mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-14 18:53:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

helm: add least privileges logic for secrets on ceph-csi-cephfs chart

Browse Source 
this allows the encryption KMS config to be granted secret access with
a least privilges policy.

Signed-off-by: Antoine C <hi@acolombier.dev>
This commit is contained in:
Antoine C
2024-05-15 12:24:44 +01:00
committed by mergify[bot]
parent cc407d157e
commit 3e9b438e7c
5 changed files with 21 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
charts/ceph-csi-cephfs/templates/nodeplugin-clusterrole.yaml
View File

@ -3,7 +3,6 @@ kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "ceph-csi-cephfs.nodeplugin.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
app: {{ include "ceph-csi-cephfs.name" . }}
chart: {{ include "ceph-csi-cephfs.chart" . }}
@ -19,7 +18,7 @@ rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get"]
{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not (eq .Values.encryptionKMSConfig.secretNamespace .Release.Namespace)) }}
{{- if and .Values.encryptionKMSConfig .Values.encryptionKMSConfig.secretNamespace (not .Values.rbac.leastPrivileges) }}
# allow to read the encryption key used with the metadata KMS
- apiGroups: [""]
resources: ["secrets"]