Remove custom Security Context Constraints (#1838)

Dynatrace · Jun 6, 2023 · c294951 · c294951
1 parent f620141
commit c294951
Show file tree

Hide file tree

Showing 43 changed files with 538 additions and 986 deletions.
diff --git a/config/helm/chart/default/templates/Common/activegate/clusterrole-activegate.yaml b/config/helm/chart/default/templates/Common/activegate/clusterrole-activegate.yaml
@@ -1,6 +1,5 @@
 {{- include "dynatrace-operator.platformRequired" . }}
-{{- if eq (default false .Values.olm) true}}
-{{ if eq (include "dynatrace-operator.partial" .) "false" }}
+{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
 
 # Copyright 2021 Dynatrace LLC
 
@@ -25,11 +24,25 @@ rules:
   - apiGroups:
       - security.openshift.io
     resourceNames:
-      - host
       - privileged
+      - nonroot-v2
     resources:
       - securitycontextconstraints
     verbs:
       - use
-{{- end -}}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-activegate
+  labels:
+    {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-activegate
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: dynatrace-activegate
+  apiGroup: rbac.authorization.k8s.io
 {{- end -}}
diff --git a/config/helm/chart/default/templates/Common/activegate/clusterrolebinding-activegate.yaml b/config/helm/chart/default/templates/Common/activegate/clusterrolebinding-activegate.yaml
diff --git a/config/helm/chart/default/templates/Common/csi/clusterrole-csi.yaml b/config/helm/chart/default/templates/Common/csi/clusterrole-csi.yaml
@@ -62,4 +62,29 @@ rules:
       - get
       - list
       - watch
+  {{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
+  - apiGroups:
+      - security.openshift.io
+    resourceNames:
+      - privileged
+    resources:
+      - securitycontextconstraints
+    verbs:
+      - use
+  {{ end }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-oneagent-csi-driver
+  labels:
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-oneagent-csi-driver
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: dynatrace-oneagent-csi-driver
+  apiGroup: rbac.authorization.k8s.io
 {{- end -}}
diff --git a/config/helm/chart/default/templates/Common/csi/clusterrolebinding-csi.yaml b/config/helm/chart/default/templates/Common/csi/clusterrolebinding-csi.yaml
diff --git a/config/helm/chart/default/templates/Common/csi/role-csi.yaml b/config/helm/chart/default/templates/Common/csi/role-csi.yaml
@@ -67,4 +67,20 @@ rules:
       - get
       - list
       - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: dynatrace-oneagent-csi-driver
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-oneagent-csi-driver
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: dynatrace-oneagent-csi-driver
+  apiGroup: rbac.authorization.k8s.io
 {{- end -}}
diff --git a/config/helm/chart/default/templates/Common/csi/rolebinding-csi.yaml b/config/helm/chart/default/templates/Common/csi/rolebinding-csi.yaml
diff --git a/...art/default/templates/Common/kubernetes-monitoring/clusterrole-kubernetes-monitoring.yaml b/...art/default/templates/Common/kubernetes-monitoring/clusterrole-kubernetes-monitoring.yaml
@@ -80,15 +80,30 @@ rules:
       - /livez
     verbs:
       - get
-  {{- if eq (default false .Values.olm) true}}
+  {{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
   - apiGroups:
       - security.openshift.io
     resourceNames:
-      - host
       - privileged
+      - nonroot-v2
     resources:
       - securitycontextconstraints
     verbs:
       - use
   {{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynatrace-kubernetes-monitoring
+  labels:
+    {{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynatrace-kubernetes-monitoring
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-kubernetes-monitoring
+    namespace: {{ .Release.Namespace }}
 {{ end }}
diff --git a/...ault/templates/Common/kubernetes-monitoring/clusterrolebinding-kubernetes-monitoring.yaml b/...ault/templates/Common/kubernetes-monitoring/clusterrolebinding-kubernetes-monitoring.yaml
diff --git a/config/helm/chart/default/templates/Common/oneagent/clusterrole-oneagent-privileged.yaml b/config/helm/chart/default/templates/Common/oneagent/clusterrole-oneagent-privileged.yaml
@@ -23,10 +23,24 @@ rules:
   - apiGroups:
       - security.openshift.io
     resourceNames:
-      - host
       - privileged
     resources:
       - securitycontextconstraints
     verbs:
       - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynatrace-dynakube-oneagent-privileged
+  labels:
+    {{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: "dynatrace-dynakube-oneagent-privileged"
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: "dynatrace-dynakube-oneagent-privileged"
 {{ end }}
diff --git a/config/helm/chart/default/templates/Common/oneagent/clusterrole-oneagent-unprivileged.yaml b/config/helm/chart/default/templates/Common/oneagent/clusterrole-oneagent-unprivileged.yaml
@@ -23,10 +23,24 @@ rules:
   - apiGroups:
       - security.openshift.io
     resourceNames:
-      - host
       - privileged
     resources:
       - securitycontextconstraints
     verbs:
       - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: dynatrace-dynakube-oneagent-unprivileged
+  labels:
+    {{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: dynatrace-dynakube-oneagent-unprivileged
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: dynatrace-dynakube-oneagent-unprivileged
 {{ end }}
diff --git a/.../helm/chart/default/templates/Common/oneagent/clusterrolebinding-oneagent-privileged.yaml b/.../helm/chart/default/templates/Common/oneagent/clusterrolebinding-oneagent-privileged.yaml
diff --git a/...elm/chart/default/templates/Common/oneagent/clusterrolebinding-oneagent-unprivileged.yaml b/...elm/chart/default/templates/Common/oneagent/clusterrolebinding-oneagent-unprivileged.yaml
diff --git a/config/helm/chart/default/templates/Common/operator/clusterrole-operator.yaml b/config/helm/chart/default/templates/Common/operator/clusterrole-operator.yaml
@@ -90,15 +90,30 @@ rules:
     verbs:
       - get
       - update
-  {{- if eq (default false .Values.olm) true}}
+  {{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
   - apiGroups:
       - security.openshift.io
     resourceNames:
-      - host
       - privileged
+      - nonroot-v2
     resources:
       - securitycontextconstraints
     verbs:
       - use
   {{ end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Release.Name }}
+  labels:
+    {{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ .Release.Name }}
+  apiGroup: rbac.authorization.k8s.io
 {{ end }}