Merge pull request #10 from PaloAltoNetworks/golan/backwards-comp

backward compatibility adaptations

Author: yishaynaPalo

charts/konnector/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.12
+version: 1.0.13
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team

charts/konnector/templates/_helpers.tpl

@@ -60,16 +60,3 @@ spec:
               readOnly: true
       restartPolicy: Never
 {{- end -}}
-
-{{- define "common.apiGroupsWithoutVersions" }}
-{{- $groups := dict }}
-{{- range .Capabilities.APIVersions }}
-  {{- $parts := splitList "/" . }}
-  {{- $key := "" }}
-  {{- if gt (len $parts) 1 }}
-    {{- $key = index $parts 0 }}
-  {{- end }}
-  {{- $_ := set $groups $key true }}
-{{- end }}
-{{ $groups | toYaml }}
-{{- end }}

charts/konnector/templates/rbac.yaml

@@ -1,6 +1,5 @@
 {{- $namespace := .Values.namespace.name }}
 {{- $sa := .Values.system.serviceAccount.name }}
-{{- $availableApis := include "common.apiGroupsWithoutVersions" $ | fromYaml}}
 
 {{- range $roleName, $roleInfo := .Values.system.roles }}
 ---
@@ -37,15 +36,6 @@ roleRef:
 
 {{- range $roleName, $roleInfo := .Values.system.clusterRoles }}
 ---
-{{- $allGroupsAvailable := true }}
-{{- range $rule := $roleInfo.rules }}
-  {{- range $group := $rule.apiGroups }}
-    {{- if not (hasKey $availableApis $group) }}
-      {{- $allGroupsAvailable = false }}
-    {{- end }}
-  {{- end }}
-{{- end }}
-{{- if $allGroupsAvailable }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -74,15 +64,13 @@ roleRef:
   name: {{ $roleName }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
-{{- end }}
 
 {{- range $bindingName, $bindingInfo := .Values.system.extraClusterRoleBindings }}
 ---
-{{- if (has $bindingInfo.roleRef.apiGroup $.Capabilities.APIVersions) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ $bindingName }}-binding
+  name: {{ $bindingName }}
   labels:
     {{- include "common.labels" $ | nindent 4 }}
 subjects:
@@ -94,4 +82,3 @@ roleRef:
   name: {{ $bindingInfo.roleRef.name }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
-{{- end }}

charts/konnector/values.yaml

@@ -86,7 +86,7 @@ system:
   # Cluster Role Resources
   # ==========================
   clusterRoles:
-    konnector-manager-creator:
+    connector-manager-creator:
       rules:
         - apiGroups: [""]
           resources: ["configmaps", "services", "serviceaccounts"]
@@ -100,18 +100,15 @@ system:
         - apiGroups: ["rbac.authorization.k8s.io"]
           resources: ["clusterroles", "roles", "rolebindings", "clusterrolebindings"]
           verbs: ["create", "patch", "delete"]
-    konnector-cluster-manager:
+    cluster-manager:
       rules:
-        - apiGroups: [""]
-          resources: ["namespaces", "secrets", "configmaps"]
-          verbs: ["get", "update", "patch", "list", "watch"]
-        - apiGroups: ["coordination.k8s.io"]
-          resources: ["leases"]
+        - apiGroups: ["", "coordination.k8s.io"]
+          resources: ["leases", "namespaces", "secrets", "configmaps"]
           verbs: ["get", "update", "patch", "list", "watch"]
         - apiGroups: ["admissionregistration.k8s.io"]
           resources: ["validatingwebhookconfigurations"]
           verbs: ["update", "list", "watch", "get", "create", "patch", "delete"]
-    konnector-read-inventory:
+    read-inventory:
       rules:
         - apiGroups: [""]
           resources: ["namespaces", "pods", "serviceaccounts", "endpoints", "services", "configmaps", "secrets", "nodes", "nodes/proxy"]
@@ -128,26 +125,24 @@ system:
         - apiGroups: ["networking.k8s.io"]
           resources: ["networkpolicies", "ingresses"]
           verbs: ["get", "list", "watch"]
-    konnector-crd-manager:
+    crd-manager:
       rules:
         - apiGroups: ["apiextensions.k8s.io"]
           resources: ["customresourcedefinitions"]
           verbs: ["create", "get", "patch", "delete"]
-    konnector-node-vm-discovery:
+    node-vm-discovery:
       rules:
         - apiGroups: [""]
           resources: ["nodes"]
           verbs: ["get", "list", "patch"]
-    konnector-aro-openshift-permissions:
-      rules:
-        - apiGroups: ["aro.openshift.io"]
-          resources: ["clusters"]
-          verbs: ["get", "list", "watch"]
-    konnector-general-openshift-permissions:
+    openshift-permissions:
       rules:
         - apiGroups: ["config.openshift.io"]
           resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
           verbs: ["get", "list", "watch"]
+        - apiGroups: ["aro.openshift.io"]
+          resources: ["clusters"]
+          verbs: ["get", "list", "watch"]
         - apiGroups: ["operator.openshift.io"]
           resources: ["kubeapiservers", "openshiftapiservers", "ingresscontrollers", "networks"]
           verbs: ["get", "list", "watch"]
@@ -160,7 +155,7 @@ system:
         - apiGroups: ["security.openshift.io"]
           resources: ["securitycontextconstraints"]
           verbs: ["get", "list", "watch"]
-    konnector-otel:
+    otel:
       rules:
         - apiGroups: [""]
           resources: ["nodes/stats"]
@@ -171,6 +166,9 @@ system:
         - apiGroups: ["apps"]
           resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
           verbs: ["get", "list", "watch"]
+        - apiGroups: ["extensions"]
+          resources: ["daemonsets", "deployments", "replicasets"]
+          verbs: ["get", "list", "watch"]
         - apiGroups: ["batch"]
           resources: ["jobs", "cronjobs"]
           verbs: ["get", "list", "watch"]
@@ -179,14 +177,9 @@ system:
           verbs: ["get", "list", "watch"]
 
   extraClusterRoleBindings:
-    konnector-openshift-anyuid:
+    openshift-anyuid-crole-binding:
       roleRef:
-        apiGroup: security.openshift.io/v1
         name: system:openshift:scc:anyuid
-    konnector-openshift-privileged:
-      roleRef:
-        apiGroup: security.openshift.io/v1
-        name: system:openshift:scc:privileged
 
   # ==========================
   # Secrets Resources