From 9613ee029290a23e512d5f247bef69faa6bf796a Mon Sep 17 00:00:00 2001
From: Frank Kelly <62910985+frankjkelly@users.noreply.github.com>
Date: Fri, 4 Feb 2022 03:41:10 -0500
Subject: [PATCH] Make PodSecurityPolicy name unique in k8s cluster when rbac.limit_to_namespace is true (#224)
- allows having multiple Pulsar clusters in different K8S namespaces but having the same helm release name
- PodSecurityPolicy is a cluster-level-resource and name would collide without this change
---
 charts/pulsar/Chart.yaml | 2 +-
 charts/pulsar/templates/autorecovery-rbac.yaml | 5 ++++-
 charts/pulsar/templates/bookkeeper-rbac.yaml | 5 ++++-
 charts/pulsar/templates/broker-rbac.yaml | 5 ++++-
 charts/pulsar/templates/proxy-rbac.yaml | 5 ++++-
 charts/pulsar/templates/toolset-rbac.yaml | 5 ++++-
 charts/pulsar/templates/zookeeper-rbac.yaml | 7 +++++--
 7 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/charts/pulsar/Chart.yaml b/charts/pulsar/Chart.yaml
index 3813fc3..6fdd15f 100644
--- a/charts/pulsar/Chart.yaml
+++ b/charts/pulsar/Chart.yaml
@@ -21,7 +21,7 @@ apiVersion: v2
 appVersion: "2.7.4"
 description: Apache Pulsar Helm chart for Kubernetes
 name: pulsar
-version: 2.7.10
+version: 2.7.11
 home: https://pulsar.apache.org
 sources:
 - https://github.com/apache/pulsar
diff --git a/charts/pulsar/templates/autorecovery-rbac.yaml b/charts/pulsar/templates/autorecovery-rbac.yaml
index 78c0447..6885497 100644
--- a/charts/pulsar/templates/autorecovery-rbac.yaml
+++ b/charts/pulsar/templates/autorecovery-rbac.yaml
@@ -59,8 +59,11 @@ subjects:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
+{{- if .Values.rbac.limit_to_namespace }}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}-{{ template "pulsar.namespace" . }}"
+{{- else}}
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}"
- namespace: {{ template "pulsar.namespace" . }}
+{{- end}}
 spec:
 readOnlyRootFilesystem: false
 privileged: false
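Review bot: The renamed policy is only usable if the RBAC rule that grants `use` on it is renamed in step, and this hunk changes `metadata.name` alone. The Role or ClusterRole defined earlier in autorecovery-rbac.yaml lies outside the hunk (which starts at line 59), and the diffstat shows no other change in the file, so if that rule pins the policy through `resourceNames` it presumably still lists the unsuffixed name when `rbac.limit_to_namespace` is true. In that case the service account would no longer be authorised for this policy, and its pods would either be rejected at admission or admitted under whatever other policy the account can use, which may be looser. The `resourceNames` entry should sit under the same conditional and read `- "{{ template "pulsar.fullname" . }}-{{ .Values.autorecovery.component }}-{{ template "pulsar.namespace" . }}"` in the `if` branch. The same check applies to the bookkeeper, broker, proxy, toolset and zookeeper hunks.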
diff --git a/charts/pulsar/templates/bookkeeper-rbac.yaml b/charts/pulsar/templates/bookkeeper-rbac.yaml
index 0b7213d..0eaf2f2 100644
--- a/charts/pulsar/templates/bookkeeper-rbac.yaml
+++ b/charts/pulsar/templates/bookkeeper-rbac.yaml
@@ -59,8 +59,11 @@ subjects:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
+{{- if .Values.rbac.limit_to_namespace }}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}-{{ template "pulsar.namespace" . }}"
+{{- else}}
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.bookkeeper.component }}"
- namespace: {{ template "pulsar.namespace" . }}
+{{- end}}
 spec:
 readOnlyRootFilesystem: false
 privileged: false
diff --git a/charts/pulsar/templates/broker-rbac.yaml b/charts/pulsar/templates/broker-rbac.yaml
index f3f3c00..6654435 100644
--- a/charts/pulsar/templates/broker-rbac.yaml
+++ b/charts/pulsar/templates/broker-rbac.yaml
@@ -97,8 +97,11 @@ subjects:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
+{{- if .Values.rbac.limit_to_namespace }}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}-{{ template "pulsar.namespace" . }}"
+{{- else}}
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.broker.component }}"
- namespace: {{ template "pulsar.namespace" . }}
+{{- end}}
 spec:
 readOnlyRootFilesystem: false
 privileged: false
diff --git a/charts/pulsar/templates/proxy-rbac.yaml b/charts/pulsar/templates/proxy-rbac.yaml
index 4b379db..72298ee 100644
--- a/charts/pulsar/templates/proxy-rbac.yaml
+++ b/charts/pulsar/templates/proxy-rbac.yaml
@@ -59,8 +59,11 @@ subjects:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
+{{- if .Values.rbac.limit_to_namespace }}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}-{{ template "pulsar.namespace" . }}"
+{{- else}}
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.proxy.component }}"
- namespace: {{ template "pulsar.namespace" . }}
+{{- end}}
 spec:
 readOnlyRootFilesystem: false
 privileged: false
diff --git a/charts/pulsar/templates/toolset-rbac.yaml b/charts/pulsar/templates/toolset-rbac.yaml
index ab0f931..c08c6f5 100644
--- a/charts/pulsar/templates/toolset-rbac.yaml
+++ b/charts/pulsar/templates/toolset-rbac.yaml
@@ -59,8 +59,11 @@ subjects:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
+{{- if .Values.rbac.limit_to_namespace }}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}-{{ template "pulsar.namespace" . }}"
+{{- else}}
 name: "{{ template "pulsar.fullname" . }}-{{ .Values.toolset.component }}"
- namespace: {{ template "pulsar.namespace" . }}
+{{- end}}
 spec:
 readOnlyRootFilesystem: false
 privileged: false
diff --git a/charts/pulsar/templates/zookeeper-rbac.yaml b/charts/pulsar/templates/zookeeper-rbac.yaml
index 4b541a4..23f80f5 100644
--- a/charts/pulsar/templates/zookeeper-rbac.yaml
+++ b/charts/pulsar/templates/zookeeper-rbac.yaml
@@ -59,8 +59,11 @@ subjects:
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
-name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
- namespace: {{ template "pulsar.namespace" . }}
+{{- if .Values.rbac.limit_to_namespace }}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}-{{ template "pulsar.namespace" . }}"
+{{- else}}
+ name: "{{ template "pulsar.fullname" . }}-{{ .Values.zookeeper.component }}"
+{{- end}}
 spec:
 readOnlyRootFilesystem: false
 privileged: false
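Review bot: Nothing in the zookeeper-rbac.yaml hunk says why the namespace is appended to the policy name, and the same conditional is copied into all six RBAC templates. A comment above the `if`, such as `{{- /* PodSecurityPolicy is cluster-scoped: suffix the namespace so releases with the same name do not collide */}}`, would keep a later editor from dropping the suffix. A single named template that takes the component and returns the policy name would remove the repetition and give any rule that references the policy one place to get the name from. The `{{- else}}` and `{{- end}}` actions also lack the space before `}}` that the `if` line uses.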