chart: Restricting the RBAC rules on secrets (#2265)

Co-authored-by: Waldek Herka <wherka-ama@users.noreply.github.com> Co-authored-by: Yusuke Kuoka <ykuoka@gmail.com>
2023-03-28 01:43:33 +02:00 · 2023-03-28 01:43:33 +02:00 · 13802c5a6d
parent 362fa5d52e
commit 13802c5a6d
5 changed files with 52 additions and 15 deletions
--- a/acceptance/deploy.sh
+++ b/acceptance/deploy.sh
@ -61,6 +61,9 @@ if [ "${tool}" == "helm" ]; then
    flags+=( --set githubWebhookServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET})
    flags+=( --set actionsMetricsServer.imagePullSecrets[0].name=${IMAGE_PULL_SECRET})
  fi
+  if [ "${WATCH_NAMESPACE}" != "" ]; then
+    flags+=( --set watchNamespace=${WATCH_NAMESPACE} --set singleNamespace=true)
+  fi
  if [ "${CHART_VERSION}" != "" ]; then
    flags+=( --version ${CHART_VERSION})
  fi
--- a/charts/actions-runner-controller/templates/manager_role.yaml
+++ b/charts/actions-runner-controller/templates/manager_role.yaml
@ -250,14 +250,6 @@ rules:
  - patch
  - update
  - watch
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - watch
 {{- if .Values.runner.statusUpdateHook.enabled }}
 - apiGroups:
  - ""
@ -311,11 +303,4 @@ rules:
  - list
  - create
  - delete
- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - create
-  - delete
 {{- end }}
--- a/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_binding_secrets.yaml
@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.scope.singleNamespace }}
+kind: RoleBinding
+{{- else }}
+kind: ClusterRoleBinding
+{{- end }}
+metadata:
+  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  {{- if .Values.scope.singleNamespace }}
+  kind: Role
+  {{- else }}
+  kind: ClusterRole
+  {{- end }}
+  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
+subjects:
+- kind: ServiceAccount
+  name: {{ include "actions-runner-controller.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
--- a/charts/actions-runner-controller/templates/manager_role_secrets.yaml
+++ b/charts/actions-runner-controller/templates/manager_role_secrets.yaml
@ -0,0 +1,24 @@
+apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.scope.singleNamespace }}
+kind: Role
+{{- else }}
+kind: ClusterRole
+{{- end }}
+metadata:
+  creationTimestamp: null
+  name: {{ include "actions-runner-controller.managerRoleName" . }}-secrets
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+{{- if .Values.rbac.allowGrantingKubernetesContainerModePermissions }}
+{{/* These permissions are required by ARC to create RBAC resources for the runner pod to use the kubernetes container mode. */}}
+{{/* See https://github.com/actions/actions-runner-controller/pull/1268/files#r917331632 */}}
+  - create
+  - delete
+{{- end }}
--- a/test/e2e/e2e_test.go
+++ b/test/e2e/e2e_test.go
@ -416,6 +416,7 @@ type env struct {
 	admissionWebhooksTimeout                    string
 	imagePullSecretName                         string
 	imagePullPolicy                             string
+	watchNamespace                              string

 	vars          vars
 	VerifyTimeout time.Duration
@ -558,6 +559,8 @@ func initTestEnv(t *testing.T, k8sMinorVer string, vars vars) *env {
 		e.imagePullPolicy = "IfNotPresent"
 	}

+	e.watchNamespace = testing.Getenv(t, "TEST_WATCH_NAMESPACE", "")
+
 	if e.remoteKubeconfig == "" {
 		e.Kind = testing.StartKind(t, k8sMinorVer, testing.Preload(images...))
 		e.Env.Kubeconfig = e.Kind.Kubeconfig()
@ -729,6 +732,7 @@ func (e *env) installActionsRunnerController(t *testing.T, repo, tag, testID, ch
 		"ADMISSION_WEBHOOKS_TIMEOUT=" + e.admissionWebhooksTimeout,
 		"IMAGE_PULL_SECRET=" + e.imagePullSecretName,
 		"IMAGE_PULL_POLICY=" + e.imagePullPolicy,
+		"WATCH_NAMESPACE=" + e.watchNamespace,
 	}

 	if e.useApp {