align UI chart rbac with operator and update doc

charts/postgres-operator-ui/templates/clusterrole.yaml

@@ -0,0 +1,52 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "postgres-operator-ui.serviceAccountName" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
+    helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+rules:
+- apiGroups:
+  - acid.zalan.do
+  resources:
+  - postgresqls
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - apps
+  resources:
+  - statefulsets
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - namespaces
+  verbs:
+  - get
+  - list
+{{ end }}

charts/postgres-operator-ui/templates/clusterrolebinding.yaml

@@ -0,0 +1,19 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "postgres-operator-ui.serviceAccountName" . }}
+  labels:
+    app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
+    helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "postgres-operator-ui.serviceAccountName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "postgres-operator-ui.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+{{ end }}

charts/postgres-operator-ui/templates/deployment.yaml

@@ -20,7 +20,7 @@ spec:
         app.kubernetes.io/instance: {{ .Release.Name }}
         team: "acid" # Parameterize?
     spec:
-      serviceAccountName: {{ template "postgres-operator-ui.name" . }}
+      serviceAccountName: {{ include "postgres-operator-ui.serviceAccountName" . }}
       containers:
         - name: "service"
           image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}"

charts/postgres-operator-ui/templates/serviceaccount.yaml

@@ -1,81 +1,11 @@
+{{ if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: {{ template "postgres-operator-ui.name" . }}
+  name: {{ include "postgres-operator-ui.serviceAccountName" . }}
   labels:
     app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
     helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
     app.kubernetes.io/instance: {{ .Release.Name }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ template "postgres-operator-ui.name" . }}
-  labels:
-    app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
-    helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-rules:
-- apiGroups:
-  - acid.zalan.do
-  resources:
-  - postgresqls
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - apps
-  resources:
-  - statefulsets
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - namespaces
-  verbs:
-  - get
-  - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ template "postgres-operator-ui.name" . }}
-  labels:
-    app.kubernetes.io/name: {{ template "postgres-operator-ui.name" . }}
-    helm.sh/chart: {{ template "postgres-operator-ui.chart" . }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ template "postgres-operator-ui.name" . }}
-subjects:
-- kind: ServiceAccount
-# note: the cluster role binding needs to be defined
-# for every namespace the operator-ui service account lives in.
-  name: {{ template "postgres-operator-ui.name" . }}
-  namespace: {{ .Release.Namespace }}
+{{ end }}

charts/postgres-operator-ui/values.yaml

@@ -11,6 +11,17 @@ image:
   tag: v1.2.0
   pullPolicy: "IfNotPresent"
 
+rbac:
+  # Specifies whether RBAC resources should be created
+  create: true
+
+serviceAccount:
+  # Specifies whether a ServiceAccount should be created
+  create: true
+  # The name of the ServiceAccount to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+
 # configure UI pod resources
 resources:
   limits:

charts/postgres-operator/templates/clusterrole-postgres-pod.yaml

@@ -0,0 +1,53 @@
+{{ if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: postgres-pod
+  labels:
+    app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
+    helm.sh/chart: {{ template "postgres-operator.chart" . }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+rules:
+# Patroni needs to watch and manage endpoints
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# Patroni needs to watch pods
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+# to let Patroni create a headless service
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+# to run privileged pods
+- apiGroups:
+  - extensions
+  resources:
+  - podsecuritypolicies
+  resourceNames:
+  - privileged
+  verbs:
+  - use
+{{ end }}

charts/postgres-operator/templates/clusterrole.yaml

@@ -178,57 +178,4 @@ rules:
   - list
   - patch
   - update
----
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: postgres-pod
-  labels:
-    app.kubernetes.io/name: {{ template "postgres-operator.name" . }}
-    helm.sh/chart: {{ template "postgres-operator.chart" . }}
-    app.kubernetes.io/managed-by: {{ .Release.Service }}
-    app.kubernetes.io/instance: {{ .Release.Name }}
-rules:
-# Patroni needs to watch and manage endpoints
-- apiGroups:
-  - ""
-  resources:
-  - endpoints
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
-# Patroni needs to watch pods
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-  - patch
-  - update
-  - watch
-# to let Patroni create a headless service
-- apiGroups:
-  - ""
-  resources:
-  - services
-  verbs:
-  - create
-# to run privileged pods
-- apiGroups:
-  - extensions
-  resources:
-  - podsecuritypolicies
-  resourceNames:
-  - privileged
-  verbs:
-  - use
 {{ end }}

charts/postgres-operator/templates/clusterrolebinding.yaml

@@ -14,8 +14,6 @@ roleRef:
   name: {{ include "postgres-operator.serviceAccountName" . }}
 subjects:
 - kind: ServiceAccount
-# note: the cluster role binding needs to be defined
-# for every namespace the postgres-pod service account lives in.
   name: {{ include "postgres-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
 {{ end }}

docs/administrator.md

@@ -99,8 +99,9 @@ access rights.
 
 The manifest [`operator-service-account-rbac.yaml`](../manifests/operator-service-account-rbac.yaml)
 defines the service account, cluster roles and bindings needed for the operator
-to function under access control restrictions. To deploy the operator with this
-RBAC policy use:
+to function under access control restrictions. The file also includes a cluster
+role `postgres-pod` with privileges for Patroni to watch and manage pods and
+endpoints. To deploy the operator with this RBAC policies use:
 
 ```bash
 kubectl create -f manifests/configmap.yaml
@@ -109,13 +110,12 @@ kubectl create -f manifests/postgres-operator.yaml
 kubectl create -f manifests/minimal-postgres-manifest.yaml
 ```
 
-### Namespaced service account and roles
+### Namespaced service account and role binding
 
 For each namespace the operator watches it creates (or reads) a service account
-to be used by the Postgres Pods when a new cluster is deployed. This service
-account is bound to a ClusterRole via RoleBinding, which are also created (or
-read) by the operator. The name and definitions of these resources can be
-[configured](reference/operator_parameters.md#kubernetes-resources).
+and role binding to be used by the Postgres Pods. The service account is bound
+to the `postgres-pod` cluster role. The name and definitions of these resources
+can be [configured](reference/operator_parameters.md#kubernetes-resources).
 Note, that the operator performs **no** further syncing of namespaced service
 accounts and role bindings.
 

ui/manifests/ui-service-account-rbac.yaml

@@ -61,7 +61,5 @@ roleRef:
   name: postgres-operator-ui
 subjects:
 - kind: ServiceAccount
-# note: the cluster role binding needs to be defined
-# for every namespace the operator-ui service account lives in.
   name: postgres-operator-ui
   namespace: default