fix(chart): securityContext and rbac for metrics proxy (#29)

raffis · web-flow · commit cc5a5c1c3a5c · 2023-06-19T09:37:15.000+02:00
diff --git a/chart/k8skafka-controller/Chart.yaml b/chart/k8skafka-controller/Chart.yaml
@@ -12,4 +12,4 @@ keywords:
 name: k8skafka-controller
 sources:
 - https://github.com/DoodleScheduling/k8skafka-controller
-version: 0.3.3
+version: 0.4.0
diff --git a/chart/k8skafka-controller/templates/deployment.yaml b/chart/k8skafka-controller/templates/deployment.yaml
@@ -81,17 +81,17 @@ spec:
         {{- end }}
       {{- if .Values.kubeRBACProxy.enabled }}
       - args:
-          - --secure-listen-address=0.0.0.0:8443
-          - --upstream=http://127.0.0.1:{{ .Values.metricsPort }}
-          - --logtostderr=true
-          - --v=0
-        image: quay.io/brancz/kube-rbac-proxy:v0.14.0
+        - --secure-listen-address=0.0.0.0:8443
+        - --upstream=http://127.0.0.1:{{ .Values.metricsPort }}
+        - --logtostderr=true
+        - --v=0
+        image: {{ .Values.kubeRBACProxy.image }}
         imagePullPolicy: IfNotPresent
         name: kube-rbac-proxy
         ports:
-          - containerPort: 8443
-            name: https
-            protocol: TCP
+        - containerPort: 8443
+          name: https
+          protocol: TCP
         resources:
           {{- toYaml .Values.kubeRBACProxy.resources | nindent 10 }}
         securityContext:
@@ -108,6 +108,8 @@ spec:
         secret:
           secretName: {{ .secretName }}
       {{- end }}
+      securityContext:
+      {{- toYaml .Values.podSecurityContext | nindent 8 }}
       affinity:
         {{- toYaml .Values.affinity | nindent 8 }}
       imagePullSecrets:
diff --git a/chart/k8skafka-controller/templates/metrics-rbac.yaml b/chart/k8skafka-controller/templates/metrics-rbac.yaml
@@ -16,6 +16,24 @@ rules:
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
+metadata:
+  name: {{ include "k8skafka-controller.fullname" . }}-metrics
+  labels:
+    app.kubernetes.io/name: {{ include "k8skafka-controller.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    helm.sh/chart: {{ include "k8skafka-controller.chart" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "k8skafka-controller.fullname" . }}-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: {{ template "k8skafka-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
   name: {{ include "k8skafka-controller.fullname" . }}-proxy
   labels:
diff --git a/chart/k8skafka-controller/values.yaml b/chart/k8skafka-controller/values.yaml
@@ -81,6 +81,8 @@ securityContext:
   capabilities:
     drop: ["all"]
   readOnlyRootFilesystem: true
+
+podSecurityContext:
   runAsGroup: 10000
   runAsNonRoot: true
   runAsUser: 10000
@@ -119,13 +121,19 @@ prometheusRule:
 
 kubeRBACProxy:
   enabled: true
-
+  image: quay.io/brancz/kube-rbac-proxy:v0.14.2
   securityContext:
     allowPrivilegeEscalation: false
     capabilities:
       drop: ["all"]
     readOnlyRootFilesystem: true
 
   resources: {}
+  # limits:
+  #   cpu: 500m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 5m
+  #   memory: 64Mi
 
 tolerations: []
