unset if you want to report what is running in the entire cluster |
 | resources.limits.cpu | string | `"100m"` | the cpu limit |
 | resources.limits.memory | string | `"256Mi"` | the memory limit |
 | resources.requests.memory | string | `"64Mi"` | the memory request |
 | serviceAccount.annotations | object | `{}` | annotations to add to the service account |
 | serviceAccount.create | bool | `true` | specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | the name of the service account to use. If not set and create is true, a name is generated using the fullname template |
+| serviceAccount.permissionScope | string | `"cluster"` | specifies whether to create a cluster-wide permissions for the service account or namespace-scoped permissions. allowed values are: [cluster, namespace] |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)
+Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0)
 
diff --git a/charts/k8s-reporter/_templates.gotmpl b/charts/k8s-reporter/_templates.gotmpl
@@ -7,36 +7,73 @@ The chart allows you to create a Kubernetes cronjob and all its necessary RBAC t
 
 - A Kubernetes cluster (minimum supported version is `v1.21`)
 - Helm v3.0+
-- Create a secret for the Kosli API token which will be used for reporting. You can create a secret by running: `kubectl create secret generic <secret-name> --from-literal=<secret-key>=<your-api-key>`
+- If you want to report artifacts from just one namespace, you need to have permissions to `get` and `list` pods in that namespace.
+- If you want to report artifacts from multiple namespaces or entire cluster, you need to have cluster-wide permissions to `get` and `list` pods.
 {{- end }}
 
 {{ define "extra.install" -}}
 ## Installing the chart
 
 To install this chart via the Helm chart repository:
 
-```shell 
-helm repo add kosli https://charts.kosli.com/
-helm repo update
-helm install [RELEASE-NAME] kosli/k8s-reporter -f [VALUES-FILE-PATH]
+1. Add the Kosli helm repo
+```shell {.command}
+helm repo add kosli https://charts.kosli.com/ && helm repo update
+```
+
+2. Create a secret for the Kosli API token
+```shell {.command}
+kubectl create secret generic kosli-api-token --from-literal=key=<your-api-key>
+```
+
+3. Install the helm chart
+
+A. To report artifacts running in entire cluster (requires cluster-wide read permissions):
+
+```shell {.command}
+helm install kosli-reporter kosli/k8s-reporter \
+    --set reporterConfig.kosliOrg=<your-org> \
+    --set reporterConfig.kosliEnvironmentName=<your-env-name>
+```
+
+B. To report artifacts running in multiple namespaces (requires cluster-wide read permissions):
+
+```shell {.command}
+helm install kosli-reporter kosli/k8s-reporter \
+    --set reporterConfig.kosliOrg=<your-org> \
+    --set reporterConfig.kosliEnvironmentName=<your-env-name> \
+    --set reporterConfig.namespaces=<namespace1,namespace2>
+```
+
+C. To report artifacts running in one namespace (requires namespace-scoped read permissions):
+
+```shell {.command}
+helm install kosli-reporter kosli/k8s-reporter \
+    --set reporterConfig.kosliOrg=<your-org> \
+    --set reporterConfig.kosliEnvironmentName=<your-env-name> \
+    --set reporterConfig.namespaces=<namespace1> \
+    --set serviceAccount.permissionScope=namespace
 ```
 
 > Chart source can be found at https://github.com/kosli-dev/cli/tree/main/charts/k8s-reporter
+
+> See all available [configuration options](#configurations) below.
+
 {{- end }}
 
 {{ define "extra.upgrade" -}}
 ## Upgrading the chart
 
-```shell
-helm upgrade [RELEASE-NAME] kosli/k8s-reporter 
+```shell {.command}
+helm upgrade kosli-reporter kosli/k8s-reporter ...
 ```
 {{- end }}
 
 {{ define "extra.uninstall" -}}
 ## Uninstalling chart
 
-```shell
-helm uninstall [RELEASE-NAME]
+```shell {.command}
+helm uninstall kosli-reporter
 ```
 {{- end }}
 
diff --git a/charts/k8s-reporter/templates/clusterrole.yaml b/charts/k8s-reporter/templates/clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.serviceAccount.create  (eq .Values.serviceAccount.permissionScope "cluster") -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -11,4 +12,5 @@ rules:
   verbs: ["get", "list"]
 - apiGroups: [""]
   resources: ["pods"]
-  verbs: ["get", "list"]
+  verbs: ["get", "list"]
+{{- end }}
diff --git a/charts/k8s-reporter/templates/clusterrolebinding.yaml b/charts/k8s-reporter/templates/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if and .Values.serviceAccount.create  (eq .Values.serviceAccount.permissionScope "cluster") -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -12,4 +13,5 @@ subjects:
 roleRef:
   kind: ClusterRole
   name: {{ include "reporter.fullname" . }}
-  apiGroup: rbac.authorization.k8s.io
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/k8s-reporter/templates/role.yaml b/charts/k8s-reporter/templates/role.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.serviceAccount.create  (eq .Values.serviceAccount.permissionScope "namespace") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "reporter.fullname" . }}
+  labels:
+    {{- include "reporter.labels" . | nindent 4 }}
+
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get", "list"]
+{{- end }}
diff --git a/charts/k8s-reporter/templates/rolebinding.yaml b/charts/k8s-reporter/templates/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.serviceAccount.create  (eq .Values.serviceAccount.permissionScope "namespace") -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "reporter.fullname" . }}
+  labels:
+    {{- include "reporter.labels" . | nindent 4 }}
+
+subjects:
+- kind: ServiceAccount
+  name: {{ include "reporter.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "reporter.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
diff --git a/charts/k8s-reporter/values.yaml b/charts/k8s-reporter/values.yaml
@@ -8,7 +8,7 @@ image:
   # -- the kosli reporter image pull policy
   pullPolicy: IfNotPresent
   # -- the kosli reporter image tag, overrides the image tag whose default is the chart appVersion.
-  tag: "v2.10.13"
+  tag: "v2.11.3"
 
 # -- overrides the name used for the created k8s resources. If `fullnameOverride` is provided, it has higher precedence than this one
 nameOverride: ""
@@ -18,6 +18,8 @@ fullnameOverride: ""
 serviceAccount:
   # -- specifies whether a service account should be created
   create: true
+  # -- specifies whether to create a cluster-wide permissions for the service account or namespace-scoped permissions. allowed values are: [cluster, namespace]
+  permissionScope: cluster
   # -- annotations to add to the service account
   annotations: {}
   # -- the name of the service account to use.
@@ -39,8 +41,7 @@ reporterConfig:
   # -- the name of Kosli environment that the k8s cluster/namespace correlates to
   kosliEnvironmentName: ""
   # -- the namespaces which represent the environment.
-  # It is a comma separated list of namespace name regex patterns.
-  # e.g. `^prod$,^dev-*` reports for the `prod` namespace and any namespace that starts with `dev-`
+  # It is a comma separated list of namespace names.
   # leave this unset if you want to report what is running in the entire cluster
   namespaces: ""
   # -- whether the dry run mode is enabled or not. In dry run mode, the reporter logs the reports to stdout and does not send them to kosli.
