feat(controller): add flag for rbac reflector (#847)

Signed-off-by: Oliver Bähler <[email protected]>

Author: oliverbaehler

charts/capsule-proxy/README.md

@@ -178,7 +178,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | options.certificateVolumeName | string | `""` | Specify an override for the Secret containing the certificate for SSL. Default value is empty and referring to the generated certificate. |
 | options.clientConnectionBurst | int | `30` | Burst to use for interacting with kubernetes API Server. |
 | options.clientConnectionQPS | int | `20` | QPS to use for interacting with Kubernetes API Server. |
-| options.disableCaching | bool | `false` | Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector |
+| options.disableCaching | bool | `false` | Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector. |
 | options.enableSSL | bool | `true` | Specify if capsule-proxy will use SSL |
 | options.extraArgs | list | `[]` | A list of extra arguments to add to the capsule-proxy. |
 | options.generateCertificates | bool | `true` | Specify if capsule-proxy will generate self-signed SSL certificates |
@@ -188,6 +188,7 @@ If you only need to make minor customizations, you can specify them on the comma
 | options.logLevel | int | `4` | Set the log verbosity of the capsule-proxy with a value from 1 to 10 |
 | options.oidcUsernameClaim | string | `"preferred_username"` | Specify if capsule-proxy will use SSL |
 | options.pprof | bool | `false` | Enable Pprof for profiling |
+| options.roleBindingReflector | bool | `false` | Enable the rolebinding reflector, which allows to list the namespaces, where a rolebinding mentions a user. |
 | options.rolebindingsResyncPeriod | string | `"10h"` | Set the role bindings reflector resync period, a local cache to store mappings between users and their namespaces. [Use a lower value in case of flaky etcd server connections.](https://github.com/projectcapsule/capsule-proxy/issues/174) |
 | options.webhookPort | int | `9443` | Webhook port |
 

charts/capsule-proxy/values.schema.json

@@ -547,7 +547,7 @@
                     "type": "integer"
                 },
                 "disableCaching": {
-                    "description": "Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector",
+                    "description": "Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector.",
                     "type": "boolean"
                 },
                 "enableSSL": {
@@ -586,6 +586,10 @@
                     "description": "Enable Pprof for profiling",
                     "type": "boolean"
                 },
+                "roleBindingReflector": {
+                    "description": "Enable the rolebinding reflector, which allows to list the namespaces, where a rolebinding mentions a user.",
+                    "type": "boolean"
+                },
                 "rolebindingsResyncPeriod": {
                     "description": "Set the role bindings reflector resync period, a local cache to store mappings between users and their namespaces. [Use a lower value in case of flaky etcd server connections.](https://github.com/projectcapsule/capsule-proxy/issues/174)",
                     "type": "string"

charts/capsule-proxy/values.yaml

@@ -272,8 +272,10 @@ options:
   certificateVolumeName: ""
   # -- Set the role bindings reflector resync period, a local cache to store mappings between users and their namespaces. [Use a lower value in case of flaky etcd server connections.](https://github.com/projectcapsule/capsule-proxy/issues/174)
   rolebindingsResyncPeriod: 10h
-  # -- Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector
+  # -- Disable the go-client caching to hit directly the Kubernetes API Server, it disables any local caching as the rolebinding reflector.
   disableCaching: false
+  # -- Enable the rolebinding reflector, which allows to list the namespaces, where a rolebinding mentions a user.
+  roleBindingReflector: false
   # -- Authentication types to be used for requests. Possible Auth Types: [BearerToken, TLSCertificate]
   authPreferredTypes: "BearerToken,TLSCertificate"
   # -- QPS to use for interacting with Kubernetes API Server.

main.go

@@ -64,7 +64,7 @@ func main() {
 		namespace, certPath, keyPath, usernameClaimField, capsuleConfigurationName, impersonationGroupsRegexp, metricsAddr string
 		capsuleUserGroups, ignoredUserGroups, ignoreImpersonationGroups                                                    []string
 		listeningPort                                                                                                      uint
-		bindSsl, disableCaching, enablePprof, enableLeaderElection                                                         bool
+		bindSsl, disableCaching, enablePprof, enableLeaderElection, roleBindingReflector                                   bool
 		rolebindingsResyncPeriod                                                                                           time.Duration
 		clientConnectionQPS                                                                                                float32
 		clientConnectionBurst                                                                                              int32
@@ -119,6 +119,7 @@ func main() {
 	flag.StringVar(&impersonationGroupsRegexp, "impersonation-group-regexp", "", "Regular expression to match the groups which are considered for impersonation")
 	flag.UintVar(&listeningPort, "listening-port", 9001, "HTTP port the proxy listens to (default: 9001)")
 	flag.StringVar(&usernameClaimField, "oidc-username-claim", "preferred_username", "The OIDC field name used to identify the user (default: preferred_username)")
+	flag.BoolVar(&roleBindingReflector, "enable-reflector", false, "Enable rolebinding reflector. The reflector allows to list the namespaces, where a rolebinding mentions a user")
 	flag.BoolVar(&enablePprof, "enable-pprof", false, "Enables Pprof endpoint for profiling (not recommend in production)")
 	flag.BoolVar(&bindSsl, "enable-ssl", true, "Enable the bind on HTTPS for secure communication (default: true)")
 	flag.StringVar(&certPath, "ssl-cert-path", "", "Path to the TLS certificate (default: /opt/capsule-proxy/tls.crt)")
@@ -237,7 +238,7 @@ First match is used and can be specified multiple times as comma separated value
 
 	var rbReflector *controllers.RoleBindingReflector
 
-	if !disableCaching {
+	if !disableCaching && roleBindingReflector {
 		log.Info("Creating the Rolebindings reflector")
 
 		if rbReflector, err = controllers.NewRoleBindingReflector(config, rolebindingsResyncPeriod); err != nil {
@@ -252,7 +253,7 @@ First match is used and can be specified multiple times as comma separated value
 			os.Exit(1)
 		}
 	} else {
-		log.Info("Cache is disabled, cannot create Rolebindings reflector")
+		log.Info("Rolebinding reflector disabled")
 	}
 
 	ctx := ctrl.SetupSignalHandler()