chore: suuport define policy rules in values

apecloud · Jan 23, 2025 · 92f742f · 92f742f
1 parent 532406f
commit 92f742f
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 2 deletions.
diff --git a/apis/apps/v1/componentdefinition_types.go b/apis/apps/v1/componentdefinition_types.go
@@ -489,6 +489,8 @@ type ComponentDefinitionSpec struct {
 	// for the Component based on the specified policy rules.
 	// This ensures that the Pods in the Component has appropriate permissions to function.
 	//
+	// To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.
+	//
 	// This field is immutable.
 	//
 	// +optional

diff --git a/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml b/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
@@ -8331,6 +8331,9 @@ spec:
                   This ensures that the Pods in the Component has appropriate permissions to function.
 
 
+                  To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.
+
+
                   This field is immutable.
                 items:
                   description: |-

diff --git a/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml b/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml
@@ -8331,6 +8331,9 @@ spec:
                   This ensures that the Pods in the Component has appropriate permissions to function.
 
 
+                  To prevent privilege escalation, only permissions already owned by Kubeblocks can be added here.
+
+
                   This field is immutable.
                 items:
                   description: |-

diff --git a/deploy/helm/templates/rbac/rbac_manager_additaional_role.yaml b/deploy/helm/templates/rbac/rbac_manager_additaional_role.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.enabled }}
+# Additional role that is required for addons. Can be defined by user.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "kubeblocks.fullname" . }}-rbac-manager-role
+  labels:
+    {{- include "kubeblocks.labels" . | nindent 4 }}
+rules:
+# rabbitmq needs this
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - get
+# user defined rules
+{{- with .Values.rbac.additionalPolicyRules }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -69,10 +69,15 @@ fullnameOverride: ""
 ##
 ## If it is set to false, then you will need to create the service account
 ## named `cluster.ComponentSpec.ServiceAccountName` and the corresponding (cluster) role binding
-## manually or through the cluster's Helm template, as shown in the example:
-##   helm install mysql apecloud-mysql-cluster
+## manually.
+##
+## @param rbac.additionalPolicyRules
+## In your Componentdefinition CR's `policyRules` field, you can only define rules kubeblocks
+## already has. If you want to define a rule that kubeblocks does not have, you can add it here. 
+## This field is `[]rbacv1.PolicyRule`.
 rbac:
   enabled: true
+  additionalPolicyRules: []
 
 ## Deployment update strategy.
 ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy