@@ -1,3 +1,4 @@
{{- if .Values.rbac.clusterScope.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -47,3 +48,4 @@ rules:
- get
- patch
- update
{{- end }}
@@ -1,3 +1,4 @@
{{- if .Values.rbac.clusterScope.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -15,3 +16,4 @@ subjects:
- kind: ServiceAccount
name: {{ include "project.resourceName" (dict "suffix" "controller-manager" "context" $) }}
namespace: {{ .Release.Namespace }}
{{- end }}
@@ -72,6 +72,17 @@ manager:
##
tolerations: []

## RBAC configuration
##
rbac:
## Cluster-scoped RBAC resources (ClusterRole/ClusterRoleBinding)
##
clusterScope:
# Set to false to skip cluster-scoped RBAC, useful when the operator
# should be restricted to a single namespace or when cluster-wide
# permissions are managed externally.
enabled: true

## Helper RBAC roles for managing custom resources
##
rbacHelpers:
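Review bot: the comment on the new clusterScope.enabled key promises more than false actually does. The hunks in this change only wrap the existing ClusterRole/ClusterRoleBinding templates in `{{- if .Values.rbac.clusterScope.enabled }}`; nothing renders a namespace-scoped Role/RoleBinding in their place, so a user who sets this to false for the "restricted to a single namespace" case ends up with a controller-manager ServiceAccount that no longer has any of the manager role's get/patch/update permissions, and the leader-election Role alone does not let the controller reconcile. Either reword the comment to say that the equivalent Role/RoleBinding must then be supplied outside the chart, or template a Role/RoleBinding variant of the manager role when the flag is off.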
@@ -1,3 +1,4 @@
{{- if .Values.rbac.clusterScope.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -56,3 +57,4 @@ rules:
verbs:
- create
- patch
{{- end }}
@@ -1,3 +1,4 @@
{{- if .Values.rbac.clusterScope.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -15,3 +16,4 @@ subjects:
- kind: ServiceAccount
name: {{ include "project.resourceName" (dict "suffix" "controller-manager" "context" $) }}
namespace: {{ .Release.Namespace }}
{{- end }}
@@ -72,6 +72,17 @@ manager:
##
tolerations: []

## RBAC configuration
##
rbac:
## Cluster-scoped RBAC resources (ClusterRole/ClusterRoleBinding)
##
clusterScope:
# Set to false to skip cluster-scoped RBAC, useful when the operator
# should be restricted to a single namespace or when cluster-wide
# permissions are managed externally.
enabled: true

Member

We have either:

## Helper RBAC roles for managing custom resources
##
rbacHelpers:
  # Install convenience admin/editor/viewer roles for CRDs
  enable: false

So, should we have rbac:
Then, inside, helpers and default, for example, instead?

How would that work when the solution is scaffolded with the namespaced flag and the RBAC is not cluster-scoped? How would the Helm chart be in this case?

Author

@camilamacedo86 I could reuse the rbacHelpers.enabled for the main clusterrole/crb if that's what you're asking. The problem right now is that you can only generate Helm charts for cluster admins.

Member
@camilamacedo86 Feb 27, 2026

I see. I am thinking of a way to make it generic enough and address this need.
Could you give me 1 to 2 weeks? I will push that and you can help us know if that is a good approach. Your collaboration is very much needed and welcome, by the way.

## Helper RBAC roles for managing custom resources
##
rbacHelpers:
@@ -1,3 +1,4 @@
{{- if .Values.rbac.clusterScope.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
@@ -47,3 +48,4 @@ rules:
- get
- patch
- update
{{- end }}
@@ -1,3 +1,4 @@
{{- if .Values.rbac.clusterScope.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
@@ -15,3 +16,4 @@ subjects:
- kind: ServiceAccount
name: {{ include "project.resourceName" (dict "suffix" "controller-manager" "context" $) }}
namespace: {{ .Release.Namespace }}
{{- end }}
@@ -72,6 +72,17 @@ manager:
##
tolerations: []

## RBAC configuration
##
rbac:
## Cluster-scoped RBAC resources (ClusterRole/ClusterRoleBinding)
##
clusterScope:
# Set to false to skip cluster-scoped RBAC, useful when the operator
# should be restricted to a single namespace or when cluster-wide
# permissions are managed externally.
enabled: true

## Helper RBAC roles for managing custom resources
##
rbacHelpers:
@@ -1491,7 +1491,12 @@ func (t *HelmTemplater) addConditionalWrappers(yamlContent string, resource *uns
// Metrics RBAC depends on metrics being enabled
return fmt.Sprintf("{{- if .Values.metrics.enable }}\n%s{{- end }}\n", yamlContent)
}
// Essential RBAC (controller-manager, leader-election, manager roles) - always enabled
// Cluster-scoped RBAC (ClusterRole/ClusterRoleBinding) - conditional on rbac.clusterScope
// This allows operators to be deployed without cluster-wide permissions when needed
if kind == kindClusterRole || kind == kindClusterRoleBinding {
return fmt.Sprintf("{{- if .Values.rbac.clusterScope.enabled }}\n%s{{- end }}\n", yamlContent)
}
// Namespace-scoped RBAC (Role/RoleBinding, ServiceAccount) - always enabled
// These are required for the controller to function properly
return yamlContent
case kind == kindValidatingWebhook || kind == kindMutatingWebhook:
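Review bot: the new kind check sits below the metrics branch, so any metrics RBAC object that is itself a ClusterRole or ClusterRoleBinding (the `// Metrics RBAC depends on metrics being enabled` return above it fires first) is still rendered when rbac.clusterScope.enabled is false and metrics.enable is true, which undercuts the `// This allows operators to be deployed without cluster-wide permissions when needed` comment. The same applies to the rbacHelpers.enable wrapper exercised further down in the spec if that branch runs before this one, since the admin/editor/viewer roles it installs are cluster-scoped. Consider emitting `{{- if and .Values.metrics.enable .Values.rbac.clusterScope.enabled }}` (and the rbacHelpers equivalent) when those kinds are ClusterRole/ClusterRoleBinding, and add a test for the disabled-clusterScope plus enabled-metrics combination.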
@@ -394,8 +394,8 @@ metadata:
Expect(result).To(ContainSubstring("{{- end }}"))
})

It("should NOT add conditionals to essential resources", func() {
// Test essential RBAC
It("should add rbac.clusterScope conditional for essential ClusterRole", func() {
// Test essential ClusterRole gets rbac.clusterScope conditional
clusterRoleResource := &unstructured.Unstructured{}
clusterRoleResource.SetAPIVersion("rbac.authorization.k8s.io/v1")
clusterRoleResource.SetKind("ClusterRole")
@@ -408,7 +408,26 @@ metadata:

result := templater.ApplyHelmSubstitutions(content, clusterRoleResource)

// Should NOT wrap essential RBAC with conditionals
// Should wrap ClusterRole with rbac.clusterScope conditional
Expect(result).To(ContainSubstring("{{- if .Values.rbac.clusterScope.enabled }}"))
Expect(result).To(ContainSubstring("{{- end }}"))
})

It("should NOT add conditionals to namespace-scoped RBAC resources", func() {
// Test namespace-scoped Role does NOT get conditional
roleResource := &unstructured.Unstructured{}
roleResource.SetAPIVersion("rbac.authorization.k8s.io/v1")
roleResource.SetKind("Role")
roleResource.SetName("test-project-leader-election-role")

content := `apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: test-project-leader-election-role`

result := templater.ApplyHelmSubstitutions(content, roleResource)

// Should NOT wrap namespace-scoped Role with conditionals
Expect(result).NotTo(ContainSubstring("{{- if .Values"))
})

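Review bot: the negative test only covers kind Role, while the templater comment lists Role/RoleBinding and ServiceAccount as the namespace-scoped kinds that must stay unconditional. Add RoleBinding and ServiceAccount cases (a Ginkgo DescribeTable over the three kinds would keep it compact) so a future change to the kind comparison cannot silently start gating the ServiceAccount, which the ClusterRoleBinding subjects in the chart templates still reference.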
@@ -570,6 +589,24 @@ metadata:
Expect(result).To(ContainSubstring("{{- if .Values.rbacHelpers.enable }}"))
Expect(result).To(ContainSubstring("{{- end }}"))
})

It("should add rbac.clusterScope conditional for essential ClusterRoleBinding", func() {
bindingResource := &unstructured.Unstructured{}
bindingResource.SetAPIVersion("rbac.authorization.k8s.io/v1")
bindingResource.SetKind("ClusterRoleBinding")
bindingResource.SetName("test-project-manager-rolebinding")

content := `apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: test-project-manager-rolebinding`

result := templater.ApplyHelmSubstitutions(content, bindingResource)

// Should wrap ClusterRoleBinding with rbac.clusterScope conditional
Expect(result).To(ContainSubstring("{{- if .Values.rbac.clusterScope.enabled }}"))
Expect(result).To(ContainSubstring("{{- end }}"))
})
})

Context("chart.fullname templating", func() {
@@ -113,7 +113,18 @@ manager:
f.addDeploymentConfig(&buf)

// RBAC configuration
buf.WriteString(`## Helper RBAC roles for managing custom resources
buf.WriteString(`## RBAC configuration
##
rbac:
## Cluster-scoped RBAC resources (ClusterRole/ClusterRoleBinding)
##
clusterScope:
# Set to false to skip cluster-scoped RBAC, useful when the operator
# should be restricted to a single namespace or when cluster-wide
# permissions are managed externally.
enabled: true

## Helper RBAC roles for managing custom resources
##
rbacHelpers:
# Install convenience admin/editor/viewer roles for CRDs
@@ -55,6 +55,9 @@ var _ = Describe("HelmValuesBasic", func() {
Expect(content).To(ContainSubstring("envOverrides: {}"))
Expect(content).To(ContainSubstring("metrics:"))
Expect(content).To(ContainSubstring("prometheus:"))
Expect(content).To(ContainSubstring("rbac:"))
Expect(content).To(ContainSubstring("clusterScope:"))
Expect(content).To(ContainSubstring("enabled: true"))
Expect(content).To(ContainSubstring("rbacHelpers:"))
Expect(content).To(ContainSubstring("imagePullSecrets: []"))
})
@@ -92,6 +95,9 @@ var _ = Describe("HelmValuesBasic", func() {
Expect(content).To(ContainSubstring("args: []"))
Expect(content).To(ContainSubstring("metrics:"))
Expect(content).To(ContainSubstring("prometheus:"))
Expect(content).To(ContainSubstring("rbac:"))
Expect(content).To(ContainSubstring("clusterScope:"))
Expect(content).To(ContainSubstring("enabled: true"))
Expect(content).To(ContainSubstring("rbacHelpers:"))
Expect(content).To(ContainSubstring("imagePullSecrets: []"))
})
@@ -320,6 +326,29 @@ var _ = Describe("HelmValuesBasic", func() {
})
})

Context("rbac.clusterScope configuration", func() {
BeforeEach(func() {
valuesTemplate = &HelmValuesBasic{
HasWebhooks: false,
}
valuesTemplate.InjectProjectName("test-project")
err := valuesTemplate.SetTemplateDefaults()
Expect(err).NotTo(HaveOccurred())
})

It("should have rbac.clusterScope.enabled set to true by default", func() {
content := valuesTemplate.GetBody()
Expect(content).To(ContainSubstring("rbac:"))
Expect(content).To(ContainSubstring("clusterScope:"))
Expect(content).To(ContainSubstring("enabled: true"))
})

It("should include description comment for clusterScope", func() {
content := valuesTemplate.GetBody()
Expect(content).To(ContainSubstring("Cluster-scoped RBAC resources"))
})
})

Context("Port configuration", func() {
Context("with default ports", func() {
BeforeEach(func() {
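Review bot: `ContainSubstring("enabled: true")` is too loose to prove the new default: it matches any `enabled: true` anywhere in the generated values body, not the one nested under rbac.clusterScope, and the same three substring checks are repeated in the two earlier hunks of this spec. Assert on the indented block as one string (from `rbac:` through `    enabled: true`), or unmarshal the body as YAML and check the rbac.clusterScope.enabled value directly, and drop the duplicated checks from the earlier tests.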
11 changes: 11 additions & 0 deletions testdata/project-v4-with-plugins/dist/chart/values.yaml
@@ -80,6 +80,17 @@ manager:
##
tolerations: []

## RBAC configuration
##
rbac:
## Cluster-scoped RBAC resources (ClusterRole/ClusterRoleBinding)
##
clusterScope:
# Set to false to skip cluster-scoped RBAC, useful when the operator
# should be restricted to a single namespace or when cluster-wide
# permissions are managed externally.
enabled: true

Member

Here, for example, we have no cluster-scope rules since this sample is namespace-scoped.
See: https://book.kubebuilder.io/migration/namespace-scoped.html

Author

OK, that could be useful, but what I'm trying to achieve is having generated Helm chart templates for clickhouse-operator that can work for both cluster admins and namespaced users.

## Helper RBAC roles for managing custom resources
##
rbacHelpers: