Merge commit '90f056028f9e602a83c2d4b092eec665730dfbd2'

jouve · Oct 20, 2023 · 40c8108 · 40c8108
2 parents 8510ad6 + 90f0560
commit 40c8108
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 69 deletions.
diff --git a/charts/cloudnative-pg/README.md b/charts/cloudnative-pg/README.md
diff --git a/charts/cloudnative-pg/templates/mutatingwebhookconfiguration.yaml b/charts/cloudnative-pg/templates/mutatingwebhookconfiguration.yaml
@@ -35,7 +35,7 @@ webhooks:
       path: /mutate-postgresql-cnpg-io-v1-backup
       port: {{ .Values.service.port }}
   failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
-  name: mbackup.kb.io
+  name: mbackup.cnpg.io
   rules:
   - apiGroups:
     - postgresql.cnpg.io
@@ -56,7 +56,7 @@ webhooks:
       path: /mutate-postgresql-cnpg-io-v1-cluster
       port: {{ .Values.service.port }}
   failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
-  name: mcluster.kb.io
+  name: mcluster.cnpg.io
   rules:
   - apiGroups:
     - postgresql.cnpg.io
@@ -77,7 +77,7 @@ webhooks:
       path: /mutate-postgresql-cnpg-io-v1-scheduledbackup
       port: {{ .Values.service.port }}
   failurePolicy: {{ .Values.webhook.mutating.failurePolicy }}
-  name: mscheduledbackup.kb.io
+  name: mscheduledbackup.cnpg.io
   rules:
   - apiGroups:
     - postgresql.cnpg.io

diff --git a/charts/cloudnative-pg/templates/rbac.yaml b/charts/cloudnative-pg/templates/rbac.yaml
@@ -135,13 +135,13 @@ rules:
   - update
   - watch
 - apiGroups:
-    - ""
+  - ""
   resources:
-    - secrets/status
+  - secrets/status
   verbs:
-    - get
-    - patch
-    - update
+  - get
+  - patch
+  - update
 - apiGroups:
   - ""
   resources:
@@ -192,17 +192,17 @@ rules:
   - list
   - update
 - apiGroups:
-    - apps
+  - apps
   resources:
-    - deployments
+  - deployments
   verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - batch
   resources:
@@ -288,32 +288,32 @@ rules:
   resources:
   - clusters/status
   verbs:
-    - get
-    - patch
-    - update
-    - watch
+  - get
+  - patch
+  - update
+  - watch
 - apiGroups:
-    - postgresql.cnpg.io
+  - postgresql.cnpg.io
   resources:
-    - poolers
+  - poolers
   verbs:
-    - create
-    - delete
-    - get
-    - list
-    - patch
-    - update
-    - watch
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
-    - postgresql.cnpg.io
+  - postgresql.cnpg.io
   resources:
-    - poolers/finalizers
+  - poolers/finalizers
   verbs:
-    - update
+  - update
 - apiGroups:
-    - postgresql.cnpg.io
+  - postgresql.cnpg.io
   resources:
-    - poolers/status
+  - poolers/status
   verbs:
   - get
   - patch
@@ -390,20 +390,16 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "cloudnative-pg.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{- if .Values.rbac.aggregate }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "cloudnative-pg.fullname" . }}-edit
+  name: {{ include "cloudnative-pg.fullname" . }}-view
   labels:
     {{- include "cloudnative-pg.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-  {{- with .Values.commonAnnotations.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- if .Values.rbac.aggregateClusterRoles }}
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+    {{- end }}
 rules:
 - apiGroups:
   - postgresql.cnpg.io
@@ -413,25 +409,19 @@ rules:
   - poolers
   - scheduledbackups
   verbs:
-  - create
-  - delete
-  - deletecollection
-  - patch
-  - update
+  - get
+  - list
+  - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "cloudnative-pg.fullname" . }}-view
+  name: {{ include "cloudnative-pg.fullname" . }}-edit
   labels:
     {{- include "cloudnative-pg.labels" . | nindent 4 }}
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    {{- if .Values.rbac.aggregateClusterRoles }}
     rbac.authorization.k8s.io/aggregate-to-edit: "true"
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-  {{- with .Values.commonAnnotations.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
+    {{- end }}
 rules:
 - apiGroups:
   - postgresql.cnpg.io
@@ -441,8 +431,10 @@ rules:
   - poolers
   - scheduledbackups
   verbs:
-  - get
-  - list
-  - watch
-{{- end }}
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+---
 {{- end }}
diff --git a/charts/cloudnative-pg/templates/validatingwebhookconfiguration.yaml b/charts/cloudnative-pg/templates/validatingwebhookconfiguration.yaml
@@ -35,7 +35,7 @@ webhooks:
       path: /validate-postgresql-cnpg-io-v1-backup
       port: {{ .Values.service.port }}
   failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
-  name: vbackup.kb.io
+  name: vbackup.cnpg.io
   rules:
   - apiGroups:
     - postgresql.cnpg.io
@@ -56,7 +56,7 @@ webhooks:
       path: /validate-postgresql-cnpg-io-v1-cluster
       port: {{ .Values.service.port }}
   failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
-  name: vcluster.kb.io
+  name: vcluster.cnpg.io
   rules:
   - apiGroups:
     - postgresql.cnpg.io
@@ -77,7 +77,7 @@ webhooks:
       path: /validate-postgresql-cnpg-io-v1-scheduledbackup
       port: {{ .Values.service.port }}
   failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
-  name: vscheduledbackup.kb.io
+  name: vscheduledbackup.cnpg.io
   rules:
   - apiGroups:
     - postgresql.cnpg.io
@@ -98,7 +98,7 @@ webhooks:
       path: /validate-postgresql-cnpg-io-v1-pooler
       port: {{ .Values.service.port }}
   failurePolicy: {{ .Values.webhook.validating.failurePolicy }}
-  name: vpooler.kb.io
+  name: vpooler.cnpg.io
   rules:
     - apiGroups:
         - postgresql.cnpg.io

diff --git a/charts/cloudnative-pg/values.schema.json b/charts/cloudnative-pg/values.schema.json
@@ -53,6 +53,14 @@
                 },
                 "runAsUser": {
                     "type": "integer"
+                },
+                "seccompProfile": {
+                    "type": "object",
+                    "properties": {
+                        "type": {
+                            "type": "string"
+                        }
+                    }
                 }
             }
         },
@@ -137,6 +145,9 @@
         "rbac": {
             "type": "object",
             "properties": {
+                "aggregateClusterRoles": {
+                    "type": "boolean"
+                },
                 "create": {
                     "type": "boolean"
                 }

diff --git a/charts/cloudnative-pg/values.yaml b/charts/cloudnative-pg/values.yaml
@@ -76,8 +76,9 @@ serviceAccount:
 rbac:
   # -- Specifies whether ClusterRole and ClusterRoleBinding should be created.
   create: true
-  # -- Create a ClusterRole and aggregate it to [user facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
-  aggregate: false
+  # -- Aggregate ClusterRoles to Kubernetes default user-facing roles.
+  # Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+  aggregateClusterRoles: false
 
 # -- Annotations to be added to all other resources.
 commonAnnotations: {}
@@ -92,6 +93,8 @@ containerSecurityContext:
   readOnlyRootFilesystem: true
   runAsUser: 10001
   runAsGroup: 10001
+  seccompProfile:
+    type: RuntimeDefault
   capabilities:
     drop:
       - "ALL"