Deploy without cluster admin permissions (ClusterRole and ClusterRoleBinding) #1147

@pawcykca

Description

Is your feature request related to a problem? Please describe.
Occasionally, I need to deploy Vault in K8S clusters where, for security reasons, administrators don't want to grant users permissions to create and manage ClusterRole and ClusterRoleBinding resources. Currently, the helm chart doesn't allow Vault deployment in such clusters because it creates ClusterRole and ClusterRoleBinding resources by default.

Describe the solution you'd like
The solution to this problem is to modify the helm chart appropriately (while maintaining backward compatibility) to delegate the creation of ServiceAccount, ClusterRole, and ClusterRoleBinding resources to the cluster administrator, which the user then uses to deploy Vault.

Below is my proposal – please let me know if creating a PR with these changes makes sense, or if such a PR will not be approved for some reason.

$ git diff
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 54c7a73..7d80c35 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -102,6 +102,7 @@ Compute if the server auth delegator serviceaccount is enabled.
     (eq (.Values.server.authDelegator.enabled | toString) "true" )
     (or (eq (.Values.server.serviceAccount.create | toString) "true")
         (not (eq .Values.server.serviceAccount.name "")))
+    (eq (.Values.server.serviceAccount.createClusterRoleBinding | toString) "true")
     (or
       (eq (.Values.server.enabled | toString) "true")
       (eq (.Values.global.enabled | toString) "true"))) -}}
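Review bot: the new `createClusterRoleBinding` term is named differently from the `createClusterRoleAndBinding` flags introduced for `injector` and `csi` in the values.yaml hunks; either align the naming across the three components or state in the values.yaml comment why the server flag only covers a binding. Also, the hunk header says this helper computes whether the auth delegator service account is enabled, so please confirm that every template consuming its result renders only the ClusterRoleBinding, otherwise setting the flag to false would drop more than the cluster-scoped resource the admin is expected to pre-create.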
diff --git a/templates/csi-clusterrole.yaml b/templates/csi-clusterrole.yaml
index 6d979ea..1a5e03d 100644
--- a/templates/csi-clusterrole.yaml
+++ b/templates/csi-clusterrole.yaml
@@ -5,6 +5,7 @@ SPDX-License-Identifier: MPL-2.0
 
 {{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
+{{- if eq (.Values.csi.serviceAccount.createClusterRoleAndBinding | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
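Review bot: the added `{{- if eq ... }}` trims whitespace on the left only, while the enclosing `{{- if .csiEnabled -}}` trims both sides, so the rendered document now starts with an empty line before `apiVersion:`; harmless for YAML, but for consistency with the surrounding template use `{{- if eq (.Values.csi.serviceAccount.createClusterRoleAndBinding | toString) "true" -}}`.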
@@ -21,3 +22,4 @@ rules:
   verbs:
   - create
 {{- end }}
+{{- end }}
diff --git a/templates/csi-clusterrolebinding.yaml b/templates/csi-clusterrolebinding.yaml
index 506ec94..6b54910 100644
--- a/templates/csi-clusterrolebinding.yaml
+++ b/templates/csi-clusterrolebinding.yaml
@@ -5,6 +5,7 @@ SPDX-License-Identifier: MPL-2.0
 
 {{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
+{{- if eq (.Values.csi.serviceAccount.createClusterRoleAndBinding | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -22,3 +23,4 @@ subjects:
   name: {{ template "vault.fullname" . }}-csi-provider
   namespace: {{ include "vault.namespace" . }}
 {{- end }}
+{{- end }}
diff --git a/templates/csi-serviceaccount.yaml b/templates/csi-serviceaccount.yaml
index 6327a7b..752e684 100644
--- a/templates/csi-serviceaccount.yaml
+++ b/templates/csi-serviceaccount.yaml
@@ -5,6 +5,7 @@ SPDX-License-Identifier: MPL-2.0
 
 {{- template "vault.csiEnabled" . -}}
 {{- if .csiEnabled -}}
+{{- if eq (.Values.csi.serviceAccount.create | toString) "true" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
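Review bot: when `csi.serviceAccount.create` is false there is no value telling the chart which account the administrator created; the binding subject in the csi-clusterrolebinding hunk is fixed to `{{ template "vault.fullname" . }}-csi-provider`, so the admin must create exactly that name in the release namespace. Either document that requirement next to the new flag in values.yaml or add a `csi.serviceAccount.name` value, mirroring the existing `server.serviceAccount.name: ""` shown in the values.yaml hunk.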
@@ -19,3 +20,4 @@ metadata:
     {{- end -}}
   {{ template "csi.serviceAccount.annotations" . }}
 {{- end }}
+{{- end }}
diff --git a/templates/injector-clusterrole.yaml b/templates/injector-clusterrole.yaml
index df603f2..a22bdcc 100644
--- a/templates/injector-clusterrole.yaml
+++ b/templates/injector-clusterrole.yaml
@@ -5,6 +5,7 @@ SPDX-License-Identifier: MPL-2.0
 
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
+{{- if eq (.Values.injector.serviceAccount.createClusterRoleAndBinding | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -28,3 +29,4 @@ rules:
     - "get"
 {{ end }}
 {{ end }}
+{{ end }}
diff --git a/templates/injector-clusterrolebinding.yaml b/templates/injector-clusterrolebinding.yaml
index 82cbce0..273a6dc 100644
--- a/templates/injector-clusterrolebinding.yaml
+++ b/templates/injector-clusterrolebinding.yaml
@@ -5,6 +5,7 @@ SPDX-License-Identifier: MPL-2.0
 
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
+{{- if eq (.Values.injector.serviceAccount.createClusterRoleAndBinding | toString) "true" }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -22,3 +23,4 @@ subjects:
   name: {{ template "vault.fullname" . }}-agent-injector
   namespace: {{ include "vault.namespace" . }}
 {{ end }}
+{{ end }}
diff --git a/templates/injector-serviceaccount.yaml b/templates/injector-serviceaccount.yaml
index 2f91c3d..7548323 100644
--- a/templates/injector-serviceaccount.yaml
+++ b/templates/injector-serviceaccount.yaml
@@ -5,6 +5,7 @@ SPDX-License-Identifier: MPL-2.0
 
 {{- template "vault.injectorEnabled" . -}}
 {{- if .injectorEnabled -}}
+{{- if eq (.Values.injector.serviceAccount.create | toString) "true" }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
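Review bot: same coupling as on the CSI side: with `injector.serviceAccount.create: false` the admin-provided account must be named `{{ template "vault.fullname" . }}-agent-injector` to match the subject in the injector-clusterrolebinding hunk, and nothing in the chart checks or documents that. Please document it alongside the new flag or add an `injector.serviceAccount.name` value.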
@@ -16,3 +17,4 @@ metadata:
     app.kubernetes.io/managed-by: {{ .Release.Service }}
   {{ template "injector.serviceAccount.annotations" . }}
 {{ end }}
+{{ end }}
diff --git a/values.yaml b/values.yaml
index 185aad9..eb94f8f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -336,6 +336,10 @@ injector:
 
   # Injector serviceAccount specific config
   serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Specifies whether a ClusterRole and ClusterRoleBinding should be created (if not, cluster administrator is responsible to create them)
+    createClusterRoleAndBinding: true  
     # Extra annotations to attach to the injector serviceAccount
     annotations: {}
 
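Review bot: `createClusterRoleAndBinding: true` carries trailing whitespace; strip it. The comment would read better as "if not, the cluster administrator is responsible for creating them", and since the admin-created objects must match the chart's generated names, the comment for `create` and `createClusterRoleAndBinding` should state the expected account name so the administrator knows what to provision.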
@@ -988,6 +992,8 @@ server:
     # The name of the service account to use.
     # If not set and create is true, a name is generated using the fullname template
     name: ""
+    # Specifies whether a ClusterRoleBinding should be created (if not, cluster administrator is responsible to create them)
+    createClusterRoleBinding: true    
     # Create a Secret API object to store a non-expiring token for the service account.
     # Prior to v1.24.0, Kubernetes used to generate this secret for each service account by default.
     # Kubernetes now recommends using short-lived tokens from the TokenRequest API or projected volumes instead if possible.
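Review bot: `createClusterRoleBinding: true` has trailing whitespace; strip it. The comment says "responsible to create them" although this flag governs a single ClusterRoleBinding, so "responsible for creating it" is accurate. Consider also noting here that the flag name deliberately differs from the injector/csi `createClusterRoleAndBinding` flags because the server template renders no ClusterRole of its own, if that is indeed the reason.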
@@ -1218,6 +1224,10 @@ csi:
   priorityClassName: ""
 
   serviceAccount:
+    # Specifies whether a service account should be created
+    create: true
+    # Specifies whether a ClusterRole and ClusterRoleBinding should be created (if not, cluster administrator is responsible to create them)
+    createClusterRoleAndBinding: true  
     # Extra annotations for the serviceAccount definition. This can either be
     # YAML or a YAML-formatted multi-line templated string map of the
     # annotations to apply to the serviceAccount.
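Review bot: `createClusterRoleAndBinding: true` has trailing whitespace; strip it, and fix the comment grammar the same way as in the injector block ("the cluster administrator is responsible for creating them"), ideally stating the `-csi-provider` account name the administrator must use.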

Additional context
A similar problem was reported and commented on in old issue #327 and a discussion.
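Before installing into a cluster that forbids cluster-scoped RBAC, a user of the proposed flags would want to confirm that `helm template` no longer emits any ClusterRole or ClusterRoleBinding. The dependency-free check below is an added example, not part of this issue or of the Vault chart; the embedded manifest is a constructed rendering (object names are made up, the kinds and template file names follow the diff above).

```python
import re

# Constructed sample of what `helm template` might print with the proposed
# csi.serviceAccount.createClusterRoleAndBinding flag left at its default (true).
SAMPLE_MANIFEST = """\
---
# Source: vault/templates/csi-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-csi-provider
  namespace: vault
---
# Source: vault/templates/csi-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vault-csi-provider-clusterrole
---
# Source: vault/templates/csi-clusterrolebinding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vault-csi-provider-clusterrolebinding
subjects:
- kind: ServiceAccount
  name: vault-csi-provider
  namespace: vault
"""

CLUSTER_SCOPED_RBAC = {"ClusterRole", "ClusterRoleBinding"}


def split_documents(manifest: str):
    """Split a multi-document YAML stream on '---' lines (no PyYAML required)."""
    return [d for d in re.split(r"^---[ \t]*$", manifest, flags=re.M) if d.strip()]


def cluster_scoped_rbac(manifest: str):
    """Return (kind, name, source template) for each ClusterRole/ClusterRoleBinding."""
    found = []
    for doc in split_documents(manifest):
        kind = re.search(r"^kind:\s*(\S+)", doc, re.M)
        if not kind or kind.group(1) not in CLUSTER_SCOPED_RBAC:
            continue
        # First 'name:' under the top-level 'metadata:' block is the object name.
        meta = re.search(r"^metadata:\s*\n(?:[ \t]+.*\n)*?[ \t]+name:\s*(\S+)", doc, re.M)
        src = re.search(r"^# Source:\s*(\S+)", doc, re.M)
        found.append((kind.group(1), meta.group(1) if meta else "?", src.group(1) if src else "?"))
    return found


def safe_for_restricted_cluster(manifest: str) -> bool:
    """True when the rendering contains no cluster-scoped RBAC objects at all."""
    return not cluster_scoped_rbac(manifest)
```

Pipe real output into it with `helm template vault hashicorp/vault --set csi.serviceAccount.createClusterRoleAndBinding=false ...` and expect `safe_for_restricted_cluster` to flip to true once all three flags are off; any remaining hit names the template still producing a cluster-scoped object.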
