feat(chart): allow specificing additional controller rbac

oliverbaehler · oliverbaehler · commit e71f06f68ec0 · 2026-06-08T19:43:19.000+02:00
Signed-off-by: Oliver Baehler &lt;oliver@sudo-i.net&gt;
diff --git a/charts/capsule/README.md b/charts/capsule/README.md
@@ -143,9 +143,11 @@ The following Values have changed key or Value:
 | manager.options.userNames | list | `[]` | DEPRECATED: use users properties. Names of the users considered as Capsule users. |
 | manager.options.users | list | `[{"kind":"Group","name":"projectcapsule.dev"}]` | Define entities which are considered part of the Capsule construct. Users not mentioned here will be ignored by Capsule |
 | manager.options.workers | int | `1` | Workers (MaxConcurrentReconciles) is the maximum number of concurrent Reconciles which can be run (ALPHA). |
+| manager.rbac.clusterRole.extraResources | list | `[]` |  |
 | manager.rbac.create | bool | `true` | Specifies whether RBAC resources should be created. |
 | manager.rbac.existingClusterRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
 | manager.rbac.existingRoles | list | `[]` | Specifies further cluster roles to be added to the Capsule manager service account. |
+| manager.rbac.role.extraResources | list | `[]` |  |
 | manager.rbac.strict | bool | `false` | Strongly restrict the RBAC assigned to Capsule Controller. When set to true you must aggregate further permissions by yourself. |
 | manager.readinessProbe | object | `{"httpGet":{"path":"/readyz","port":10080}}` | Configure the readiness probe using Deployment probe spec |
 | manager.resources | object | `{}` | Set the resource requests/limits for the Capsule manager container |
diff --git a/charts/capsule/ci/test-values.yaml b/charts/capsule/ci/test-values.yaml
@@ -7,10 +7,19 @@ manager:
   options:
     capsuleUserGroups: ["custom-group-1", "custom-group-2"]
     userNames: ["custom-user-1", "custom-user-2"]
-
   rbac:
     create: true
     existingClusterRoles:
     - "view"
     existingRoles:
     - "some-role"
+    role:
+      extraResources:
+        - apiGroups: ["storage.k8s.io"]
+          resources: ["storageclasses"]
+          verbs: ["get", "list", "watch", "update", "patch"]
+    clusterRole:
+      extraResources:
+        - apiGroups: ["storage.k8s.io"]
+          resources: ["storageclasses"]
+          verbs: ["get", "list", "watch", "update", "patch"]
diff --git a/charts/capsule/templates/rbac.yaml b/charts/capsule/templates/rbac.yaml
@@ -1,5 +1,39 @@
 {{- if or (and $.Values.crds.exclusive $.Values.crds.createRBAC) (not $.Values.crds.exclusive) }}
   {{- if $.Values.manager.rbac.create }}
+    {{- with .Values.manager.rbac.clusterRole.extraResources }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: capsule:{{ include "capsule.fullname" $ }}:extra
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+  {{- with $.Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: capsule:{{ $.Release.Name }}:extra
+subjects:
+- kind: ServiceAccount
+  name: {{ include "capsule.serviceAccountName" $ }}
+  namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: capsule:{{ $.Release.Name }}:extra
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+  {{- with $.Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -369,6 +403,40 @@ rules:
   - update
   - patch
   - delete
+{{- with .Values.manager.rbac.role.extraResources }}
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: capsule:{{ include "capsule.fullname" $ }}:extra
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+  {{- with $.Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: capsule:{{ $.Release.Name }}:extra
+subjects:
+- kind: ServiceAccount
+  name: {{ include "capsule.serviceAccountName" $ }}
+  namespace: {{ $.Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: capsule:{{ $.Release.Name }}:extra
+  labels:
+    {{- include "capsule.labels" $ | nindent 4 }}
+  {{- with $.Values.customAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+rules:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
@@ -388,7 +456,6 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get", "list", "watch", "create", "update", "patch"]
-
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/charts/capsule/values.schema.json b/charts/capsule/values.schema.json
@@ -508,6 +508,14 @@
                 "rbac": {
                     "type": "object",
                     "properties": {
+                        "clusterRole": {
+                            "type": "object",
+                            "properties": {
+                                "extraResources": {
+                                    "type": "array"
+                                }
+                            }
+                        },
                         "create": {
                             "description": "Specifies whether RBAC resources should be created.",
                             "type": "boolean"
@@ -520,6 +528,14 @@
                             "description": "Specifies further cluster roles to be added to the Capsule manager service account.",
                             "type": "array"
                         },
+                        "role": {
+                            "type": "object",
+                            "properties": {
+                                "extraResources": {
+                                    "type": "array"
+                                }
+                            }
+                        },
                         "strict": {
                             "description": "Strongly restrict the RBAC assigned to Capsule Controller. When set to true you must aggregate further permissions by yourself.",
                             "type": "boolean"
diff --git a/charts/capsule/values.yaml b/charts/capsule/values.yaml
@@ -131,6 +131,17 @@ manager:
     existingRoles: []
     # - namespace-admin
 
+    role:
+      # - Extra resources provided to the capsule controller ServiceAccount. This can be used to grant permissions for custom resources which are not managed by capsule, but still need to be accessed by the controller. When using this option, you need to provide the name of the ClusterRole which will be created with the specified rules and then bind it to the Capsule ServiceAccount.
+      extraResources: []
+
+    clusterRole:
+      # - Extra resources provided to the capsule controller ServiceAccount. This can be used to grant permissions for custom resources which are not managed by capsule, but still need to be accessed by the controller. When using this option, you need to provide the name of the ClusterRole which will be created with the specified rules and then bind it to the Capsule ServiceAccount.
+      extraResources: []
+      #  - apiGroups: ["storage.k8s.io"]
+      #    resources: ["storageclasses"]
+      #    verbs: ["get", "list", "watch", "update", "patch"]
+
   # -- Set the controller deployment mode as `Deployment` or `DaemonSet`.
   kind: Deployment
 
