Accept PodSecurityPolicy name, bind to managed ServiceAccount if provided#433
Accept PodSecurityPolicy name, bind to managed ServiceAccount if provided#433nathancoleman merged 11 commits intomainfrom
Conversation
nathancoleman
added
the
pr/no-changelog
nathancoleman
changed the title
nathancoleman
removed
the
pr/no-changelog
nathancoleman
requested review from
andrewstucki,
mikemorris and
sarahalsmiller
| namespace: | ||
| description: The Consul namespace to use for authentication. | ||
| type: string | ||
| podSecurityPolicy: |
There was a problem hiding this comment.
I'm not a huge fan of having this named explicitly after podSecurityPolicy since it's already going away w/ K8s 1.25; however, the replacement for it is different enough that I don't think it makes sense to try and munge the concepts together into one field. Thoughts?
There was a problem hiding this comment.
I actually like that it's so explicit. That will make it easier when we remove PSPs in a few years. What is our support policy for K8s versions?
| //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=list;get;create;watch | ||
| //+kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=use |
There was a problem hiding this comment.
The RBAC generated from these annotations is only used for our own testing inside this repo. These changes reflect the changes that have already been made to the Consul Helm chart in hashicorp/consul-k8s#1672
| role := config.RoleFor(gateway) | ||
| if role == nil { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
Following the pattern already established by the ServiceAccount code immediately above: return nil if we shouldn't be creating a Role and move along.
| APIGroup: "rbac.authorization.k8s.io", | ||
| Kind: "Role", |
There was a problem hiding this comment.
Looked for some constants for these but had no luck finding any in the K8s SDK
t-eckert
left a comment
t-eckert
left a comment
There was a problem hiding this comment.
Nice! I like that you included some refactoring work as well to keep things tidy
| namespace: | ||
| description: The Consul namespace to use for authentication. | ||
| type: string | ||
| podSecurityPolicy: |
There was a problem hiding this comment.
I actually like that it's so explicit. That will make it easier when we remove PSPs in a few years. What is our support policy for K8s versions?
| return nil | ||
| } | ||
|
|
||
| func (g *gatewayClient) EnsureExists(ctx context.Context, obj client.Object, mutators ...func() error) (bool, error) { |
There was a problem hiding this comment.
This is a really clean implementation!
config/crd/bases/api-gateway.consul.hashicorp.com_gatewayclassconfigs.yaml
Outdated
Show resolved
Hide resolved
2 participants
Changes proposed in this PR:
When creating a
Deploymentfor a givenGateway, we create a "managed"ServiceAccountif theGatewayClassConfigindicates that we should.With the changes in this PR, we will also create a
RoleandRoleBindingattaching the namedpodSecurityPolicyfrom theGatewayClassConfigif one has been provided.How I've tested this PR:
Create a K8s cluster that requires
PodSecurityPolicies. In GKE, this is:Install the Consul Helm chart from hashicorp/consul-k8s#1672 and exercise Consul API Gateway functionality.
How I expect reviewers to test this PR:
See above
Checklist: