Update nirmata-kube-controller.yaml with aggregated cluster role (#486)

* Update nirmata-kube-controller.yaml with aggregated cluster role

* add kube controller flags to have write clusterroles

* chart version bump

charts/nirmata-kube-controller/Chart.yaml

@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.5
+version: 0.1.6
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/nirmata-kube-controller/templates/nirmata-kube-controller.yaml

@@ -19,11 +19,11 @@ type: kubernetes.io/service-account-token
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: nirmata:readonly
+  name: nirmata:readonly-binding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: nirmata:readonly
+  name: view
 subjects:
 - kind: ServiceAccount
   name: nirmata
@@ -39,32 +39,18 @@ roleRef:
   kind: ClusterRole
   name: admin
 subjects:
-- kind: ServiceAccount
-  name: nirmata
-  namespace: {{ .Values.namespace }}
----   
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: nirmata:view
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: view
-subjects:
 - kind: ServiceAccount
   name: nirmata
   namespace: {{ .Values.namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  annotations: {}
   name: nirmata:readonly
+  labels:
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
 rules:
-- apiGroups:
-  - kyverno.io
-  - operator.kyverno.io
+- apiGroups: ["kyverno.io", "operator.kyverno.io"]
   resources:
   - policies
   - policies/status
@@ -77,36 +63,38 @@ rules:
   - generaterequests/status
   verbs:
   - get
-  - watch
   - list
-- apiGroups:
-  - wgpolicyk8s.io
+  - watch
+  {{ if .Values.enablePolicyExceptions }}
+  - create
+  - update
+  - patch
+  - delete
+  {{ end }}
+- apiGroups: ["wgpolicyk8s.io"]
   resources:
   - policyreports
   - policyreports/status
   - clusterpolicyreports
   - clusterpolicyreports/status
   verbs:
   - get
-  - watch
   - list
-- apiGroups:
-  - policy.kubernetes.io
+  - watch
+- apiGroups: ["policy.kubernetes.io"]
   resources:
   - reportchangerequests
   - reportchangerequests/status
   - clusterreportchangerequests
   - clusterreportchangerequests/status
   verbs:
   - get
-  - watch
   - list
-- apiGroups:
-  - security.nirmata.io
+  - watch
+- apiGroups: ["security.nirmata.io"]
   resources:
   - imagekeys
   - imagekeys/status
-  - imagekeys/finalizers
   - kyvernoes
   - kyvernoes/status
   - policysets
@@ -117,17 +105,22 @@ rules:
   - kyvernoconfigs/status
   verbs:
   - get
-  - watch
   - list
-- apiGroups:
-  - ''
+  - watch
+  {{ if .Values.enablePolicySets }}
+  - create
+  - update
+  - patch
+  - delete
+  {{ end }}
+- apiGroups: [""]
   resources:
   - nodes
   - componentstatuses
   verbs:
   - get
-  - watch
   - list
+  - watch
 ---
 apiVersion: v1
 kind: ConfigMap

charts/nirmata-kube-controller/values.yaml

@@ -26,6 +26,10 @@ cluster:
 # to use apiToken, please specify the token directly, no base64 encode needed
 # apiToken: ""
 
+enablePolicyExceptions: false
+enablePolicySets: false
+
+
 proxy:
   httpProxy: ""
   httpsProxy: ""