chart: Restricting the RBAC rules on secrets (#2265)

Co-authored-by: Waldek Herka <wherka-ama@users.noreply.github.com>
Co-authored-by: Yusuke Kuoka <ykuoka@gmail.com>
Waldek Herka 2023-03-28 01:43:33 +02:00 committed by GitHub
parent 362fa5d52e
commit 13802c5a6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 52 additions and 15 deletions


@ -61,6 +61,9 @@ if [ "${tool}" == "helm" ]; then
flags+=( --set githubWebhookServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET}) flags+=( --set githubWebhookServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET})
flags+=( --set actionsMetricsServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET}) flags+=( --set actionsMetricsServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET})
fi fi
if [ "${WATCH_NAMESPACE}" != "" ]; then
flags+=( --set watchNamespace=${WATCH_NAMESPACE} --set singleNamespace=true)
fi
if [ "${CHART_VERSION}" != "" ]; then if [ "${CHART_VERSION}" != "" ]; then
flags+=( --version ${CHART_VERSION}) flags+=( --version ${CHART_VERSION})
fi fi
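Review bot: The new line `flags+=( --set watchNamespace=${WATCH_NAMESPACE} --set singleNamespace=true)` sets top-level chart values, while the templates added in this same commit branch on `.Values.scope.singleNamespace`; unless the chart also reads the top-level keys (not visible here), this passes a watch namespace without switching the RBAC templates to Role/RoleBinding, so the acceptance run would still exercise the ClusterRole path. If the chart's keys live under `scope`, the line should read `flags+=( --set scope.watchNamespace=${WATCH_NAMESPACE} --set scope.singleNamespace=true)`. The enclosing `if [ "${tool}" == "helm" ]` block starts before this hunk.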


@ -250,14 +250,6 @@ rules:
- patch - patch
- update - update
- watch - watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- if .Values.runner.statusUpdateHook.enabled }} {{- if .Values.runner.statusUpdateHook.enabled }}
- apiGroups: - apiGroups:
- "" - ""
@ -311,11 +303,4 @@ rules:
- list - list
- create - create
- delete - delete
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
{{- end }} {{- end }}


@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.scope.singleNamespace }}
kind: RoleBinding
{{- else }}
kind: ClusterRoleBinding
{{- end }}
metadata:
name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
{{- if .Values.scope.singleNamespace }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
subjects:
- kind: ServiceAccount
name: {{ include "actions-runner-controller.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
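Review bot: `namespace: {{ .Release.Namespace }}` under `metadata` near the top of this template is rendered even when the `else` branch emits a ClusterRoleBinding, which is cluster-scoped; the API server discards the field for cluster-scoped kinds, but the rendered manifest is misleading, so wrap it in the same `{{- if .Values.scope.singleNamespace }}` guard used for `kind`. Separately, in the single-namespace case the role reference and the subject are both pinned to `.Release.Namespace`, while the acceptance script in this commit passes a separate watch namespace; if the chart allows the watched namespace to differ from the release namespace, the service account would not be granted secret access there. Confirm against the existing manager role binding template, which is not part of this diff.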


@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
{{- if .Values.scope.singleNamespace }}
kind: Role
{{- else }}
kind: ClusterRole
{{- end }}
metadata:
creationTimestamp: null
name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
{{- if .Values.rbac.allowGrantingKubernetesContainerModePermissions }}
{{/* These permissions are required by ARC to create RBAC resources for the runner pod to use the kubernetes container mode. */}}
{{/* See https://github.com/actions/actions-runner-controller/pull/1268/files#r917331632 */}}
- create
- delete
{{- end }}
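Review bot: Nothing in this template records why secrets are split out of the manager role, and in the `ClusterRole` branch the rule still grants `get`/`list`/`watch` on every Secret in the cluster, so the restriction named in the commit title only takes effect when `scope.singleNamespace` is true. A leading template comment such as `{{/* Secrets access lives in its own role and binding so it can be scoped or replaced independently of the manager role; in cluster scope it still covers all Secrets. */}}` would make both the intent and the remaining cluster-wide grant visible to chart users. `creationTimestamp: null` under `metadata` is generator residue that adds nothing to a hand-written template, though it may be kept for consistency with the chart's other templates.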


@ -416,6 +416,7 @@ type env struct {
admissionWebhooksTimeout string admissionWebhooksTimeout string
imagePullSecretName string imagePullSecretName string
imagePullPolicy string imagePullPolicy string
watchNamespace string
vars vars vars vars
VerifyTimeout time.Duration VerifyTimeout time.Duration
@ -558,6 +559,8 @@ func initTestEnv(t *testing.T, k8sMinorVer string, vars vars) *env {
e.imagePullPolicy = "IfNotPresent" e.imagePullPolicy = "IfNotPresent"
} }
e.watchNamespace = testing.Getenv(t, "TEST_WATCH_NAMESPACE", "")
if e.remoteKubeconfig == "" { if e.remoteKubeconfig == "" {
e.Kind = testing.StartKind(t, k8sMinorVer, testing.Preload(images...)) e.Kind = testing.StartKind(t, k8sMinorVer, testing.Preload(images...))
e.Env.Kubeconfig = e.Kind.Kubeconfig() e.Env.Kubeconfig = e.Kind.Kubeconfig()
@ -729,6 +732,7 @@ func (e *env) installActionsRunnerController(t *testing.T, repo, tag, testID, ch
"ADMISSION_WEBHOOKS_TIMEOUT=" + e.admissionWebhooksTimeout, "ADMISSION_WEBHOOKS_TIMEOUT=" + e.admissionWebhooksTimeout,
"IMAGE_PULL_SECRET=" + e.imagePullSecretName, "IMAGE_PULL_SECRET=" + e.imagePullSecretName,
"IMAGE_PULL_POLICY=" + e.imagePullPolicy, "IMAGE_PULL_POLICY=" + e.imagePullPolicy,
"WATCH_NAMESPACE=" + e.watchNamespace,
} }
if e.useApp { if e.useApp {
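Review bot: The new `watchNamespace` field joins the undocumented fields of `env`, and its effect is not obvious from the name: with the default `""` from `testing.Getenv(t, "TEST_WATCH_NAMESPACE", "")` the acceptance run never installs the chart in single-namespace mode, so the Role/RoleBinding branch of the templates added in this commit is exercised only when the variable is set explicitly. A field comment like `// watchNamespace comes from TEST_WATCH_NAMESPACE; when non-empty, deploy.sh installs the chart in single-namespace mode for this namespace, otherwise the cluster-scoped RBAC path is what gets tested.` would capture that. The `env` struct and the `initTestEnv` and `installActionsRunnerController` bodies extend beyond these hunks.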