fix: rbac creation is inconsistent for admission webhook

see https://gravitee.atlassian.net/browse/GKO-951 see https://gravitee.atlassian.net/browse/GKO-952 (cherry picked from commit 8fedc93)
gravitee-io · Jan 24, 2025 · 00608c1 · 00608c1
1 parent c38c46e
commit 00608c1
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 29 deletions.
diff --git a/helm/gko/templates/_helpers.tpl b/helm/gko/templates/_helpers.tpl
@@ -124,7 +124,7 @@ Create the name of the service account to use
  Create the name of the manager role for Validation Webhook patch
  */}}
 {{- define "rbac.AdmissionWebhookRoleName" -}}
-   {{ template "rbac.serviceAccountName" . }}-validation-webhook-role
+   {{ template "rbac.serviceAccountName" . }}-validation-webhook-cluster-role
 {{- end }}
 
 {{/*
@@ -174,4 +174,4 @@ Create the name of the service account to use
  */}}
 {{- define "ingress.Classes" -}}
 {{- join "," .Values.ingress.ingressClasses }}
-{{- end -}}
+{{- end -}}
diff --git a/.../rbac/admission-webhook-role-binding.yaml → ...mission-webhook-cluster-role-binding.yaml b/.../rbac/admission-webhook-role-binding.yaml → ...mission-webhook-cluster-role-binding.yaml
@@ -14,9 +14,10 @@
 
 {{- if .Values.rbac.create }}
 {{- if .Values.manager.webhook.enabled }}
+{{- if not .Values.rbac.skipClusterRoles }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
 metadata:
   name: {{ template "rbac.AdmissionWebhookRoleBindingName" . }}
   namespace: '{{ .Release.Namespace }}'
@@ -30,11 +31,12 @@ metadata:
     meta.helm.sh/release-namespace: {{ .Release.Namespace }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
+  kind: ClusterRole
   name: {{ template "rbac.AdmissionWebhookRoleName" . }}
 subjects:
   - kind: ServiceAccount
     name: {{ template "rbac.serviceAccountName" . }}
     namespace: '{{ .Release.Namespace }}'
 {{- end }}
 {{- end }}
+{{- end }}
diff --git a/...emplates/rbac/admission-webhook-role.yaml → .../rbac/admission-webhook-cluster-role.yaml b/...emplates/rbac/admission-webhook-role.yaml → .../rbac/admission-webhook-cluster-role.yaml
@@ -14,9 +14,10 @@
 
 {{- if .Values.rbac.create }}
 {{- if .Values.manager.webhook.enabled }}
+{{- if not .Values.rbac.skipClusterRoles }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
   name: {{ template "rbac.AdmissionWebhookRoleName" . }}
   namespace: '{{ .Release.Namespace }}'
@@ -33,9 +34,20 @@ rules:
       - admissionregistration.k8s.io
     resources:
       - validatingwebhookconfigurations
+    verbs:
+      - get
+      - update
+    resourceNames:
+      - gko-validating-webhook-configurations
+  - apiGroups:
+      - admissionregistration.k8s.io
+    resources:
       - mutatingwebhookconfigurations
     verbs:
       - get
       - update
+    resourceNames:
+      - gko-mutating-webhook-configurations
+{{- end }}
 {{- end }}
 {{- end }}
diff --git a/helm/gko/templates/rbac/resource-patch-cluster-role.yaml b/helm/gko/templates/rbac/resource-patch-cluster-role.yaml
@@ -29,24 +29,6 @@ metadata:
     meta.helm.sh/release-name: {{ .Release.Name }}
     meta.helm.sh/release-namespace: {{ .Release.Namespace }}
 rules:
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - validatingwebhookconfigurations
-    verbs:
-      - get
-      - update
-    resourceNames:
-      - gko-validating-webhook-configurations
-  - apiGroups:
-      - admissionregistration.k8s.io
-    resources:
-      - mutatingwebhookconfigurations
-    verbs:
-      - get
-      - update
-    resourceNames:
-      - gko-mutating-webhook-configurations
   - apiGroups:
       - apiextensions.k8s.io
     resources:

diff --git a/...validation-webhook-role-binding_test.yaml → ...on-webhook-cluster-role-binding_test.yaml b/...validation-webhook-role-binding_test.yaml → ...on-webhook-cluster-role-binding_test.yaml
@@ -14,19 +14,19 @@
 
 suite: validation webhook role binding
 templates:
-  - "rbac/admission-webhook-role-binding.yaml"
+  - "rbac/admission-webhook-cluster-role-binding.yaml"
 tests:
   - it: Should have role binding
     asserts:
       - hasDocuments:
           count: 1
       - isKind:
-          of: RoleBinding
+          of: ClusterRoleBinding
       - isAPIVersion:
           of: rbac.authorization.k8s.io/v1
       - equal:
           path: metadata.name
-          value: gko-controller-manager-validation-webhook-role-binding
+          value: gko-controller-manager-validation-webhook-cluster-role-binding
       - equal:
           path: metadata.namespace
           value: NAMESPACE

diff --git a/...ts/rbac/validation-webhook-role_test.yaml → ...validation-webhook-cluster-role_test.yaml b/...ts/rbac/validation-webhook-role_test.yaml → ...validation-webhook-cluster-role_test.yaml
@@ -14,19 +14,19 @@
 
 suite: validation webhook role
 templates:
-  - "rbac/admission-webhook-role.yaml"
+  - "rbac/admission-webhook-cluster-role.yaml"
 tests:
   - it: Should have role
     asserts:
       - hasDocuments:
           count: 1
       - isKind:
-          of: Role
+          of: ClusterRole
       - isAPIVersion:
           of: rbac.authorization.k8s.io/v1
       - equal:
           path: metadata.name
-          value: gko-controller-manager-validation-webhook-role
+          value: gko-controller-manager-validation-webhook-cluster-role
       - equal:
           path: metadata.namespace
           value: NAMESPACE