Merge pull request #11 from PaloAltoNetworks/golan/v1.0.14

Feat: Add backward compatibility

Author: yishaynaPalo

charts/konnector/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.13
+version: 1.0.14
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team

charts/konnector/templates/_helpers.tpl

@@ -60,3 +60,16 @@ spec:
               readOnly: true
       restartPolicy: Never
 {{- end -}}
+
+{{- define "common.apiGroupsWithoutVersions" }}
+{{- $groups := dict }}
+{{- range .Capabilities.APIVersions }}
+  {{- $parts := splitList "/" . }}
+  {{- $key := "" }}
+  {{- if gt (len $parts) 1 }}
+    {{- $key = index $parts 0 }}
+  {{- end }}
+  {{- $_ := set $groups $key true }}
+{{- end }}
+{{ $groups | toYaml }}
+{{- end }}

charts/konnector/templates/rbac.yaml

@@ -1,5 +1,6 @@
 {{- $namespace := .Values.namespace.name }}
 {{- $sa := .Values.system.serviceAccount.name }}
+{{- $availableApis := include "common.apiGroupsWithoutVersions" $ | fromYaml}}
 
 {{- range $roleName, $roleInfo := .Values.system.roles }}
 ---
@@ -36,6 +37,17 @@ roleRef:
 
 {{- range $roleName, $roleInfo := .Values.system.clusterRoles }}
 ---
+{{- $allGroupsAvailable := true }}
+{{- if not $roleInfo.skipValidation }}
+  {{- range $rule := $roleInfo.rules }}
+    {{- range $group := $rule.apiGroups }}
+      {{- if not (hasKey $availableApis $group) }}
+        {{- $allGroupsAvailable = false }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- if $allGroupsAvailable }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -64,13 +76,15 @@ roleRef:
   name: {{ $roleName }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
+{{- end }}
 
 {{- range $bindingName, $bindingInfo := .Values.system.extraClusterRoleBindings }}
 ---
+{{- if (has $bindingInfo.roleRef.apiGroup $.Capabilities.APIVersions) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $bindingName }}
+  name: {{ $bindingName }}-binding
   labels:
     {{- include "common.labels" $ | nindent 4 }}
 subjects:
@@ -82,3 +96,4 @@ roleRef:
   name: {{ $bindingInfo.roleRef.name }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
+{{- end }}

charts/konnector/values.yaml

@@ -86,7 +86,7 @@ system:
   # Cluster Role Resources
   # ==========================
   clusterRoles:
-    connector-manager-creator:
+    konnector-manager-creator:
       rules:
         - apiGroups: [""]
           resources: ["configmaps", "services", "serviceaccounts"]
@@ -100,15 +100,18 @@ system:
         - apiGroups: ["rbac.authorization.k8s.io"]
           resources: ["clusterroles", "roles", "rolebindings", "clusterrolebindings"]
           verbs: ["create", "patch", "delete"]
-    cluster-manager:
+    konnector-cluster-manager:
       rules:
-        - apiGroups: ["", "coordination.k8s.io"]
-          resources: ["leases", "namespaces", "secrets", "configmaps"]
+        - apiGroups: [""]
+          resources: ["namespaces", "secrets", "configmaps"]
+          verbs: ["get", "update", "patch", "list", "watch"]
+        - apiGroups: ["coordination.k8s.io"]
+          resources: ["leases"]
           verbs: ["get", "update", "patch", "list", "watch"]
         - apiGroups: ["admissionregistration.k8s.io"]
           resources: ["validatingwebhookconfigurations"]
           verbs: ["update", "list", "watch", "get", "create", "patch", "delete"]
-    read-inventory:
+    konnector-read-inventory:
       rules:
         - apiGroups: [""]
           resources: ["namespaces", "pods", "serviceaccounts", "endpoints", "services", "configmaps", "secrets", "nodes", "nodes/proxy"]
@@ -125,24 +128,26 @@ system:
         - apiGroups: ["networking.k8s.io"]
           resources: ["networkpolicies", "ingresses"]
           verbs: ["get", "list", "watch"]
-    crd-manager:
+    konnector-crd-manager:
       rules:
         - apiGroups: ["apiextensions.k8s.io"]
           resources: ["customresourcedefinitions"]
           verbs: ["create", "get", "patch", "delete"]
-    node-vm-discovery:
+    konnector-node-vm-discovery:
       rules:
         - apiGroups: [""]
           resources: ["nodes"]
           verbs: ["get", "list", "patch"]
-    openshift-permissions:
+    konnector-aro-openshift-permissions:
       rules:
-        - apiGroups: ["config.openshift.io"]
-          resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
-          verbs: ["get", "list", "watch"]
         - apiGroups: ["aro.openshift.io"]
           resources: ["clusters"]
           verbs: ["get", "list", "watch"]
+    konnector-general-openshift-permissions:
+      rules:
+        - apiGroups: ["config.openshift.io"]
+          resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
+          verbs: ["get", "list", "watch"]
         - apiGroups: ["operator.openshift.io"]
           resources: ["kubeapiservers", "openshiftapiservers", "ingresscontrollers", "networks"]
           verbs: ["get", "list", "watch"]
@@ -155,7 +160,7 @@ system:
         - apiGroups: ["security.openshift.io"]
           resources: ["securitycontextconstraints"]
           verbs: ["get", "list", "watch"]
-    otel:
+    konnector-otel:
       rules:
         - apiGroups: [""]
           resources: ["nodes/stats"]
@@ -166,20 +171,31 @@ system:
         - apiGroups: ["apps"]
           resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
           verbs: ["get", "list", "watch"]
-        - apiGroups: ["extensions"]
-          resources: ["daemonsets", "deployments", "replicasets"]
-          verbs: ["get", "list", "watch"]
         - apiGroups: ["batch"]
           resources: ["jobs", "cronjobs"]
           verbs: ["get", "list", "watch"]
         - apiGroups: ["autoscaling"]
           resources: ["horizontalpodautoscalers"]
           verbs: ["get", "list", "watch"]
+    konnector-bc:
+      skipValidation: "true"
+      rules:
+        - apiGroups: ["extensions"]
+          resources: ["daemonsets", "deployments", "replicasets"]
+          verbs: ["get", "list", "watch"]
+        - apiGroups: ["", "coordination.k8s.io"]
+          resources: ["leases", "namespaces", "secrets", "configmaps"]
+          verbs: ["get", "update", "patch", "list", "watch"]
 
   extraClusterRoleBindings:
-    openshift-anyuid-crole-binding:
+    konnector-openshift-anyuid:
       roleRef:
+        apiGroup: security.openshift.io/v1
         name: system:openshift:scc:anyuid
+    konnector-openshift-privileged:
+      roleRef:
+        apiGroup: security.openshift.io/v1
+        name: system:openshift:scc:privileged
 
   # ==========================
   # Secrets Resources