feature: allow users to opt out of cluster scoped RBAC (#48)

Goldpinger optionally searches for Pods in every namespace, but used to
have unconditional cluster scoped RBAC to do so. Combined with the fact
that it's role refers to an unrestricted PSP, users should be able to
opt out of this cluster scoped binding.

This commit does a couple of things:
- splits `podsecuritypolicy.yaml` into `role.yaml` and
  `rolebinding.yaml`, so it's more like its cluster scoped equivalents
- make both cluster scoped as namespaced role/-binding optional

Signed-off-by: Jorik Jonker <[email protected]>

charts/goldpinger/Chart.yaml

@@ -11,4 +11,4 @@ name: goldpinger
 sources:
   - https://github.com/bloomberg/goldpinger
   - https://github.com/okgolove/helm-charts
-version: 5.0.0
+version: 5.0.1

charts/goldpinger/README.md

@@ -49,7 +49,8 @@ The following table lists the configurable parameters of the Goldpinger chart an
 | `image.repository`             | Goldpinger image                             | `bloomberg/goldpinger` |
 | `image.tag`                    | Goldpinger image tag                         | `3.2.0`                |
 | `pullPolicy`                   | Image pull policy                            | `IfNotPresent`         |
-| `rbac.create`                  | Install required rbac clusterrole            | `true`                 |
+| `rbac.create`                  | Install required rbac resources              | `true`                 |
+| `rbac.clusterscoped`           | Install optional cluster scoped rbac         | `true`                 |
 | `serviceAccount.create`        | Enable ServiceAccount creation               | `true`                 |
 | `serviceAccount.name`          | ServiceAccount for Goldpinger pods           | `default`              |
 | `goldpinger.port`              | Goldpinger app port listen to                | `80`                   |

charts/goldpinger/templates/clusterrole.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if and .Values.rbac.create .Values.rbac.clusterscoped }}
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

charts/goldpinger/templates/clusterrolebinding.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if and .Values.rbac.create .Values.rbac.clusterscoped }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

charts/goldpinger/templates/role.yaml

@@ -0,0 +1,21 @@
+{{- if or .Values.podSecurityPolicy.enabled (not .Values.rbac.clusterscoped) }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "goldpinger.fullname" . }}-pod-security-policy
+  labels:
+    {{- include "goldpinger.labels" . | nindent 4 }}
+rules:
+{{- if not .Values.rbac.clusterscoped }}
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["list"]
+{{- end }}
+{{- if .Values.podSecurityPolicy.enabled }}
+- apiGroups: ["extensions"]
+  resources: ["podsecuritypolicies"]
+  resourceNames: [{{ .Values.podSecurityPolicy.policyName | quote }}]
+  verbs: ["use"]
+{{- end }}
+{{- end }}

charts/goldpinger/templates/podsecuritypolicy.yaml → charts/goldpinger/templates/rolebinding.yaml

@@ -1,17 +1,4 @@
-{{- if .Values.podSecurityPolicy.enabled }}
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ include "goldpinger.fullname" . }}-pod-security-policy
-  labels:
-    {{- include "goldpinger.labels" . | nindent 4 }}
-rules:
-- apiGroups: ["extensions"]
-  resources: ["podsecuritypolicies"]
-  resourceNames: [{{ .Values.podSecurityPolicy.policyName | quote }}]
-  verbs: ["use"]
----
+{{- if or .Values.podSecurityPolicy.enabled (not .Values.rbac.clusterscoped) }}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:

charts/goldpinger/values.yaml

@@ -14,6 +14,7 @@ image:
 
 rbac:
   create: true
+  clusterscoped: true
 serviceAccount:
   create: true
   name: