Create openshift resources only on openshift clusters

Signed-off-by: Roey <[email protected]>

Author: rlevartovsky

charts/konnector/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.10
+version: 1.0.11
 appVersion: "1.0.0"
 maintainers:
   - name: Palo Alto Networks - Cortex KSPM team

charts/konnector/templates/_helpers.tpl

@@ -61,12 +61,15 @@ spec:
       restartPolicy: Never
 {{- end -}}
 
-{{/* Returns true if the anyuid SCC exists and is accessible, false otherwise */}}
-{{- define "common.hasAnyuidSCC" -}}
-  {{- if has "security.openshift.io/v1" .Capabilities.APIVersions }}
-    {{- $scc := lookup "security.openshift.io/v1" "SecurityContextConstraints" "" "anyuid" }}
-    {{- if $scc }}true{{ else }}false{{ end }}
-  {{- else }}
-    false
+{{- define "common.apiGroupsWithoutVersions" }}
+{{- $groups := dict }}
+{{- range .Capabilities.APIVersions }}
+  {{- $parts := splitList "/" . }}
+  {{- $key := "" }}
+  {{- if gt (len $parts) 1 }}
+    {{- $key = index $parts 0 }}
   {{- end }}
+  {{- $_ := set $groups $key true }}
+{{- end }}
+{{ $groups | toYaml }}
 {{- end }}

charts/konnector/templates/rbac.yaml

@@ -1,5 +1,6 @@
 {{- $namespace := .Values.namespace.name }}
 {{- $sa := .Values.system.serviceAccount.name }}
+{{- $availableApis := include "common.apiGroupsWithoutVersions" $ | fromYaml}}
 
 {{- range $roleName, $roleInfo := .Values.system.roles }}
 ---
@@ -36,6 +37,15 @@ roleRef:
 
 {{- range $roleName, $roleInfo := .Values.system.clusterRoles }}
 ---
+{{- $allGroupsAvailable := true }}
+{{- range $rule := $roleInfo.rules }}
+  {{- range $group := $rule.apiGroups }}
+    {{- if not (hasKey $availableApis $group) }}
+      {{- $allGroupsAvailable = false }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+{{- if $allGroupsAvailable }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -64,10 +74,11 @@ roleRef:
   name: {{ $roleName }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
+{{- end }}
 
 {{- range $bindingName, $bindingInfo := .Values.system.extraClusterRoleBindings }}
 ---
-{{- if eq (include "common.hasAnyuidSCC" $) "true" }}
+{{- if (has $bindingInfo.roleRef.apiGroup $.Capabilities.APIVersions) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:

charts/konnector/values.yaml

@@ -102,8 +102,11 @@ system:
           verbs: ["create", "patch", "delete"]
     cluster-manager:
       rules:
-        - apiGroups: ["", "coordination.k8s.io"]
-          resources: ["leases", "namespaces", "secrets", "configmaps"]
+        - apiGroups: [""]
+          resources: ["namespaces", "secrets", "configmaps"]
+          verbs: ["get", "update", "patch", "list", "watch"]
+        - apiGroups: ["coordination.k8s.io"]
+          resources: ["leases"]
           verbs: ["get", "update", "patch", "list", "watch"]
         - apiGroups: ["admissionregistration.k8s.io"]
           resources: ["validatingwebhookconfigurations"]
@@ -135,14 +138,16 @@ system:
         - apiGroups: [""]
           resources: ["nodes"]
           verbs: ["get", "list", "patch"]
-    openshift-permissions:
+    aro-openshift-permissions:
       rules:
-        - apiGroups: ["config.openshift.io"]
-          resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
-          verbs: ["get", "list", "watch"]
         - apiGroups: ["aro.openshift.io"]
           resources: ["clusters"]
           verbs: ["get", "list", "watch"]
+    general-openshift-permissions:
+      rules:
+        - apiGroups: ["config.openshift.io"]
+          resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
+          verbs: ["get", "list", "watch"]
         - apiGroups: ["operator.openshift.io"]
           resources: ["kubeapiservers", "openshiftapiservers", "ingresscontrollers", "networks"]
           verbs: ["get", "list", "watch"]
@@ -166,9 +171,6 @@ system:
         - apiGroups: ["apps"]
           resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
           verbs: ["get", "list", "watch"]
-        - apiGroups: ["extensions"]
-          resources: ["daemonsets", "deployments", "replicasets"]
-          verbs: ["get", "list", "watch"]
         - apiGroups: ["batch"]
           resources: ["jobs", "cronjobs"]
           verbs: ["get", "list", "watch"]
@@ -179,6 +181,7 @@ system:
   extraClusterRoleBindings:
     openshift-anyuid-crole-binding:
       roleRef:
+        apiGroup: security.openshift.io/v1
         name: system:openshift:scc:anyuid
 
   # ==========================