
Commit 61c1d2d

authored
Merge pull request #4563 from illume/revert-upgrade
Revert "charts: Remove ClusterRoleBinding default"
2 parents 5757ee1 + 1c51997 commit 61c1d2d

33 files changed

+434
-3785
lines changed

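--- a/Makefile
+++ b/Makefile
@@ -378,10 +378,6 @@ helm-template-test:
 helm-update-template-version:
 charts/headlamp/tests/update-version.sh
 
-.PHONY: helm-test-pre-upgrade-hook
-helm-test-pre-upgrade-hook:
-charts/headlamp/tests/test-pre-upgrade-hook.sh
-
 # TODO: add windows compatibility
 .PHONY: run-jaeger
 run-jaeger: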

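--- a/charts/headlamp/Chart.yaml
+++ b/charts/headlamp/Chart.yaml
@@ -28,11 +28,6 @@ annotations:
 url: https://keys.openpgp.org/vks/v1/by-fingerprint/2956B7F7167769370C93730C7264DA7B85D08A37
 artifacthub.io/category: monitoring-logging
 artifacthub.io/license: Apache-2.0
-artifacthub.io/changes: |
-- kind: changed
-description: The default ClusterRoleBinding is no longer created by default (ClusterRoleBinding creation is now disabled). Users who want a ClusterRoleBinding must now explicitly enable it and provide a clusterRoleName value, as the default clusterRoleName is now empty.
-- kind: added
-description: Pre-upgrade hook automatically removes old ClusterRoleBinding during upgrades
 artifacthub.io/screenshots: |
 - title: Cluster Overview
 url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/cluster_overview.png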

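--- a/charts/headlamp/README.md
+++ b/charts/headlamp/README.md
@@ -53,16 +53,6 @@ $ helm install my-headlamp headlamp/headlamp \
 --set ingress.hosts[0].paths[0].path=/
 ```
 
-## Upgrading
-
-### Security Improvements
-
-Starting from version 0.39.0, the chart implements enhanced security by default:
-
-- **Removed Permissions**: The default ClusterRoleBinding creation has been disabled (`create: false`), removing the previous `cluster-admin` binding.
-
-**Automatic Migration**: A pre-upgrade hook automatically removes the old `headlamp-admin` ClusterRoleBinding during upgrades to help migrate to the new security configuration. The hook only removes ClusterRoleBindings that were created by Helm, preserving any user-created resources with the same name.
-
 ## Configuration
 
 ### Core Parameters
@@ -158,8 +148,8 @@ config:
 | serviceAccount.create | bool | `true` | Create service account |
 | serviceAccount.name | string | `""` | Service account name |
 | serviceAccount.annotations | object | `{}` | Service account annotations |
-| clusterRoleBinding.create | bool | `false` | Create cluster role binding |
-| clusterRoleBinding.clusterRoleName | string | `""` | Kubernetes ClusterRole name |
+| clusterRoleBinding.create | bool | `true` | Create cluster role binding |
+| clusterRoleBinding.clusterRoleName | string | `"cluster-admin"` | Kubernetes ClusterRole name |
 | clusterRoleBinding.annotations | object | `{}` | Cluster role binding annotations |
 | hostUsers | bool | `true` | Run in host uid namespace |
 | podSecurityContext | object | `{}` | Pod security context (e.g., fsGroup: 2000) |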

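--- a/charts/headlamp/templates/NOTES.txt
+++ b/charts/headlamp/templates/NOTES.txt
@@ -20,15 +20,13 @@
 echo "Visit http://127.0.0.1:8080 to use your application"
 kubectl --namespace {{ include "headlamp.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
+{{- if .Values.clusterRoleBinding.create }}
 {{- if and ( ge .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "24" ) }}
-2. Create a service account using
-kubectl create serviceaccount {{ include "headlamp.serviceAccountName" . }}-admin --namespace {{ include "headlamp.namespace" . }}
-3. Create a clusterrolebinding using
-kubectl create clusterrolebinding {{ include "headlamp.serviceAccountName" . }}-admin --clusterrole=cluster-admin --serviceaccount={{ include "headlamp.namespace" . }}:{{ include "headlamp.serviceAccountName" . }}-admin
-4. Get the token using
-kubectl create token {{ include "headlamp.serviceAccountName" . }}-admin --namespace {{ include "headlamp.namespace" . }}
+2. Get the token using
+kubectl create token {{ include "headlamp.serviceAccountName" . }} --namespace {{ include "headlamp.namespace" . }}
 {{- else }}
-5. Get the clusterrolebinding token using
+2. Get the clusterrolebinding token using
 export SECRET=$(kubectl get secrets --namespace {{ include "headlamp.namespace" . }} -o custom-columns=":metadata.name" | grep "{{ include "headlamp.fullname" . }}-token")
 kubectl get secret $SECRET --namespace {{ include "headlamp.namespace" . }} --template=\{\{.data.token\}\} | base64 --decode
 {{- end }}
+{{- end }}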
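Review bot: The token minted at the new step 2 (`kubectl create token {{ include "headlamp.serviceAccountName" . }}`) is for the service account that this chart's ClusterRoleBinding binds to `clusterRoleBinding.clusterRoleName`, which the README in this same commit defaults to `cluster-admin`, yet the NOTES say nothing about the privilege level of the credential the user is about to paste into a browser. A line under the command, `   This token carries the permissions of the {{ .Values.clusterRoleBinding.clusterRoleName }} ClusterRole; keep it short-lived (e.g. pass --duration) and do not share it.`, would state that plainly. Because the whole block now sits inside `{{- if .Values.clusterRoleBinding.create }}`, an install with `create: false` prints step 1 and then nothing about how to obtain a token at all; a short `{{- else }}` branch telling the user to create their own scoped RoleBinding and token would keep the notes complete. The step-1 text these notes continue from starts above the hunk.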

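--- a/charts/headlamp/templates/clusterrolebinding.yaml
+++ b/charts/headlamp/templates/clusterrolebinding.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-name: {{ include "headlamp.fullname" . }}
+name: {{ include "headlamp.fullname" . }}-admin
 labels:
 {{- include "headlamp.labels" . | nindent 4 }}
 {{- with .Values.clusterRoleBinding.annotations }}
@@ -12,7 +12,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
-name: {{ required "clusterRoleBinding.clusterRoleName is required when clusterRoleBinding.create is true" .Values.clusterRoleBinding.clusterRoleName }}
+name: {{ .Values.clusterRoleBinding.clusterRoleName }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "headlamp.serviceAccountName" . }}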
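Review bot: The `required` guard on `roleRef.name` is dropped in the second hunk, so a release rendered with `clusterRoleBinding.create: true` and an empty `clusterRoleName` now emits a bare `name:` (YAML null) instead of failing at template time, and the user only finds out when the API server rejects the ClusterRoleBinding. Keeping `name: {{ required "clusterRoleBinding.clusterRoleName is required when clusterRoleBinding.create is true" .Values.clusterRoleBinding.clusterRoleName }}` costs nothing now that the README in this commit lists `cluster-admin` as the default, and it still protects anyone who overrides the value with an empty string. With that default every install that leaves the values untouched binds the Headlamp service account in `subjects` to cluster-admin, which is exactly the posture the reverted change had removed; a comment above `roleRef` such as `# Defaults to cluster-admin; set clusterRoleBinding.clusterRoleName to a scoped ClusterRole, or create: false, for least privilege` would make that visible where the binding is defined. The `if .Values.clusterRoleBinding.create` conditional that presumably wraps this template, and the subject's namespace line, are outside the hunk.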

charts/headlamp/templates/pre-upgrade-cleanup.yaml

Lines changed: 0 additions & 127 deletions
This file was deleted.
