kubernetes-sigs
diff --git a/‎Makefile‎
Lines changed: 0 additions & 4 deletions b/‎Makefile‎
Lines changed: 0 additions & 4 deletions
diff --git a/‎charts/headlamp/Chart.yaml‎
Lines changed: 0 additions & 5 deletions b/‎charts/headlamp/Chart.yaml‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎charts/headlamp/README.md‎
Lines changed: 2 additions & 12 deletions b/‎charts/headlamp/README.md‎
Lines changed: 2 additions & 12 deletions
diff --git a/‎charts/headlamp/templates/NOTES.txt‎
Lines changed: 5 additions & 7 deletions b/‎charts/headlamp/templates/NOTES.txt‎
Lines changed: 5 additions & 7 deletions
diff --git a/‎charts/headlamp/templates/clusterrolebinding.yaml‎
Lines changed: 2 additions & 2 deletions b/‎charts/headlamp/templates/clusterrolebinding.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎charts/headlamp/templates/pre-upgrade-cleanup.yaml‎
Lines changed: 0 additions & 127 deletions b/‎charts/headlamp/templates/pre-upgrade-cleanup.yaml‎
Lines changed: 0 additions & 127 deletions
@@ -378,10 +378,6 @@ helm-template-test:
 helm-update-template-version:
 	charts/headlamp/tests/update-version.sh
 
-.PHONY: helm-test-pre-upgrade-hook
-helm-test-pre-upgrade-hook:
-	charts/headlamp/tests/test-pre-upgrade-hook.sh
-
 # TODO: add windows compatibility
 .PHONY: run-jaeger
 run-jaeger:
 
@@ -28,11 +28,6 @@ annotations:
     url: https://keys.openpgp.org/vks/v1/by-fingerprint/2956B7F7167769370C93730C7264DA7B85D08A37
   artifacthub.io/category: monitoring-logging
   artifacthub.io/license: Apache-2.0
-  artifacthub.io/changes: |
-    - kind: changed
-      description: The default ClusterRoleBinding is no longer created by default (ClusterRoleBinding creation is now disabled). Users who want a ClusterRoleBinding must now explicitly enable it and provide a clusterRoleName value, as the default clusterRoleName is now empty.
-    - kind: added
-      description: Pre-upgrade hook automatically removes old ClusterRoleBinding during upgrades
   artifacthub.io/screenshots: |
     - title: Cluster Overview
       url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/cluster_overview.png
 
@@ -53,16 +53,6 @@ $ helm install my-headlamp headlamp/headlamp \
   --set ingress.hosts[0].paths[0].path=/
 ```
 
-## Upgrading
-
-### Security Improvements
-
-Starting from version 0.39.0, the chart implements enhanced security by default:
-
-- **Removed Permissions**: The default ClusterRoleBinding creation has been disabled (`create: false`), removing the previous `cluster-admin` binding.
-
-**Automatic Migration**: A pre-upgrade hook automatically removes the old `headlamp-admin` ClusterRoleBinding during upgrades to help migrate to the new security configuration. The hook only removes ClusterRoleBindings that were created by Helm, preserving any user-created resources with the same name.
-
 ## Configuration
 
 ### Core Parameters
@@ -158,8 +148,8 @@ config:
 | serviceAccount.create | bool | `true` | Create service account |
 | serviceAccount.name | string | `""` | Service account name |
 | serviceAccount.annotations | object | `{}` | Service account annotations |
-| clusterRoleBinding.create | bool | `false` | Create cluster role binding |
-| clusterRoleBinding.clusterRoleName | string | `""` | Kubernetes ClusterRole name |
+| clusterRoleBinding.create | bool | `true` | Create cluster role binding |
+| clusterRoleBinding.clusterRoleName | string | `"cluster-admin"` | Kubernetes ClusterRole name |
 | clusterRoleBinding.annotations | object | `{}` | Cluster role binding annotations |
 | hostUsers | bool | `true` | Run in host uid namespace |
 | podSecurityContext | object | `{}` | Pod security context (e.g., fsGroup: 2000) |
 
@@ -20,15 +20,13 @@
   echo "Visit http://127.0.0.1:8080 to use your application"
   kubectl --namespace {{ include "headlamp.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
+{{- if .Values.clusterRoleBinding.create }}
   {{- if and ( ge .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "24" ) }}
-2. Create a service account using
-  kubectl create serviceaccount {{ include "headlamp.serviceAccountName" . }}-admin --namespace {{ include "headlamp.namespace" . }}
-3. Create a clusterrolebinding using
-  kubectl create clusterrolebinding {{ include "headlamp.serviceAccountName" . }}-admin --clusterrole=cluster-admin --serviceaccount={{ include "headlamp.namespace" . }}:{{ include "headlamp.serviceAccountName" . }}-admin
-4. Get the token using
-  kubectl create token {{ include "headlamp.serviceAccountName" . }}-admin --namespace {{ include "headlamp.namespace" . }}
+2. Get the token using
+  kubectl create token {{ include "headlamp.serviceAccountName" . }} --namespace {{ include "headlamp.namespace" . }}
   {{- else }}
-5. Get the clusterrolebinding token using
+2. Get the clusterrolebinding token using
   export SECRET=$(kubectl get secrets --namespace {{ include "headlamp.namespace" . }} -o custom-columns=":metadata.name" | grep "{{ include "headlamp.fullname" . }}-token")
   kubectl get secret $SECRET --namespace {{ include "headlamp.namespace" . }} --template=\{\{.data.token\}\} | base64 --decode
   {{- end }}
+{{- end }}
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ include "headlamp.fullname" . }}
+  name: {{ include "headlamp.fullname" . }}-admin
   labels:
     {{- include "headlamp.labels" . | nindent 4 }}
   {{- with .Values.clusterRoleBinding.annotations }}
@@ -12,7 +12,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ required "clusterRoleBinding.clusterRoleName is required when clusterRoleBinding.create is true" .Values.clusterRoleBinding.clusterRoleName }}
+  name: {{ .Values.clusterRoleBinding.clusterRoleName }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "headlamp.serviceAccountName" . }}