Adds support for allowed-namespaces to kubetail chart (#45)

charts/kubetail/Chart.yaml

@@ -8,8 +8,8 @@ keywords:
 - private
 - realtime
 type: application
-version: 0.4.5
-appVersion: "0.4.6"
+version: 0.5.0
+appVersion: "0.5.1"
 home: https://github.com/kubetail-org/kubetail
 maintainers:
 - email: andres@kubetail.com

charts/kubetail/README.md

@@ -56,6 +56,7 @@ These are the configurable parameters for the kubetail chart and their default v
 |                                                        |          |                                        |                   |
 | KUBETAIL:                                              |          |                                        |                   |
 | `kubetail.authMode`                                    | string   | Auth mode (token, cluster, local)      | "cluster"         |
+| `kubetail.allowedNamespaces`                           | array    | Restricted namespaces                  | []                |
 | `kubetail.config`                                      | string   | Kubetail dashboard config contents     | *See values.yaml* |
 | `kubetail.image.registry`                              | string   | Image registry                         | docker.io         |
 | `kubetail.image.repository`                            | string   | Image repository                       | kubetail/kubetail |

charts/kubetail/templates/_helpers.tpl

@@ -79,6 +79,13 @@ ClusterRole name
 {{ if .Values.kubetail.clusterRole.name }}{{ .Values.kubetail.clusterRole.name }}{{ else }}{{ include "kubetail.fullname" . }}{{ end }}
 {{- end }}
 
+{{/*
+Role name
+*/}}
+{{- define "kubetail.roleName" -}}
+{{ if .Values.kubetail.role.name }}{{ .Values.kubetail.role.name }}{{ else }}{{ include "kubetail.fullname" . }}{{ end }}
+{{- end }}
+
 {{/*
 ConfigMap name
 */}}
@@ -113,6 +120,10 @@ Kubetail config
 {{- define "kubetail.config" -}}
 addr: :{{ .Values.kubetail.podTemplate.port }}
 auth-mode: {{ .Values.kubetail.authMode }}
+{{- with .Values.kubetail.allowedNamespaces }}
+allowed-namespaces: 
+{{- toYaml . | nindent 0 }}
+{{- end }}
 {{- with .Values.kubetail.config }}
 {{- tpl . $ | nindent 0 }}
 {{- end }}

charts/kubetail/templates/rbac.yaml

@@ -0,0 +1,95 @@
+{{- if eq .Values.kubetail.authMode "cluster" }}
+{{- $cr := index .Values "kubetail" "clusterRole" -}}
+{{- $crb := index .Values "kubetail" "clusterRoleBinding" -}}
+{{- $r := index .Values "kubetail" "role" -}}
+{{- $rb := index .Values "kubetail" "roleBinding" -}}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $cr.name | default (include "kubetail.fullname" .) }}
+  labels:
+    {{- include "kubetail.labels" . | nindent 4 }}
+    {{- with $cr.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with $cr.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+rules:
+{{- if .Values.kubetail.allowedNamespaces }}
+- apiGroups: [""]
+  resources: [namespaces, nodes]
+  verbs: [get, list, watch]
+{{- else }}
+- apiGroups: ["", apps, batch]
+  resources: [cronjobs, daemonsets, deployments, jobs, namespaces, nodes, pods, pods/log, replicasets, statefulsets]
+  verbs: [get, list, watch]
+{{- end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $crb.name | default (include "kubetail.fullname" .) }}
+  labels:
+    {{- include "kubetail.labels" . | nindent 4 }}
+    {{- with $crb.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with $crb.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "kubetail.clusterRoleName" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubetail.serviceAccountName" . }}
+  namespace: {{ include "kubetail.namespace" . }}
+{{- range .Values.kubetail.allowedNamespaces }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: {{ . }}
+  name: {{ include "kubetail.roleName" $ }}
+  labels:
+    {{- include "kubetail.labels" $ | nindent 4 }}
+    {{- with $r.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with $r.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+rules:
+- apiGroups: ["", apps, batch]
+  resources: [cronjobs, daemonsets, deployments, jobs, pods, pods/log, replicasets, statefulsets]
+  verbs: [get, list, watch]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  namespace: {{ . }}
+  name: {{ $rb.name | default (include "kubetail.fullname" $) }}
+  labels:
+    {{- include "kubetail.labels" $ | nindent 4 }}
+    {{- with $rb.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    {{- with $rb.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "kubetail.roleName" $ }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "kubetail.serviceAccountName" $ }}
+  namespace: {{ include "kubetail.namespace" $ }}
+{{- end }}
+{{- end }}

charts/kubetail/values.yaml

@@ -25,6 +25,9 @@ kubetail:
   # - local: Uses local kubectl config
   authMode: cluster
 
+  # --- Restrict namespaces
+  allowedNamespaces: []
+
   # -- config file contents (see https://github.com/kubetail-org/kubetail for defaults)
   config: |
     session:
@@ -168,6 +171,22 @@ kubetail:
     # -- Tolerations
     tolerations: []
 
+  role:
+    # -- Overrides Role resources' name whose default is the chart's computed fullname
+    name: null
+    # -- Additional annotations
+    annotations: {}
+    # -- Additional labels
+    labels: {}
+
+  roleBinding:
+    # -- Overrides the RoleBinding resources' name whose default is the chart's computed fullname
+    name: null
+    # -- Additional annotations
+    annotations: {}
+    # -- Additional labels
+    labels: {}
+
   secret:
     # If true, add Secret resource with configured values
     enabled: true