Commit 2ee5d69

gregwhorley, Bitnami Containers and jotamartos authored
[bitnami/kubernetes-event-exporter] feat: configurable cluster role rules (#20875)
* [bitnami/kubernetes-event-exporter] feat: allow cluster role rules to be configured

  The cluster role template contains a hardcoded catchall rule which is too broad. Allow the cluster role rules to be overridden by the user with a default value that follows the principle of least privilege.

  I tested this by:
  - applying this rule in my own cluster and observing the kubernetes-event-exporter logs to ensure there were no permissions errors thrown
  - running `helm template -g . --debug` in the chart dir and observing the output

  Signed-off-by: Gregory Whorley <greg@whorley.com>

* bump chart version

  Signed-off-by: Gregory Whorley <greg@whorley.com>

* fix param

  Signed-off-by: Gregory Whorley <greg@whorley.com>

* Update README.md with readme-generator-for-helm

  Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>

* change permissions back to original setting

  Signed-off-by: Gregory Whorley <greg@whorley.com>

---------

Signed-off-by: Gregory Whorley <greg@whorley.com>
Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com>
Signed-off-by: Juan José Martos <jotamartos@gmail.com>
Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com>
Co-authored-by: Juan José Martos <jotamartos@gmail.com>
1 parent d9ca920 commit 2ee5d69

4 files changed

+11
-4
lines changed

bitnami/kubernetes-event-exporter/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -31,4 +31,4 @@ maintainers:
3131
name: kubernetes-event-exporter
3232
sources:
3333
- https://github.com/bitnami/charts/tree/main/bitnami/kubernetes-event-exporter
34-
version: 2.8.3
34+
version: 2.9.0

bitnami/kubernetes-event-exporter/README.md

Lines changed: 1 addition & 0 deletions
@@ -93,6 +93,7 @@ The command removes all the Kubernetes components associated with the chart and
9393
| `config.receivers` | Array containing event receivers | `[]` |
9494
| `config.route.routes` | Array containing event route configuration | `[]` |
9595
| `rbac.create` | Create the RBAC roles for API accessibility | `true` |
96+
| `rbac.rules` | List of rules for the cluster role | `[]` |
9697
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
9798
| `serviceAccount.name` | Name of the service account to use. If not set and create is true, a name is generated using the fullname template. | `""` |
9899
| `serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `true` |
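
Review bot: The new `rbac.rules` row documents the default as `[]`, but the values.yaml hunk in this same commit ships a non-empty default (`apiGroups: ["*"]`, `resources: ["*"]`, verbs `get`, `watch`, `list`). Someone reading only this table would conclude that the chart grants nothing until rules are supplied. Since the commit message says the README is regenerated by readme-generator-for-helm, fix it at the source: extend the `@param rbac.rules` description in values.yaml to state the effective default (read access on all resources in all API groups) so the generated row does not understate what is granted.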

bitnami/kubernetes-event-exporter/templates/clusterrole.yaml

Lines changed: 3 additions & 3 deletions
@@ -13,7 +13,7 @@ metadata:
1313
annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
1414
{{- end }}
1515
rules:
16-
- apiGroups: ["*"]
17-
resources: ["*"]
18-
verbs: ["get", "watch", "list"]
16+
{{- range .Values.rbac.rules }}
17+
- {{ toYaml . | indent 4 | trim }}
18+
{{- end }}
1919
{{- end }}
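
Review bot: The added `range .Values.rbac.rules` loop has no guard for an empty or unset list. With `rbac.create: true` and `rbac.rules: []` the template renders a bare `rules:` key, so the ClusterRole is created with no permissions and the problem only shows up at runtime as authorization errors in the exporter logs. Either fail rendering in that case (Helm's `required` or `fail`) or state in the values.yaml comment that an empty list is a supported configuration. Two smaller points on the same lines: the rules are not passed through `common.tplvalues.render` the way `commonAnnotations` is on the context line above, so templated strings inside a rule will not be expanded, and the per-item `toYaml . | indent 4 | trim` could be a single `toYaml` over the whole list, which is easier to read and less sensitive to indentation.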

bitnami/kubernetes-event-exporter/values.yaml

Lines changed: 6 additions & 0 deletions
@@ -133,6 +133,12 @@ rbac:
133133
## @param rbac.create Create the RBAC roles for API accessibility
134134
##
135135
create: true
136+
## @param rbac.rules [array] List of rules for the cluster role
137+
##
138+
rules:
139+
- apiGroups: ["*"]
140+
resources: ["*"]
141+
verbs: ["get", "watch", "list"]
136142
## Pods Service Account
137143
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
138144
## @param serviceAccount.create Specifies whether a ServiceAccount should be created
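
Review bot: The default added under `rules:` is still `apiGroups: ["*"]` with `resources: ["*"]`, so an install with default values keeps the same cluster-wide read access the template previously hardcoded, and `get`/`list` on `*` covers Secrets as well. The commit message describes a default that follows least privilege, but its last step changes the permissions back to the original setting, so the narrowing now happens only when an operator overrides `rbac.rules`. Add a `##` comment above `rules:` that says the default is deliberately broad for backward compatibility and shows a narrower override, so users can tell this value is the place to tighten access.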
