fix: disable ClusterRole and ClusterRoleBinding when not needed

traefik · Oct 19, 2023 · 14d4895 · 14d4895
1 parent 1cc6271
commit 14d4895
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 2 deletions.
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.enabled -}}
+{{- if and .Values.rbac.enabled (or .Values.providers.kubernetesIngress.enabled (not .Values.rbac.namespaced)) -}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/traefik/templates/rbac/clusterrolebinding.yaml b/traefik/templates/rbac/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.enabled -}}
+{{- if and .Values.rbac.enabled (or .Values.providers.kubernetesIngress.enabled (not .Values.rbac.namespaced)) -}}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -85,6 +85,20 @@ tests:
           path: metadata.name
           pattern: ^.*-NAMESPACE$
         template: rbac/clusterrolebinding.yaml
+  - it: should not create cluster scoped RBAC related objects when namespaced and not using ingressclass
+    set:
+      rbac:
+        namespaced: true
+      providers:
+        kubernetesIngress:
+          enabled: false
+    asserts:
+      - hasDocuments:
+          count: 0
+        template: rbac/clusterrole.yaml
+      - hasDocuments:
+          count: 0
+        template: rbac/clusterrolebinding.yaml
 
   - it: should use existing ServiceAccount
     set: