helm: add least privileges logic for secrets on ceph-csi-cephfs chart

this allows the encryption KMS config to be granted secret access with a least privilges policy. Signed-off-by: Antoine C <hi@acolombier.dev>
2025-06-14 02:43:36 +00:00 · 2024-05-15 12:24:44 +01:00
parent cc407d157e
commit 3e9b438e7c
5 changed files with 21 additions and 7 deletions
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
@ -3,7 +3,6 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
-  namespace: {{ .Release.Namespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
@ -19,7 +18,7 @@ rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get"]
-{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace)) }}
+{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not .Values.rbac.leastPrivileges) }}
  # allow to read the encryption key used with the metadata KMS
  - apiGroups: [""]
    resources: ["secrets"]
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-role.yaml
@ -1,9 +1,10 @@
-{{- if .Values.rbac.create -}}
-{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace  .Values.encryptionKMSConfig.secretName (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}}
+{{- if and .Values.rbac.create .Values.rbac.leastPrivileges -}}
+{{- if and .Values.encryptionKMSConfig (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") .Values.encryptionKMSConfig.secretNamespace .Values.encryptionKMSConfig.secretName -}}
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
+  namespace: {{ .Values.encryptionKMSConfig.secretNamespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}
--- a/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
+++ b/charts/ceph-csi-cephfs/templates/nodeplugin-rolebinding.yaml
@ -1,10 +1,10 @@
-{{- if .Values.rbac.create -}}
-{{- if and (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace) -}}
+{{- if and .Values.rbac.create .Values.rbac.leastPrivileges -}}
+{{- if and .Values.encryptionKMSConfig (eq .Values.encryptionKMSConfig.encryptionKMSType "metadata") .Values.encryptionKMSConfig.secretNamespace -}}
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
-  namespace: {{ .Release.Namespace }}
+  namespace: {{ .Values.encryptionKMSConfig.secretNamespace }}
  labels:
    app: {{ include "ceph-csi-cephfs.name" . }}
    chart: {{ include "ceph-csi-cephfs.chart" . }}