From 30e9d8e9848c251e3ca4d75ac4d69fef7d441997 Mon Sep 17 00:00:00 2001
From: Debakel Orakel
Date: Mon, 13 Jan 2025 11:28:31 +0100
Subject: [PATCH] Fix aggregated ClusterRoles missing

With the migration to the kustomize rendering, the ClusterRoles used for users of VPA are missing.
---
component/main.jsonnet | 56 ++++++++++++++++++
.../20_aggregated_rbac.yaml | 59 +++++++++++++++++++
.../20_aggregated_rbac.yaml | 59 +++++++++++++++++++
3 files changed, 174 insertions(+)
create mode 100644 tests/golden/defaults/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml
create mode 100644 tests/golden/full/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml
diff --git a/component/main.jsonnet b/component/main.jsonnet
index 6a2c565..33fc765 100644
--- a/component/main.jsonnet
+++ b/component/main.jsonnet
@@ -79,9 +79,65 @@ local vpa_resources() = [
 for name in std.objectFields(params.autoscaler)
 ];
+local vpa_aggregated_roles = [
+ kube.ClusterRole('syn:vertical-pod-autoscaler:view') {
+ metadata+: {
+ labels+: {
+ 'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
+ 'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+ 'rbac.authorization.k8s.io/aggregate-to-view': 'true',
+ 'rbac.authorization.k8s.io/aggregate-to-cluster-reader': 'true',
+ },
+ },
+ rules: [
+ {
+ apiGroups: [ 'autoscaling.k8s.io' ],
+ resources: [ 'verticalpodautoscalers' ],
+ verbs: [ 'get', 'list', 'watch' ],
+ },
+ ],
+ },
+ kube.ClusterRole('syn:vertical-pod-autoscaler:edit') {
+ metadata+: {
+ labels+: {
+ 'rbac.authorization.k8s.io/aggregate-to-admin': 'true',
+ 'rbac.authorization.k8s.io/aggregate-to-edit': 'true',
+ },
+ },
+ rules: [
+ {
+ apiGroups: [ 'autoscaling.k8s.io' ],
+ resources: [ 'verticalpodautoscalers' ],
+ verbs: [
+ 'create',
+ 'delete',
+ 'deletecollection',
+ 'patch',
+ 'update',
+ ],
+ },
+ ],
+ },
+ kube.ClusterRole('syn:vertical-pod-autoscaler:cluster-reader') {
+ metadata+: {
+ labels+: {
+ 'rbac.authorization.k8s.io/aggregate-to-cluster-reader': 'true',
+ },
+ },
+ rules: [
+ {
+ apiGroups: [ 'autoscaling.k8s.io' ],
+ resources: [ 'verticalpodautoscalercheckpoints' ],
+ verbs: [ 'get', 'list', 'watch' ],
+ },
+ ],
+ },
+]; + // Define outputs below { + '00_namespace': namespace, + '20_aggregated_rbac': vpa_aggregated_roles, + [if params.allow_autoscaling then '50_vpa_certs']: [ cert_manager_issuer, cert_manager_cert ], + [if std.length(params.autoscaler) > 0 then '60_vpa_resources']: vpa_resources(),
diff --git a/tests/golden/defaults/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml b/tests/golden/defaults/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml
new file mode 100644
index 0000000..6f74e18
--- /dev/null
+++ b/tests/golden/defaults/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml
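Review bot: The new `vpa_aggregated_roles` list carries no comment explaining the intended split of permissions: `verticalpodautoscalercheckpoints` become readable only through the `cluster-reader` aggregation, while the namespace-scoped `view`/`edit`/`admin` roles receive `verticalpodautoscalers` alone, and a maintainer cannot tell from the code whether that asymmetry is deliberate. Suggest a header above `local vpa_aggregated_roles = [` such as `// Aggregated ClusterRoles for VPA users: view/edit/admin get verticalpodautoscalers, cluster-reader additionally gets verticalpodautoscalercheckpoints (restores the roles lost in the kustomize migration).` It is also worth stating that `syn:vertical-pod-autoscaler:edit` deliberately omits `get`/`list`/`watch` and relies on the `view` role aggregating into `edit` and `admin` for read access, so the two roles' labels are not changed independently. The output object that receives `'20_aggregated_rbac'` continues past the end of the hunk.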
@@ -0,0 +1,59 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: syn-vertical-pod-autoscaler-view + rbac.authorization.k8s.io/aggregate-to-admin: 'true' + rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true' + rbac.authorization.k8s.io/aggregate-to-edit: 'true' + rbac.authorization.k8s.io/aggregate-to-view: 'true' + name: syn:vertical-pod-autoscaler:view +rules: + - apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: syn-vertical-pod-autoscaler-edit + rbac.authorization.k8s.io/aggregate-to-admin: 'true' + rbac.authorization.k8s.io/aggregate-to-edit: 'true' + name: syn:vertical-pod-autoscaler:edit +rules: + - apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: syn-vertical-pod-autoscaler-cluster-reader + rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true' + name: syn:vertical-pod-autoscaler:cluster-reader +rules: + - apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalercheckpoints + verbs: + - get + - list + - watch
diff --git a/tests/golden/full/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml b/tests/golden/full/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml
new file mode 100644
index 0000000..6f74e18
--- /dev/null
+++ b/tests/golden/full/vertical-pod-autoscaler/vertical-pod-autoscaler/20_aggregated_rbac.yaml
@@ -0,0 +1,59 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: syn-vertical-pod-autoscaler-view + rbac.authorization.k8s.io/aggregate-to-admin: 'true' + rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true' + rbac.authorization.k8s.io/aggregate-to-edit: 'true' + rbac.authorization.k8s.io/aggregate-to-view: 'true' + name: syn:vertical-pod-autoscaler:view +rules: + - apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalers + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: syn-vertical-pod-autoscaler-edit + rbac.authorization.k8s.io/aggregate-to-admin: 'true' + rbac.authorization.k8s.io/aggregate-to-edit: 'true' + name: syn:vertical-pod-autoscaler:edit +rules: + - apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalers + verbs: + - create + - delete + - deletecollection + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: {} + labels: + name: syn-vertical-pod-autoscaler-cluster-reader + rbac.authorization.k8s.io/aggregate-to-cluster-reader: 'true' + name: syn:vertical-pod-autoscaler:cluster-reader +rules: + - apiGroups: + - autoscaling.k8s.io + resources: + - verticalpodautoscalercheckpoints + verbs: + - get + - list + - watch