To address the function role vs clusterrole issue (#236)

* To address the function role vs clusterrole issue * making backwards compatable * updated value.yaml to include limit functions to namespace * Added documentation to clarify the new attribute * moved limit_to_namespace under functions.rbac
2023-07-12 10:11:36 -05:00 · 2023-07-12 10:11:36 -05:00 · f8ad65066e
commit f8ad65066e
parent 49f4acdf5a
2 changed files with 23 additions and 0 deletions
--- a/charts/pulsar/templates/broker-rbac.yaml
+++ b/charts/pulsar/templates/broker-rbac.yaml
@ -19,9 +19,15 @@

 {{- if or .Values.components.functions .Values.extra.functionsAsPods }}
 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.functions.rbac.limit_to_namespace }}
+kind: Role
+metadata:
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-role"
+{{- else}}
 kind: ClusterRole
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
+{{- end}}
 rules:
 - apiGroups: [""]
  resources:
@ -46,13 +52,24 @@ metadata:
 ---

 apiVersion: rbac.authorization.k8s.io/v1
+{{- if .Values.functions.rbac.limit_to_namespace }}
+kind: RoleBinding
+metadata:
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-rolebinding"
+{{- else}}
 kind: ClusterRoleBinding
 metadata:
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
+{{- end}}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
+{{- if .Values.functions.rbac.limit_to_namespace }}
+  kind: Role
+  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}-role"
+{{- else}}
  kind: ClusterRole
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
+{{- end}}
 subjects:
 - kind: ServiceAccount
  name: "{{ template "pulsar.fullname" . }}-{{ .Values.functions.component }}"
--- a/charts/pulsar/values.yaml
+++ b/charts/pulsar/values.yaml
@ -792,6 +792,12 @@ broker:
 ##
 functions:
  component: functions-worker
+  ## Pulsar: Functions Worker ClusterRole or Role
+  ## templates/broker-rbac.yaml
+  # Default is false which deploys functions with ClusterRole and ClusterRoleBinding at the cluster level
+  # Set to true to deploy functions with Role and RoleBinding inside the specified namespace
+  rbac:
+    limit_to_namespace: false

 ## Pulsar: Proxy Cluster
 ## templates/proxy-statefulset.yaml