diff --git a/charts/dataplane/templates/operator/configmap.yaml b/charts/dataplane/templates/operator/configmap.yaml index 2b4032ce..8384d401 100644 --- a/charts/dataplane/templates/operator/configmap.yaml +++ b/charts/dataplane/templates/operator/configmap.yaml @@ -81,6 +81,13 @@ data: {{- with .Values.config.operator.secretsWatcher }} secretsWatcher: {{- tpl (toYaml .) $ | nindent 8 }} + {{- if and $.Values.low_privilege (not .namespaces) }} + namespaces: + - {{ $.Release.Namespace }} + {{- if $.Values.controlplaneNamespace }} + - {{ $.Values.controlplaneNamespace }} + {{- end }} + {{- end }} {{- end }} {{- if and (not .Values.config.operator.org) .Values.namespace_mapping }} org: diff --git a/charts/dataplane/templates/operator/serviceaccount.yaml b/charts/dataplane/templates/operator/serviceaccount.yaml index c14a0f15..6b8e7fc3 100644 --- a/charts/dataplane/templates/operator/serviceaccount.yaml +++ b/charts/dataplane/templates/operator/serviceaccount.yaml @@ -78,6 +78,19 @@ rules: - create - update - delete + {{- end }} + {{- if .Values.config.operator.secretsWatcher.enabled }} + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - list + - watch + - update + - patch {{- end }} {{- end }} --- @@ -95,6 +108,53 @@ subjects: - kind: ServiceAccount name: {{ include "operator.serviceAccountName" . }} namespace: {{ .Release.Namespace }} +{{- if and .Values.low_privilege .Values.config.operator.secretsWatcher.enabled .Values.controlplaneNamespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ $roleName }}-secrets-watcher + namespace: {{ .Values.controlplaneNamespace }} + labels: + {{- include "operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - pods + - secrets + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - list + - watch + - update + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ $roleName }}-secrets-watcher + namespace: {{ .Values.controlplaneNamespace }} + labels: + {{- include "operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ $roleName }}-secrets-watcher +subjects: + - kind: ServiceAccount + name: {{ include "operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} --- {{- if .Values.low_privilege }} {{- else }} diff --git a/charts/dataplane/values.aws.selfhosted-intracluster.yaml b/charts/dataplane/values.aws.selfhosted-intracluster.yaml index b2a6654d..e72beea5 100644 --- a/charts/dataplane/values.aws.selfhosted-intracluster.yaml +++ b/charts/dataplane/values.aws.selfhosted-intracluster.yaml @@ -597,6 +597,9 @@ flytepropellerwebhook: {} # EKS manages controller-manager, scheduler, etcd, and kube-proxy internally. # Their metrics endpoints are not accessible from within the cluster. +# -- Control plane namespace for cross-namespace RBAC (secretsWatcher). +controlplaneNamespace: "union-cp" + # Disable scraping and alerting rules for these components to avoid # false-positive TargetDown and *Down alerts. monitoring: diff --git a/charts/dataplane/values.gcp.selfhosted-intracluster.yaml b/charts/dataplane/values.gcp.selfhosted-intracluster.yaml index bdc5e9cd..7d20cfa0 100644 --- a/charts/dataplane/values.gcp.selfhosted-intracluster.yaml +++ b/charts/dataplane/values.gcp.selfhosted-intracluster.yaml @@ -463,3 +463,6 @@ flytepropeller: priorityClassName: "" flytepropellerwebhook: {} + +# -- Control plane namespace for cross-namespace RBAC (secretsWatcher). +controlplaneNamespace: "union-cp" diff --git a/charts/dataplane/values.yaml b/charts/dataplane/values.yaml index ce3b6dcd..37e4401a 100644 --- a/charts/dataplane/values.yaml +++ b/charts/dataplane/values.yaml @@ -1666,6 +1666,10 @@ prometheus: # require additional permissions on the cluster. This limits the functionality though. low_privilege: true +# -- Namespace of the control plane (for selfhosted-intracluster mode). +# When set and secretsWatcher is enabled, RBAC roles are created in this namespace for cross-namespace access. +controlplaneNamespace: "" + # -- When enabled, creates a single shared ServiceAccount for all components # (operator, executor, proxy, webhook, fluentbit) instead of individual ones. # Automatically enabled when singleNamespace mode is active.