Accept PodSecurityPolicy name, bind to managed ServiceAccount if provided #433
Conversation
nathancoleman
added
the
pr/no-changelog
nathancoleman
changed the title
nathancoleman
removed
the
pr/no-changelog
nathancoleman
requested review from
sarahalsmiller,
andrewstucki and
mikemorris
| @@ -73,6 +73,10 @@ spec: | |||
| namespace: | |||
| description: The Consul namespace to use for authentication. | |||
| type: string | |||
| podSecurityPolicy: | |||
There was a problem hiding this comment.
I'm not a huge fan of having this named explicitly after podSecurityPolicy since it's already going away w/ K8s 1.25; however, the replacement for it is different enough that I don't think it makes sense to try and munge the concepts together into one field. Thoughts?
There was a problem hiding this comment.
I actually like that it's so explicit. That will make it easier when we remove PSPs in a few years. What is our support policy for K8s versions?
| //+kubebuilder:rbac:groups=rbac.authorization.k8s.io,resources=roles;rolebindings,verbs=list;get;create;watch | ||
| //+kubebuilder:rbac:groups=policy,resources=podsecuritypolicies,verbs=use |
There was a problem hiding this comment.
The RBAC generated from these annotations is only used for our own testing inside this repo. These changes reflect the changes that have already been made to the Consul Helm chart in hashicorp/consul-k8s#1672
| role := config.RoleFor(gateway) | ||
| if role == nil { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
Following the pattern already established by the ServiceAccount code immediately above: return nil if we shouldn't be creating a Role and move along.
| APIGroup: "rbac.authorization.k8s.io", | ||
| Kind: "Role", |
There was a problem hiding this comment.
Looked for some constants for these but had no luck finding any in the K8s SDK
| @@ -73,6 +73,10 @@ spec: | |||
| namespace: | |||
| description: The Consul namespace to use for authentication. | |||
| type: string | |||
| podSecurityPolicy: | |||
There was a problem hiding this comment.
I actually like that it's so explicit. That will make it easier when we remove PSPs in a few years. What is our support policy for K8s versions?
| @@ -437,6 +438,14 @@ func (g *gatewayClient) DeleteService(ctx context.Context, service *core.Service | |||
| return nil | |||
| } | |||
|
|
|||
| func (g *gatewayClient) EnsureExists(ctx context.Context, obj client.Object, mutators ...func() error) (bool, error) { | |||
There was a problem hiding this comment.
This is a really clean implementation!
config/crd/bases/api-gateway.consul.hashicorp.com_gatewayclassconfigs.yaml
Outdated
Show resolved
Hide resolved
Changes proposed in this PR:
When creating a
Deploymentfor a givenGateway, we create a "managed"ServiceAccountif theGatewayClassConfigindicates that we should.With the changes in this PR, we will also create a
RoleandRoleBindingattaching the namedpodSecurityPolicyfrom theGatewayClassConfigif one has been provided.How I've tested this PR:
Create a K8s cluster that requires
PodSecurityPolicies. In GKE, this is:Install the Consul Helm chart from hashicorp/consul-k8s#1672 and exercise Consul API Gateway functionality.
How I expect reviewers to test this PR:
See above
Checklist: