diff --git a/charts/konnector/Chart.yaml b/charts/konnector/Chart.yaml
index 4cb3e17..77f826d 100644
--- a/charts/konnector/Chart.yaml
+++ b/charts/konnector/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: konnector
 description: Deploys Palo Alto Networks' Cortex KSPM connector for advanced Kubernetes security posture management.
 type: application
-version: 1.0.13
+version: 1.0.14
 appVersion: "1.0.0"
 maintainers:
 - name: Palo Alto Networks - Cortex KSPM team
diff --git a/charts/konnector/templates/_helpers.tpl b/charts/konnector/templates/_helpers.tpl
index 2ef387a..172d909 100644
--- a/charts/konnector/templates/_helpers.tpl
+++ b/charts/konnector/templates/_helpers.tpl
@@ -60,3 +60,16 @@ spec:
 readOnly: true
 restartPolicy: Never
 {{- end -}}
+
+{{- define "common.apiGroupsWithoutVersions" }}
+{{- $groups := dict }}
+{{- range .Capabilities.APIVersions }}
+ {{- $parts := splitList "/" . }}
+ {{- $key := "" }}
+ {{- if gt (len $parts) 1 }}
+ {{- $key = index $parts 0 }}
+ {{- end }}
+ {{- $_ := set $groups $key true }}
+{{- end }}
+{{ $groups | toYaml }}
+{{- end }}
diff --git a/charts/konnector/templates/rbac.yaml b/charts/konnector/templates/rbac.yaml
index 746bef6..553e6a9 100644
--- a/charts/konnector/templates/rbac.yaml
+++ b/charts/konnector/templates/rbac.yaml
@@ -1,5 +1,6 @@
 {{- $namespace := .Values.namespace.name }}
 {{- $sa := .Values.system.serviceAccount.name }}
+{{- $availableApis := include "common.apiGroupsWithoutVersions" $ | fromYaml}}
 {{- range $roleName, $roleInfo := .Values.system.roles }}
 ---
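Review bot: `common.apiGroupsWithoutVersions` has no comment, and its result depends on how the chart is rendered: `.Capabilities.APIVersions` reflects the live cluster on `helm install`/`helm upgrade`, but under `helm template` (as GitOps tools such as Argo CD or Flux use it) it is Helm's built-in default list unless `--api-versions` is passed, so the role filtering it feeds in rbac.yaml would silently drop the OpenShift ClusterRoles in such pipelines. A header comment above the define should say this, e.g. `{{/* Set of API groups ("" = core) found in .Capabilities.APIVersions. Under "helm template" this is Helm's default list unless --api-versions is given, so roles filtered on it may be skipped when rendering offline. */}}`. Two smaller points worth a line in that comment: entries of the form `v1/Pod` yield an extra `v1` key next to `""` (harmless), and a rule using the `"*"` apiGroup wildcard would never be found in this map (none in values.yaml today).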
@@ -36,6 +37,17 @@ roleRef:
 {{- range $roleName, $roleInfo := .Values.system.clusterRoles }}
 ---
+{{- $allGroupsAvailable := true }}
+{{- if not $roleInfo.skipValidation }}
+ {{- range $rule := $roleInfo.rules }}
+ {{- range $group := $rule.apiGroups }}
+ {{- if not (hasKey $availableApis $group) }}
+ {{- $allGroupsAvailable = false }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
+{{- if $allGroupsAvailable }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -64,13 +76,15 @@ roleRef:
 name: {{ $roleName }}
 apiGroup: rbac.authorization.k8s.io
 {{- end }}
+{{- end }}
 {{- range $bindingName, $bindingInfo := .Values.system.extraClusterRoleBindings }}
 ---
+{{- if (has $bindingInfo.roleRef.apiGroup $.Capabilities.APIVersions) }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ $bindingName }}
+ name: {{ $bindingName }}-binding
 labels:
 {{- include "common.labels" $ | nindent 4 }}
 subjects:
@@ -82,3 +96,4 @@ roleRef:
 name: {{ $bindingInfo.roleRef.name }}
 apiGroup: rbac.authorization.k8s.io
 {{- end }}
+{{- end }}
diff --git a/charts/konnector/values.yaml b/charts/konnector/values.yaml
index c1d7938..5097025 100644
--- a/charts/konnector/values.yaml
+++ b/charts/konnector/values.yaml
@@ -86,7 +86,7 @@ system:
 # Cluster Role Resources
 # ==========================
 clusterRoles:
- connector-manager-creator:
+ konnector-manager-creator:
 rules:
 - apiGroups: [""]
 resources: ["configmaps", "services", "serviceaccounts"]
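Review bot: The `$allGroupsAvailable` check in the `-36,6` hunk is all-or-nothing: one apiGroup missing from any rule drops the whole ClusterRole and — given the new `{{- end }}` in the `-64,13` hunk sits after the existing one, assuming the lines between the two hunks are balanced — its ClusterRoleBinding as well, leaving only an empty `---` document and no rendered trace. That silently removes permissions the cluster does support (e.g. `konnector-general-openshift-permissions` spans three OpenShift groups); filtering per rule instead, or at minimum a comment above `{{- $allGroupsAvailable := true }}` such as `{{/* Render the role and its binding only if every apiGroup in its rules exists on the cluster (see common.apiGroupsWithoutVersions); skipValidation on the role bypasses this. */}}`, would make the behaviour legible. In the `-64,13` hunk `$bindingInfo.roleRef.apiGroup` serves only as the capability probe while the rendered `roleRef.apiGroup` stays `rbac.authorization.k8s.io`, so a values key named `roleRef.apiGroup` holding `security.openshift.io/v1` is misleading; a name like `requiredApiVersion`, or a comment on the key in values.yaml, would help. The rename to `{{ $bindingName }}-binding` combined with the new values keys means an upgrade deletes `openshift-anyuid-crole-binding` and recreates it under the new name, which is fine but deserves a changelog line.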
@@ -100,15 +100,18 @@ system:
 - apiGroups: ["rbac.authorization.k8s.io"]
 resources: ["clusterroles", "roles", "rolebindings", "clusterrolebindings"]
 verbs: ["create", "patch", "delete"]
- cluster-manager:
+ konnector-cluster-manager:
 rules:
- - apiGroups: ["", "coordination.k8s.io"]
- resources: ["leases", "namespaces", "secrets", "configmaps"]
+ - apiGroups: [""]
+ resources: ["namespaces", "secrets", "configmaps"]
+ verbs: ["get", "update", "patch", "list", "watch"]
+ - apiGroups: ["coordination.k8s.io"]
+ resources: ["leases"]
 verbs: ["get", "update", "patch", "list", "watch"]
 - apiGroups: ["admissionregistration.k8s.io"]
 resources: ["validatingwebhookconfigurations"]
 verbs: ["update", "list", "watch", "get", "create", "patch", "delete"]
- read-inventory:
+ konnector-read-inventory:
 rules:
 - apiGroups: [""]
 resources: ["namespaces", "pods", "serviceaccounts", "endpoints", "services", "configmaps", "secrets", "nodes", "nodes/proxy"]
@@ -125,24 +128,26 @@ system:
 - apiGroups: ["networking.k8s.io"]
 resources: ["networkpolicies", "ingresses"]
 verbs: ["get", "list", "watch"]
- crd-manager:
+ konnector-crd-manager:
 rules:
 - apiGroups: ["apiextensions.k8s.io"]
 resources: ["customresourcedefinitions"]
 verbs: ["create", "get", "patch", "delete"]
- node-vm-discovery:
+ konnector-node-vm-discovery:
 rules:
 - apiGroups: [""]
 resources: ["nodes"]
 verbs: ["get", "list", "patch"]
- openshift-permissions:
+ konnector-aro-openshift-permissions:
 rules:
- - apiGroups: ["config.openshift.io"]
- resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
- verbs: ["get", "list", "watch"]
 - apiGroups: ["aro.openshift.io"]
 resources: ["clusters"]
 verbs: ["get", "list", "watch"]
+ konnector-general-openshift-permissions:
+ rules:
+ - apiGroups: ["config.openshift.io"]
+ resources: ["clusterversions", "apiservers", "authentications", "clusteroperators", "oauths", "infrastructures"]
+ verbs: ["get", "list", "watch"]
 - apiGroups: ["operator.openshift.io"]
 resources: ["kubeapiservers", "openshiftapiservers", "ingresscontrollers", "networks"]
 verbs: ["get", "list", "watch"]
@@ -155,7 +160,7 @@ system:
 - apiGroups: ["security.openshift.io"]
 resources: ["securitycontextconstraints"]
 verbs: ["get", "list", "watch"]
- otel:
+ konnector-otel:
 rules:
 - apiGroups: [""]
 resources: ["nodes/stats"]
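Review bot: The split of `openshift-permissions` into `konnector-aro-openshift-permissions` and `konnector-general-openshift-permissions` carries no comment, and the reason — rbac.yaml now skips a ClusterRole whenever any apiGroup in its rules is absent, and `aro.openshift.io` is presumably present only on Azure Red Hat OpenShift — is not visible from values.yaml, so a contributor adding a rule to the general role can disable all of it without noticing. A comment above `konnector-aro-openshift-permissions:` such as `# Roles are grouped by API-group availability: a ClusterRole is skipped at render time if any of its apiGroups is missing from the cluster, so keep ARO-only groups in their own role` would keep the two from being re-merged.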
@@ -166,20 +171,31 @@ system:
 - apiGroups: ["apps"]
 resources: ["daemonsets", "deployments", "replicasets", "statefulsets"]
 verbs: ["get", "list", "watch"]
- - apiGroups: ["extensions"]
- resources: ["daemonsets", "deployments", "replicasets"]
- verbs: ["get", "list", "watch"]
 - apiGroups: ["batch"]
 resources: ["jobs", "cronjobs"]
 verbs: ["get", "list", "watch"]
 - apiGroups: ["autoscaling"]
 resources: ["horizontalpodautoscalers"]
 verbs: ["get", "list", "watch"]
+ konnector-bc:
+ skipValidation: "true"
+ rules:
+ - apiGroups: ["extensions"]
+ resources: ["daemonsets", "deployments", "replicasets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["", "coordination.k8s.io"]
+ resources: ["leases", "namespaces", "secrets", "configmaps"]
+ verbs: ["get", "update", "patch", "list", "watch"]
 extraClusterRoleBindings:
- openshift-anyuid-crole-binding:
+ konnector-openshift-anyuid:
 roleRef:
+ apiGroup: security.openshift.io/v1
 name: system:openshift:scc:anyuid
+ konnector-openshift-privileged:
+ roleRef:
+ apiGroup: security.openshift.io/v1
+ name: system:openshift:scc:privileged
 # ==========================
 # Secrets Resources
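Review bot: `skipValidation: "true"` on `konnector-bc` is a quoted string, and `{{- if not $roleInfo.skipValidation }}` in rbac.yaml treats any non-empty string as true, so `skipValidation: "false"` would also skip validation; write it as a YAML boolean, `skipValidation: true`, and give the role a comment saying it exists for the legacy `extensions` group that modern clusters no longer serve. The second rule of `konnector-bc` re-introduces the `["", "coordination.k8s.io"] × ["leases", "namespaces", "secrets", "configmaps"]` cross-product that the `-100,15` hunk just split apart; the extra combinations name resources that do not exist in those groups, so it grants nothing new but reads as over-broad and will be flagged by RBAC linters — if the role is only about `extensions`, drop that rule. `konnector-openshift-privileged` binds the chart's subjects (outside this hunk, presumably the service account) to `system:openshift:scc:privileged`, which allows fully privileged pods and is a materially larger grant than the existing anyuid binding; a comment naming the workload that needs it, and whether anyuid is still required alongside it, belongs next to the key.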