diff --git a/charts/konnector/Chart.yaml b/charts/konnector/Chart.yaml
index 46c6e4b..4cb3e17 100644
--- a/charts/konnector/Chart.yaml
+++ b/charts/konnector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: konnector
description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
type: application
-version: 1.0.12
+version: 1.0.13
appVersion: "1.0.0"
maintainers:
- name: Palo Alto Networks - Cortex KSPM team
diff --git a/charts/konnector/templates/_helpers.tpl b/charts/konnector/templates/_helpers.tpl
index 172d909..2ef387a 100644
--- a/charts/konnector/templates/_helpers.tpl
+++ b/charts/konnector/templates/_helpers.tpl
@@ -60,16 +60,3 @@ spec:
readOnly: true
restartPolicy: Never
{{- end -}}
-
-{{- define "common.apiGroupsWithoutVersions" }}
-{{- $groups := dict }}
-{{- range .Capabilities.APIVersions }}
- {{- $parts := splitList "/" . }}
- {{- $key := "" }}
- {{- if gt (len $parts) 1 }}
- {{- $key = index $parts 0 }}
- {{- end }}
- {{- $_ := set $groups $key true }}
-{{- end }}
-{{ $groups | toYaml }}
-{{- end }}
diff --git a/charts/konnector/templates/rbac.yaml b/charts/konnector/templates/rbac.yaml
index 6bfa947..746bef6 100644
--- a/charts/konnector/templates/rbac.yaml
+++ b/charts/konnector/templates/rbac.yaml
@@ -1,6 +1,5 @@
{{- $namespace := .Values.namespace.name }}
{{- $sa := .Values.system.serviceAccount.name }}
-{{- $availableApis := include "common.apiGroupsWithoutVersions" $ | fromYaml}}
{{- range $roleName, $roleInfo := .Values.system.roles }}
---
@@ -37,15 +36,6 @@ roleRef:
{{- range $roleName, $roleInfo := .Values.system.clusterRoles }}
---
-{{- $allGroupsAvailable := true }}
-{{- range $rule := $roleInfo.rules }}
- {{- range $group := $rule.apiGroups }}
- {{- if not (hasKey $availableApis $group) }}
- {{- $allGroupsAvailable = false }}
- {{- end }}
- {{- end }}
-{{- end }}
-{{- if $allGroupsAvailable }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -74,15 +64,13 @@ roleRef:
name: {{ $roleName }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
-{{- end }}
{{- range $bindingName, $bindingInfo := .Values.system.extraClusterRoleBindings }}
---
-{{- if (has $bindingInfo.roleRef.apiGroup $.Capabilities.APIVersions) }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: {{ $bindingName }}-binding
+ name: {{ $bindingName }}
labels:
{{- include "common.labels" $ | nindent 4 }}
subjects:
@@ -94,4 +82,3 @@ roleRef:
name: {{ $bindingInfo.roleRef.name }}
apiGroup: rbac.authorization.k8s.io
{{- end }}
-{{- end }}
diff --git a/charts/konnector/values.yaml b/charts/konnector/values.yaml
index fd1ae3b..c1d7938 100644
--- a/charts/konnector/values.yaml
+++ b/charts/konnector/values.yaml
@@ -86,7 +86,7 @@ system:
# Cluster Role Resources
# ==========================
clusterRoles:
- konnector-manager-creator:
+ connector-manager-creator:
rules:
- apiGroups: [""]
resources: ["configmaps", "services", "serviceaccounts"]
@@ -100,18 +100,15 @@ system:
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles", "roles", "rolebindings", "clusterrolebindings"]
verbs: ["create", "patch", "delete"]
- konnector-cluster-manager:
+ cluster-manager:
rules:
- - apiGroups: [""]
resources: ["namespaces", "secrets", "configmaps"]
verbs: ["get", "update", "patch", "list", "watch"]
- - apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
+ - apiGroups: ["", "coordination.k8s.io"]
resources: ["leases", "namespaces", "secrets", "configmaps"]
verbs: ["get", "update", "patch", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["validatingwebhookconfigurations"]
verbs: ["update", "list", "watch", "get", "create", "patch", "delete"]
- konnector-read-inventory:
+ read-inventory:
rules:
- apiGroups: [""]
resources: ["namespaces", "pods", "serviceaccounts", "endpoints", "services", "configmaps", "secrets", "nodes", "nodes/proxy"]
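Review bot: Removing `{{- if (has $bindingInfo.roleRef.apiGroup $.Capabilities.APIVersions) }}` from the extraClusterRoleBindings loop leaves no platform condition at all, so the one remaining entry in values.yaml, which binds the connector's service account to `system:openshift:scc:anyuid`, is now rendered on vanilla Kubernetes too. The API server does not check that a ClusterRoleBinding's roleRef resolves, so the install succeeds and leaves a dangling binding that quietly becomes effective if a ClusterRole of that name ever appears. Whether the old `has` check actually matched on a live OpenShift install I cannot tell from the diff; if it did not, the documented form is `{{- if $.Capabilities.APIVersions.Has "security.openshift.io/v1" }}` … `{{- end }}` around the binding, with `--api-versions security.openshift.io/v1` supplied to offline `helm template` runs rather than dropping the gate.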
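Review bot: The merged rule under `cluster-manager`, `apiGroups: ["", "coordination.k8s.io"]` with `resources: ["leases", "namespaces", "secrets", "configmaps"]`, is evaluated by RBAC as a cross product, so the role now nominally holds get/update/patch/list/watch on core `leases` and on `coordination.k8s.io` namespaces/secrets/configmaps in addition to the pairs that were intended. Those cross terms name kinds that do not exist today, so effective access is unchanged, but the rule no longer reads as least-privilege and RBAC review tooling will list the extra grants. Keep one rule per API group as the removed lines had it; the three lines saved are not worth the audit noise on a role that already touches secrets cluster-wide.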
@@ -128,26 +125,24 @@ system:
- apiGroups: ["networking.k8s.io"]
resources: ["networkpolicies", "ingresses"]
verbs: ["get", "list", "watch"]
- konnector-crd-manager:
+ crd-manager:
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["create", "get", "patch", "delete"]
- konnector-node-vm-discovery:
+ node-vm-discovery:
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "patch"]
- konnector-aro-openshift-permissions:
- rules:
- - apiGroups: ["aro.openshift.io"]
- resources: ["clusters"]
- verbs: ["get", "list", "watch"]
- konnector-general-openshift-permissions:
+ openshift-permissions:
rules:
- apiGroups: ["config.openshift.io"]
resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
verbs: ["get", "list", "watch"]
+ - apiGroups: ["aro.openshift.io"]
+ resources: ["clusters"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["operator.openshift.io"]
resources: ["kubeapiservers", "openshiftapiservers", "ingresscontrollers", "networks"]
verbs: ["get", "list", "watch"]
@@ -160,7 +155,7 @@ system:
- apiGroups: ["security.openshift.io"]
resources: ["securitycontextconstraints"]
verbs: ["get", "list", "watch"]
- konnector-otel:
+ otel:
rules:
- apiGroups: [""]
resources: ["nodes/stats"]
@@ -171,6 +166,9 @@ system:
- apiGroups: ["apps"]
resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
verbs: ["get", "list", "watch"]
+ - apiGroups: ["extensions"]
+ resources: ["daemonsets", "deployments", "replicasets"]
+ verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list", "watch"]
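Review bot: The new `apiGroups: ["extensions"]` rule in the `otel` role grants read on daemonsets/deployments/replicasets, kinds that Kubernetes stopped serving from the `extensions` group in 1.16, so on any currently supported cluster this is a permission that can never be exercised. If the collector genuinely targets pre-1.16 clusters, say so where the rule sits, e.g. `# extensions/v1beta1 workloads: only served by clusters older than Kubernetes 1.16`; otherwise drop the rule so the declared surface matches what the collector actually reads. The `otel` role's first rules are outside this hunk.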
@@ -179,14 +177,9 @@ system:
verbs: ["get", "list", "watch"]
extraClusterRoleBindings:
- konnector-openshift-anyuid:
+ openshift-anyuid-crole-binding:
roleRef:
- apiGroup: security.openshift.io/v1
name: system:openshift:scc:anyuid
- konnector-openshift-privileged:
- roleRef:
- apiGroup: security.openshift.io/v1
- name: system:openshift:scc:privileged
# ==========================
# Secrets Resources
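Review bot: With `apiGroup: security.openshift.io/v1` gone, nothing in `openshift-anyuid-crole-binding` tells a reader that this is an OpenShift-only grant, and since rbac.yaml in this same change no longer gates the loop on Capabilities, the ClusterRoleBinding to `system:openshift:scc:anyuid` is rendered on every distribution with a roleRef that resolves to nothing elsewhere. Add a comment above the entry so it is not mistaken for a vanilla-Kubernetes permission: `# OpenShift only: grants the connector SA the anyuid SCC. Rendered unconditionally; on other distributions the roleRef is dangling.` Dropping the `system:openshift:scc:privileged` binding is a welcome reduction in what the service account can do.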