charts: Remove ClusterRole default

charts: reduce default ClusterRoleBinding permissions

- Change default ClusterRole from 'cluster-admin' to 'view' in
values.yaml.
- Remove '-admin' suffix from ClusterRoleBinding name to reflect the
generic usage.

charts: update docs and tests for reduced permissions

Update README.md to reflect new default clusterRoleName of "view"
instead of "cluster-admin". Update all test expected templates
to use the new ClusterRoleBinding name "headlamp" (removed -admin
suffix) and roleRef name "view" instead of "cluster-admin".

charts: add pre-upgrade hook for ClusterRoleBinding migration

Add automated upgrade path for breaking changes introduced by the
security improvements. A pre-upgrade hook now automatically removes
the old "headlamp-admin" ClusterRoleBinding during upgrades, ensuring
existing deployments properly migrate to the new "headlamp" binding
with reduced permissions.

Changes:
- Add pre-upgrade-cleanup.yaml hook template that safely deletes old
binding
- Hook verifies ClusterRoleBinding was created by Helm before deletion
- Checks app.kubernetes.io labels to prevent removing user-created
resources
- Update Chart.yaml with changelog annotations
- Add upgrade documentation to README explaining security changes
- Regenerate all test expected templates to include hook resources

The hook uses a Job with minimal RBAC permissions to safely clean up
the old ClusterRoleBinding. It runs before the upgrade proceeds and
is automatically cleaned up after success. User-created
ClusterRoleBindings
with the same name are preserved.

charts: update tests, set clusterrolebiding to false by default and add instructions for creating crb manually

fixed expected test after rebasing against main

Author: cacarico

charts/headlamp/Chart.yaml

@@ -28,6 +28,11 @@ annotations:
     url: https://keys.openpgp.org/vks/v1/by-fingerprint/2956B7F7167769370C93730C7264DA7B85D08A37
   artifacthub.io/category: monitoring-logging
   artifacthub.io/license: Apache-2.0
+  artifacthub.io/changes: |
+    - kind: changed
+      description: The default ClusterRoleBinding is no longer created by default (ClusterRoleBinding creation is now disabled)
+    - kind: added
+      description: Pre-upgrade hook automatically removes old ClusterRoleBinding during upgrades
   artifacthub.io/screenshots: |
     - title: Cluster Overview
       url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/cluster_overview.png

charts/headlamp/README.md

@@ -53,6 +53,16 @@ $ helm install my-headlamp headlamp/headlamp \
   --set ingress.hosts[0].paths[0].path=/
 ```
 
+## Upgrading
+
+### Security Improvements
+
+Starting from version 0.39.0, the chart implements enhanced security by default:
+
+- **Removed Permissions**: The default ClusterRoleBinding creation has been disabled (`create: false`), removing the previous `cluster-admin` binding.
+
+**Automatic Migration**: When `clusterRoleBinding.create` is enabled, a pre-upgrade hook removes the old `headlamp-admin` ClusterRoleBinding during upgrades to help migrate to the new security configuration. If you have disabled this option or manage ClusterRoleBindings manually, you must remove any existing `headlamp-admin` ClusterRoleBinding yourself.
+
 ## Configuration
 
 ### Core Parameters
@@ -148,8 +158,8 @@ config:
 | serviceAccount.create | bool | `true` | Create service account |
 | serviceAccount.name | string | `""` | Service account name |
 | serviceAccount.annotations | object | `{}` | Service account annotations |
-| clusterRoleBinding.create | bool | `true` | Create cluster role binding |
-| clusterRoleBinding.clusterRoleName | string | `"cluster-admin"` | Kubernetes ClusterRole name |
+| clusterRoleBinding.create | bool | `false` | Create cluster role binding |
+| clusterRoleBinding.clusterRoleName | string | `""` | Kubernetes ClusterRole name |
 | clusterRoleBinding.annotations | object | `{}` | Cluster role binding annotations |
 | hostUsers | bool | `true` | Run in host uid namespace |
 | podSecurityContext | object | `{}` | Pod security context (e.g., fsGroup: 2000) |

charts/headlamp/templates/NOTES.txt

@@ -20,13 +20,15 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ include "headlamp.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
-{{- if .Values.clusterRoleBinding.create }}
   {{- if and ( ge .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "24" ) }}
-2. Get the token using
-  kubectl create token {{ include "headlamp.serviceAccountName" . }} --namespace {{ include "headlamp.namespace" . }}
+2. Create a service account using
+  kubectl create serviceaccount {{ include "headlamp.serviceAccountName" . }}-admin --namespace {{ include "headlamp.namespace" . }}
+3. Create a clusterrolebinding using
+  kubectl create clusterrolebinding {{ include "headlamp.serviceAccountName" . }}-admin --clusterrole=cluster-admin --serviceaccount={{ include "headlamp.namespace" . }}:{{ include "headlamp.serviceAccountName" . }}-admin
+4. Get the token using
+  kubectl create token {{ include "headlamp.serviceAccountName" . }}-admin --namespace {{ include "headlamp.namespace" . }}
   {{- else }}
-2. Get the clusterrolebinding token using
+5. Get the clusterrolebinding token using
   export SECRET=$(kubectl get secrets --namespace {{ include "headlamp.namespace" . }} -o custom-columns=":metadata.name" | grep "{{ include "headlamp.fullname" . }}-token")
   kubectl get secret $SECRET --namespace {{ include "headlamp.namespace" . }} --template=\{\{.data.token\}\} | base64 --decode
   {{- end }}
-{{- end }}

charts/headlamp/templates/clusterrolebinding.yaml

@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "headlamp.fullname" . }}-admin
+  name: {{ include "headlamp.fullname" . }}
   labels:
     {{- include "headlamp.labels" . | nindent 4 }}
   {{- with .Values.clusterRoleBinding.annotations }}

charts/headlamp/templates/pre-upgrade-cleanup.yaml

@@ -0,0 +1,123 @@
+{{- if .Values.clusterRoleBinding.create -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "headlamp.fullname" . }}-pre-upgrade
+  namespace: {{ include "headlamp.namespace" . }}
+  labels:
+    {{- include "headlamp.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "headlamp.fullname" . }}-pre-upgrade
+  labels:
+    {{- include "headlamp.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["clusterrolebindings"]
+  verbs: ["get", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "headlamp.fullname" . }}-pre-upgrade
+  labels:
+    {{- include "headlamp.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "headlamp.fullname" . }}-pre-upgrade
+subjects:
+- kind: ServiceAccount
+  name: {{ include "headlamp.fullname" . }}-pre-upgrade
+  namespace: {{ include "headlamp.namespace" . }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "headlamp.fullname" . }}-pre-upgrade
+  namespace: {{ include "headlamp.namespace" . }}
+  labels:
+    {{- include "headlamp.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-3"
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+spec:
+  ttlSecondsAfterFinished: 300
+  template:
+    metadata:
+      name: {{ include "headlamp.fullname" . }}-pre-upgrade
+      labels:
+        {{- include "headlamp.labels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "headlamp.fullname" . }}-pre-upgrade
+      restartPolicy: Never
+      containers:
+      - name: pre-upgrade-cleanup
+        image: alpine/kubectl:1.35.0@sha256:e7e078c7bb25012141e5957d500834b2a5b266d6de20ecfa862b30d8a892fc7e
+        command:
+        - /bin/sh
+        - -c
+        - |
+          set -e
+          CRB_NAME="{{ include "headlamp.fullname" . }}-admin"
+          RELEASE_NAME="{{ .Release.Name }}"
+
+          echo "Checking for old ClusterRoleBinding ${CRB_NAME}..."
+
+          if ! kubectl get clusterrolebinding "${CRB_NAME}" 2>/dev/null; then
+            echo "ClusterRoleBinding ${CRB_NAME} not found, nothing to clean up"
+            exit 0
+          fi
+
+          echo "Found ClusterRoleBinding ${CRB_NAME}, verifying it was created by Helm..."
+
+          # Check if the ClusterRoleBinding has Helm labels indicating it was created by this chart
+          MANAGED_BY=$(kubectl get clusterrolebinding "${CRB_NAME}" -o jsonpath='{.metadata.labels.app\.kubernetes\.io/managed-by}' 2>/dev/null || echo "")
+          INSTANCE=$(kubectl get clusterrolebinding "${CRB_NAME}" -o jsonpath='{.metadata.labels.app\.kubernetes\.io/instance}' 2>/dev/null || echo "")
+          APP_NAME=$(kubectl get clusterrolebinding "${CRB_NAME}" -o jsonpath='{.metadata.labels.app\.kubernetes\.io/name}' 2>/dev/null || echo "")
+
+          if [ "${MANAGED_BY}" = "Helm" ] && [ "${INSTANCE}" = "${RELEASE_NAME}" ] && [ "${APP_NAME}" = "headlamp" ]; then
+            echo "Confirmed: ${CRB_NAME} was created by this Helm release (${RELEASE_NAME})"
+            echo "Deleting old ClusterRoleBinding..."
+            kubectl delete clusterrolebinding "${CRB_NAME}"
+            echo "Successfully deleted old ClusterRoleBinding"
+          else
+            echo "WARNING: ${CRB_NAME} exists but was NOT created by this Helm release"
+            echo "  managed-by: ${MANAGED_BY} (expected: Helm)"
+            echo "  instance: ${INSTANCE} (expected: ${RELEASE_NAME})"
+            echo "  app: ${APP_NAME} (expected: headlamp)"
+            echo "Skipping deletion to preserve user-created resource"
+          fi
+        resources:
+          requests:
+            cpu: 10m
+            memory: 64Mi
+          limits:
+            cpu: 100m
+            memory: 128Mi
+
+        securityContext:
+          {{- toYaml .Values.podSecurityContext | nindent 10 }}
+        volumeMounts:
+        - name: tmp
+          mountPath: /tmp
+      volumes:
+      - name: tmp
+        emptyDir: {}
+{{- end }}

charts/headlamp/tests/expected_templates/azure-oidc-with-validators.yaml

@@ -12,26 +12,6 @@ metadata:
     app.kubernetes.io/version: "0.39.0"
     app.kubernetes.io/managed-by: Helm
 ---
-# Source: headlamp/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: headlamp-admin
-  labels:
-    helm.sh/chart: headlamp-0.39.0
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: headlamp
-    app.kubernetes.io/version: "0.39.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: headlamp
-  namespace: default
----
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service

charts/headlamp/tests/expected_templates/default.yaml

@@ -21,26 +21,6 @@ metadata:
 type: Opaque
 data:
 ---
-# Source: headlamp/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: headlamp-admin
-  labels:
-    helm.sh/chart: headlamp-0.39.0
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: headlamp
-    app.kubernetes.io/version: "0.39.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: headlamp
-  namespace: default
----
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service

charts/headlamp/tests/expected_templates/extra-args.yaml

@@ -21,26 +21,6 @@ metadata:
 type: Opaque
 data:
 ---
-# Source: headlamp/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: headlamp-admin
-  labels:
-    helm.sh/chart: headlamp-0.39.0
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: headlamp
-    app.kubernetes.io/version: "0.39.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: headlamp
-  namespace: default
----
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service

charts/headlamp/tests/expected_templates/extra-manifests.yaml

@@ -38,26 +38,6 @@ metadata:
 data:
   injectedKey: headlamp
 ---
-# Source: headlamp/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: headlamp-admin
-  labels:
-    helm.sh/chart: headlamp-0.39.0
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: headlamp
-    app.kubernetes.io/version: "0.39.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: headlamp
-  namespace: default
----
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service

charts/headlamp/tests/expected_templates/host-users-override.yaml

@@ -21,26 +21,6 @@ metadata:
 type: Opaque
 data:
 ---
-# Source: headlamp/templates/clusterrolebinding.yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: headlamp-admin
-  labels:
-    helm.sh/chart: headlamp-0.39.0
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: headlamp
-    app.kubernetes.io/version: "0.39.0"
-    app.kubernetes.io/managed-by: Helm
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: headlamp
-  namespace: default
----
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service