Merge pull request #8699 from kincoy/vpa-chart-updater-rbac

feat(vpa-chart): support updater rbac

Author: k8s-ci-robot

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/README.md

@@ -100,3 +100,6 @@ The Vertical Pod Autoscaler (VPA) automatically adjusts the CPU and memory resou
 | updater.podAnnotations | object | `{}` |  |
 | updater.podLabels | object | `{}` |  |
 | updater.replicas | int | `1` |  |
+| updater.serviceAccount.annotations | object | `{}` |  |
+| updater.serviceAccount.create | bool | `true` |  |
+| updater.serviceAccount.labels | object | `{}` |  |

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/updater-clusterrole.yaml

@@ -0,0 +1,135 @@
+{{- if and (.Values.updater.enabled) .Values.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-in-place
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods/resize
+      - pods
+    verbs:
+    - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-actor
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - nodes
+      - limitranges
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+      - events.k8s.io
+    resources:
+      - events
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - patch
+      - update
+  - apiGroups:
+      - "poc.autoscaling.k8s.io"
+    resources:
+      - verticalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - "autoscaling.k8s.io"
+    resources:
+      - verticalpodautoscalers
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-evictioner
+rules:
+  - apiGroups:
+      - "apps"
+      - "extensions"
+    resources:
+      - replicasets
+    verbs:
+      - get
+  - apiGroups:
+      - ""
+    resources:
+      - pods/eviction
+    verbs:
+      - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-target-reader
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*/scale'
+    verbs:
+      - get
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - replicationcontrollers
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - apps
+    resources:
+      - daemonsets
+      - deployments
+      - replicasets
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - batch
+    resources:
+      - jobs
+      - cronjobs
+    verbs:
+      - get
+      - list
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-status-reader
+rules:
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - leases
+    verbs:
+      - get
+      - list
+      - watch
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/updater-clusterrolebinding.yaml

@@ -0,0 +1,77 @@
+{{- if and (.Values.updater.enabled) .Values.rbac.create -}}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-in-place-binding
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-in-place
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-actor-binding
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-actor
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-target-reader-binding
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-target-reader
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-evictioner-binding
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-evictioner
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-status-reader-binding
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-status-reader
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/updater-deployment.yaml

@@ -27,6 +27,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
       securityContext:
         runAsNonRoot: true
         runAsUser: 65534

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/updater-role.yaml

@@ -0,0 +1,33 @@
+{{- if and (.Values.updater.enabled) .Values.updater.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-leader-locking
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+  {{- with .Values.updater.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.updater.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - "coordination.k8s.io"
+    resources:
+      - leases
+    verbs:
+      - create
+  - apiGroups:
+      - "coordination.k8s.io"
+    resourceNames:
+      - vpa-updater
+    resources:
+      - leases
+    verbs:
+      - get
+      - watch
+      - update
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/updater-rolebinding.yaml

@@ -0,0 +1,15 @@
+{{- if and (.Values.updater.enabled) .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-leader-locking-binding
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}-leader-locking
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/templates/updater-serviceaccount.yaml

@@ -0,0 +1,16 @@
+{{- if and (.Values.updater.enabled) .Values.updater.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "vertical-pod-autoscaler.updater.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "vertical-pod-autoscaler.updater.labels" . | nindent 4 }}
+  {{- with .Values.updater.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.updater.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}

vertical-pod-autoscaler/charts/vertical-pod-autoscaler/values.yaml

@@ -189,7 +189,7 @@ updater:
     tag:
     # Image pull policy for the Updater default container.
     pullPolicy: IfNotPresent
-  
+
   # Number of Updater replicas to create.
   replicas: 1
 
@@ -198,3 +198,10 @@ updater:
 
   # Annotations to add to the Updater pod.
   podAnnotations: {}
+  serviceAccount:
+    # If `true`, create a new `ServiceAccount` for the Updater.
+    create: true
+    # Labels to add to the Updater service account.
+    labels: {}
+    # Annotations to add to the Updater service account.
+    annotations: {}