fix: implement more review comments

neuvector · Jul 10, 2024 · ad1b3b4 · ad1b3b4
1 parent c00a681
commit ad1b3b4
Show file tree

Hide file tree

Showing 7 changed files with 155 additions and 121 deletions.
diff --git a/charts/core/templates/role-least.yaml b/charts/core/templates/role-least.yaml
@@ -26,75 +26,4 @@ rules:
   - watch
   - patch
   - update
----
-{{- if .Values.internal.autoGenerateCert }}
-{{- if $oc3 }}
-apiVersion: authorization.openshift.io/v1
-{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- else }}
-apiVersion: v1
-{{- end }}
-kind: Role
-metadata:
-  name: neuvector-role-job-creation
-  namespace: {{ .Release.Namespace }}
-  labels:
-    chart: {{ template "neuvector.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: Helm
-rules:
-- apiGroups:
-  - batch
-  resources:
-  - jobs
-  verbs:
-  - create
-  - get
-  - delete
-{{- end }}
----
-{{- if .Values.internal.autoGenerateCert }}
-{{- if $oc3 }}
-apiVersion: authorization.openshift.io/v1
-{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- else }}
-apiVersion: v1
-{{- end }}
-kind: Role
-metadata:
-  name: neuvector-role-cert-upgrader
-  namespace: {{ .Release.Namespace }}
-  labels:
-    chart: {{ template "neuvector.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: Helm
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - update
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - "apps"
-  resources:
-  - deployments
-  - daemonsets
-  verbs:
-  - get
-  - list
-  - watch
-{{- end }}
 {{- end }}
diff --git a/charts/core/templates/role.yaml b/charts/core/templates/role.yaml
@@ -22,10 +22,8 @@ rules:
   - secrets
   verbs:
   - get
-{{- if .Values.internal.autoGenerateCert }}
   - list
   - watch
-{{- end }}
 
 ---
 
@@ -39,7 +37,7 @@ apiVersion: v1
 {{- end }}
 kind: Role
 metadata:
-  name: neuvector-role-lease
+  name: neuvector-binding-lease
   namespace: {{ .Release.Namespace }}
   labels:
     chart: {{ template "neuvector.chart" . }}
@@ -53,4 +51,85 @@ rules:
   verbs:
   - get
   - update
+---
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: Role
+metadata:
+  name: neuvector-role-job-creation
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - get
+  - delete
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - cronjobs/finalizers
+  verbs:
+  - update
+  - patch
+---
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: Role
+metadata:
+  name: neuvector-role-cert-upgrader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - update
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - "apps"
+  resources:
+  - deployments
+  - daemonsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  verbs:
+  - update
 {{- end }}
diff --git a/charts/core/templates/rolebinding-least.yaml b/charts/core/templates/rolebinding-least.yaml
@@ -57,7 +57,7 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
 {{- end }}
-  name: neuvector-role-lease
+  name: neuvector-binding-lease
 subjects:
 - kind: ServiceAccount
   name: controller
@@ -67,12 +67,10 @@ subjects:
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 - system:serviceaccount:{{ .Release.Namespace }}:controller
 - system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader
 {{- end }}
-{{- end }}
-
-{{- if .Values.internal.autoGenerateCert }}
 ---
 {{- if $oc3 }}
 apiVersion: authorization.openshift.io/v1
@@ -104,40 +102,6 @@ userNames:
 - system:serviceaccount:{{ .Release.Namespace }}:controller
 {{- end }}
 {{- end }}
-
-{{- if .Values.internal.autoGenerateCert }}
----
-{{- if $oc3 }}
-apiVersion: authorization.openshift.io/v1
-{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
-apiVersion: rbac.authorization.k8s.io/v1
-{{- else }}
-apiVersion: v1
-{{- end }}
-kind: RoleBinding
-metadata:
-  name: neuvector-binding-cert-upgrader
-  namespace: {{ .Release.Namespace }}
-  labels:
-    chart: {{ template "neuvector.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: Helm
-roleRef:
-{{- if not $oc3 }}
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-{{- end }}
-  name: neuvector-role-cert-upgrader
-subjects:
-- kind: ServiceAccount
-  name: cert-upgrader
-  namespace: {{ .Release.Namespace }}
-{{- if $oc3 }}
-userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader
-{{- end }}
-{{- end }}
-
 ---
 {{- if $oc3 }}
 apiVersion: authorization.openshift.io/v1
@@ -164,7 +128,6 @@ subjects:
 - kind: ServiceAccount
   name: controller
   namespace: {{ .Release.Namespace }}
-{{- if .Values.internal.autoGenerateCert }}
 - kind: ServiceAccount
   name: enforcer
   namespace: {{ .Release.Namespace }}
@@ -174,16 +137,13 @@ subjects:
 - kind: ServiceAccount
   name: registry-adapter
   namespace: {{ .Release.Namespace }}
-{{- end }}
 {{- if $oc3 }}
 userNames:
 - system:serviceaccount:{{ .Release.Namespace }}:controller
-{{- if .Values.internal.autoGenerateCert }}
 - system:serviceaccount:{{ .Release.Namespace }}:enforcer
 - system:serviceaccount:{{ .Release.Namespace }}:scanner
 - system:serviceaccount:{{ .Release.Namespace }}:registry-adapter
 {{- end }}
-{{- end }}
 
 ---
 

diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml
@@ -109,10 +109,71 @@ roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
 {{- end }}
-  name: neuvector-role-lease
+  name: neuvector-binding-lease
 subjects:
 - kind: ServiceAccount
   name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- end }}
+---
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: RoleBinding
+metadata:
+  name: neuvector-binding-job-creation
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+{{- end }}
+  name: neuvector-role-job-creation
+subjects:
+- kind: ServiceAccount
+  name: controller
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:controller
+{{- end }}
+---
+{{- if $oc3 }}
+apiVersion: authorization.openshift.io/v1
+{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
+apiVersion: rbac.authorization.k8s.io/v1
+{{- else }}
+apiVersion: v1
+{{- end }}
+kind: RoleBinding
+metadata:
+  name: neuvector-binding-cert-upgrader
+  namespace: {{ .Release.Namespace }}
+  labels:
+    chart: {{ template "neuvector.chart" . }}
+    release: {{ .Release.Name }}
+    heritage: Helm
+roleRef:
+{{- if not $oc3 }}
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+{{- end }}
+  name: neuvector-role-cert-upgrader
+subjects:
+- kind: ServiceAccount
+  name: cert-upgrader
+  namespace: {{ .Release.Namespace }}
+{{- if $oc3 }}
+userNames:
+- system:serviceaccount:{{ .Release.Namespace }}:cert-upgrader
+{{- end }}
 {{- end }}
+
diff --git a/charts/core/templates/serviceaccount-least.yaml b/charts/core/templates/serviceaccount-least.yaml
@@ -71,7 +71,6 @@ metadata:
 
 ---
 
-{{- if .Values.internal.autoGenerateCert }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -82,5 +81,3 @@ metadata:
     release: {{ .Release.Name }}
     heritage: Helm
 {{- end }}
-
-{{- end }}
diff --git a/charts/core/templates/upgrader-cronjob.yaml b/charts/core/templates/upgrader-cronjob.yaml
@@ -69,7 +69,7 @@ spec:
           containers:
             - name: neuvector-cert-upgrader-pod
               image: {{ include "neuvector.controller.image" . | quote }}
-              imagePullPolicy: Always
+              imagePullPolicy: {{ .Values.controller.certupgrader.imagePullPolicy }}
               command: 
                 - /usr/local/bin/upgrader
                 - upgrader-job

diff --git a/charts/core/values.yaml b/charts/core/values.yaml
@@ -290,6 +290,14 @@ controller:
     schedule: ""
     imagePullPolicy: IfNotPresent
     timeout: 3600 
+    priorityClassName:
+    podLabels: {}
+    podAnnotations: {}
+    nodeSelector:
+      {}
+      # key1: value1
+      # key2: value2
+    runAsUser: # MUST be set for Rancher hardened cluster
 
 enforcer:
   # If false, enforcer will not be installed