Skip to content

Commit

Permalink
feat: readonly console (#2066)
Browse files Browse the repository at this point in the history
  • Loading branch information
@sathieu
sathieu committed Apr 18, 2024
1 parent 509b170 commit c07c650
Show file tree
Hide file tree
Showing 2 changed files with 68 additions and 25 deletions.
64 changes: 51 additions & 13 deletions helm/operator/templates/console-clusterrole.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,15 @@ rules:
- secrets
verbs:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- list
- patch
- update
- delete
- deletecollection
{{- end }}
- apiGroups:
- ""
resources:
Expand All @@ -27,79 +29,93 @@ rules:
- nodes
verbs:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- list
- patch
{{- end }}
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- list
- patch
- delete
- deletecollection
{{- end }}
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- deletecollection
- list
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- update
- deletecollection
{{- end }}
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- list
- patch
{{- end }}
- apiGroups:
- apps
resources:
- statefulsets
- deployments
verbs:
- get
- create
- list
- patch
- watch
{{- if not .Values.console.readOnly }}
- create
- patch
- update
- delete
{{- end }}
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- create
- list
- patch
- watch
{{- if not .Values.console.readOnly }}
- create
- patch
- update
- delete
{{- end }}
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
- certificatesigningrequests/approval
- certificatesigningrequests/status
verbs:
- get
- list
{{- if not .Values.console.readOnly }}
- update
- create
- get
- delete
- list
{{- end }}
- apiGroups:
- minio.min.io
resources:
Expand All @@ -111,7 +127,13 @@ rules:
resources:
- '*'
verbs:
{{- if not .Values.console.readOnly }}
- get
- list
- watch
{{- else }}
- '*'
{{- end }}
- apiGroups:
- ""
resources:
Expand All @@ -120,8 +142,10 @@ rules:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- delete
{{- end }}
- apiGroups:
- ""
resources:
Expand All @@ -130,17 +154,21 @@ rules:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- update
{{- end }}
- apiGroups:
- ""
resources:
- events
verbs:
- create
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- update
- patch
{{- end }}
- apiGroups:
- snapshot.storage.k8s.io
resources:
Expand Down Expand Up @@ -179,9 +207,11 @@ rules:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- update
- delete
{{- end }}
- apiGroups:
- coordination.k8s.io
resources:
Expand All @@ -190,9 +220,11 @@ rules:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- update
- delete
{{- end }}
- apiGroups:
- direct.csi.min.io
resources:
Expand All @@ -201,9 +233,11 @@ rules:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- update
- delete
{{- end }}
- apiGroups:
- apiextensions.k8s.io
resources:
Expand All @@ -212,9 +246,11 @@ rules:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- update
- delete
{{- end }}
- apiGroups:
- direct.csi.min.io
resources:
Expand All @@ -224,9 +260,11 @@ rules:
- get
- list
- watch
{{- if not .Values.console.readOnly }}
- create
- update
- delete
{{- end }}
- apiGroups:
- ""
resources:
Expand Down
29 changes: 17 additions & 12 deletions helm/operator/values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ operator:
###
# An array of environment variables to pass to the Operator deployment.
# Pass an empty array to start Operator with defaults.
#
#
# For example:
#
# .. code-block:: yaml
Expand All @@ -21,7 +21,7 @@ operator:
# - name: WATCHED_NAMESPACE
# value: ""
# - name: MINIO_OPERATOR_RUNTIME
# value: "OpenShift"
# value: "OpenShift"
#
# See `Operator environment variables <https://github.com/minio/operator/blob/master/docs/env-variables.md>`__ for a list of all supported values.
# If MINIO_CONSOLE_TLS_ENABLE is enabled, utilize port 9443 for console.ingress.number.
Expand All @@ -34,19 +34,19 @@ operator:
serviceAccountAnnotations: []
###
# Specify the Operator container image to use for the deployment.
# ``image.tag``
# ``image.tag``
# For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.14 tag.
# The container pulls the image if not already present:
#
# .. code-block:: yaml
#
#
# image:
# repository: quay.io/minio/operator
# tag: v5.0.14
# pullPolicy: IfNotPresent
#
# The chart also supports specifying an image based on digest value:
#
#
# .. code-block:: yaml
#
# image:
Expand Down Expand Up @@ -102,7 +102,7 @@ operator:
volumes: [ ]
###
# An array of volume mount points associated to each Operator container.
#
#
# Specify each item in the array as follows:
#
# .. code-block:: yaml
Expand Down Expand Up @@ -152,7 +152,7 @@ operator:
# These settings determine the distribution of pods across worker nodes.
topologySpreadConstraints: [ ]
###
#
#
# The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Operator pods.
#
# These settings can control the minimum and maximum resources requested for each pod.
Expand All @@ -173,19 +173,19 @@ console:
enabled: true
###
# Specify the Operator Console container image to use for the deployment.
# ``image.tag``
# ``image.tag``
# For example, the following sets the image to the ``quay.io/minio/operator`` repo and the v5.0.14 tag.
# The container pulls the image if not already present:
#
# .. code-block:: yaml
#
#
# image:
# repository: quay.io/minio/operator
# tag: v5.0.14
# pullPolicy: IfNotPresent
#
# The chart also supports specifying an image based on digest value:
#
#
# .. code-block:: yaml
#
# image:
Expand Down Expand Up @@ -257,7 +257,7 @@ console:
# These settings determine the distribution of pods across worker nodes.
topologySpreadConstraints: [ ]
###
#
#
# The `Requests or Limits <https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/>`__ for resources to associate to Operator Console pods.
#
# These settings can control the minimum and maximum resources requested for each pod.
Expand All @@ -279,6 +279,11 @@ console:
containerSecurityContext:
runAsUser: 1000
runAsNonRoot: true

###
# Forbid write permissions
readOnly: false

###
# Configures `Ingress <https://kubernetes.io/docs/concepts/services-networking/ingress/>`__ for the Operator Console.
#
Expand All @@ -304,7 +309,7 @@ console:
emptyDir: {}
###
# An array of volume mount points associated to each Operator Console container.
#
#
# Specify each item in the array as follows:
#
# .. code-block:: yaml
Expand Down

0 comments on commit c07c650

Please sign in to comment.