fix(rbac)!: nodes API permissions for Traefik v3.1+

jnoordsij · web-flow · commit 647439d061fc · 2024-07-03T11:14:04.000+02:00
diff --git a/traefik/templates/rbac/clusterrole.yaml b/traefik/templates/rbac/clusterrole.yaml
@@ -1,5 +1,9 @@
-{{- if and .Values.rbac.enabled (or .Values.providers.kubernetesIngress.enabled (not .Values.rbac.namespaced)) }}
-{{- if not (and .Values.rbac.namespaced .Values.providers.kubernetesIngress.disableIngressClassLookup) }}
+{{- if .Values.rbac.enabled }}
+{{- if or
+       (semverCompare ">=v3.1.0-0" (.Values.image.tag | default .Chart.AppVersion))
+       (not .Values.rbac.namespaced)
+       (and .Values.rbac.namespaced .Values.providers.kubernetesIngress.enabled (not .Values.providers.kubernetesIngress.disableIngressClassLookup))
+}}
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
@@ -11,6 +15,16 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-{{ . }}: "true"
     {{- end }}
 rules:
+  {{- if semverCompare ">=v3.1.0-0" (.Values.image.tag | default .Chart.AppVersion) }}
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  {{- end }}
   - apiGroups:
       - extensions
       - networking.k8s.io
diff --git a/traefik/templates/rbac/clusterrolebinding.yaml b/traefik/templates/rbac/clusterrolebinding.yaml
@@ -1,5 +1,9 @@
-{{- if and .Values.rbac.enabled (or .Values.providers.kubernetesIngress.enabled (not .Values.rbac.namespaced)) -}}
-{{- if or (not .Values.rbac.namespaced) (not .Values.providers.kubernetesIngress.disableIngressClassLookup) -}}
+{{- if .Values.rbac.enabled }}
+{{- if or
+       (semverCompare ">=v3.1.0-0" (.Values.image.tag | default .Chart.AppVersion))
+       (not .Values.rbac.namespaced)
+       (and .Values.rbac.namespaced .Values.providers.kubernetesIngress.enabled (not .Values.providers.kubernetesIngress.disableIngressClassLookup))
+}}
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/traefik/templates/rbac/role.yaml b/traefik/templates/rbac/role.yaml
@@ -27,7 +27,6 @@ rules:
   - apiGroups:
       - ""
     resources:
-      - nodes
       - services
     verbs:
       - get
@@ -164,7 +163,6 @@ rules:
     resources:
       - namespaces
       - pods
-      - nodes
     verbs:
       - get
       - list
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -89,8 +89,10 @@ tests:
           path: metadata.name
           pattern: ^.*-NAMESPACE$
         template: rbac/clusterrolebinding.yaml
-  - it: should not create cluster scoped RBAC related objects when namespaced and not using ingressclass
+  - it: should not create cluster scoped RBAC related objects when namespaced and not using ingressclass and version <3.1
     set:
+      image:
+        tag: v3.0.0
       rbac:
         namespaced: true
       providers:
@@ -492,15 +494,15 @@ tests:
               - get
               - list
               - watch
-  - it: cluster rbac should not be created when rbac is namespaced, disableIngressClassLookup is true and version is v3
+  - it: cluster rbac should not be created when rbac is namespaced, disableIngressClassLookup is true and version is < v3.1
     set:
+      image:
+        tag: v3.0.0-beta3
       rbac:
         namespaced: true
       providers:
         kubernetesIngress:
           disableIngressClassLookup: true
-      image:
-        tag: v3.0.0-beta3
     asserts:
       - isKind:
           of: Role
@@ -514,7 +516,29 @@ tests:
       - hasDocuments:
           count: 0
         template: rbac/clusterrolebinding.yaml
-  - it: both cluster and namespace rbac should be created when rbac is namespaced, kubernetesIngress is enabled and version is v2
+  - it: cluster rbac should be created when rbac is namespaced, disableIngressClassLookup is true and version is >= v3.1
+    set:
+      image:
+        tag: v3.1.0-rc2
+      rbac:
+        namespaced: true
+      providers:
+        kubernetesIngress:
+          disableIngressClassLookup: true
+    asserts:
+      - isKind:
+          of: Role
+        template: rbac/role.yaml
+      - isKind:
+          of: RoleBinding
+        template: rbac/rolebinding.yaml
+      - isKind:
+          of: ClusterRole
+        template: rbac/clusterrole.yaml
+      - isKind:
+          of: ClusterRoleBinding
+        template: rbac/clusterrolebinding.yaml
+  - it: both cluster and namespace rbac should be created when rbac is namespaced, kubernetesIngress is enabled
     set:
       rbac:
         namespaced: true
@@ -796,7 +820,6 @@ tests:
             apiGroups:
               - ""
             resources:
-              - nodes
               - services
             verbs:
               - get
@@ -1000,7 +1023,6 @@ tests:
             resources:
               - namespaces
               - pods
-              - nodes
             verbs:
               - get
               - list
@@ -1147,4 +1169,37 @@ tests:
               - list
               - get
               - watch
-
+  - it: should not provide nodes RBACS for version < v3.1 if rbac are namespaced
+    set:
+      image:
+        tag: v3.0.1
+      rbac:
+        enabled: true
+        namespaced: true
+      providers:
+        kubernetesIngress:
+          disableIngressClassLookup: true
+    asserts:
+      - template: rbac/clusterrole.yaml
+        hasDocuments:
+          count: 0
+  - it: should provide nodes RBACS for version >= v3.1 even if rbac are namespaced
+    set:
+      image:
+        tag: v3.1.0
+      rbac:
+        enabled: true
+        namespaced: true
+    asserts:
+      - template: rbac/clusterrole.yaml
+        contains:
+          path: rules
+          content:
+            apiGroups:
+              - ""
+            resources:
+              - nodes
+            verbs:
+              - get
+              - list
+              - watch
