fluxcd-community / helm-charts

Community maintained Helm charts for Flux
Apache License 2.0
121 stars 76 forks

feat: Add multitenancy privileged mode #112

Closed samueltorres closed 2 years ago

samueltorres commented 2 years ago

What this PR does / why we need it:

This change aims to add the possibility of both kustomize-controller and helm-controller service accounts to not become cluster-admins.

In Kubernetes Clusters with a very aggressive security posture we want to avoid running service accounts with cluster admin privileges.

If the privileged mode is turned off we will only add service account impersonation capabilities to the kustomize-controller and helm-controller service accounts so they can only impersonate other service accounts that are usually set on the Kustomizations / Helm Releases.

Which Issue does it fix:

#111

Special notes for your reviewer:

Checklist
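As an added illustration of the two RBAC shapes the description contrasts (this is not the chart's own templates or the PR's code): the first manifest binds both controller service accounts to cluster-admin, which is the privileged mode; the second grants them only the `impersonate` verb on service accounts, so every reconcile is authorized as the service account named on the Kustomization or HelmRelease. The namespace `flux-system` and the names `cluster-reconciler` and `flux-impersonator` are assumptions.

```yaml
# Privileged mode (what the change lets you turn off): both controllers
# are bound to cluster-admin and can change anything in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-reconciler   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: kustomize-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: helm-controller
    namespace: flux-system
---
# Non-privileged mode: the controllers may only impersonate ServiceAccounts.
# Whatever they apply is authorized against the impersonated tenant SA's
# own RBAC, so a tenant cannot gain more than its SA has been granted.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: flux-impersonator    # assumed name
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["impersonate"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: flux-impersonator    # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: flux-impersonator
subjects:
  - kind: ServiceAccount
    name: kustomize-controller
    namespace: flux-system
  - kind: ServiceAccount
    name: helm-controller
    namespace: flux-system
```

The controllers still need access to Flux's own objects (Kustomizations, HelmReleases, sources) in `flux-system`, which has to be granted separately and is not shown here. A quick check that the lockdown took effect is `kubectl auth can-i create deployments -n some-tenant --as=system:serviceaccount:flux-system:kustomize-controller`, which should answer `no`.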

moritzjohner-form3 commented 2 years ago

Hey @haarchri 👋 could you please take a look 🙏? It would be great to get this in :)

dwerder commented 2 years ago

Can you please add a test for the new feature and clean up the lint errors? Everything else looks good.

samueltorres commented 2 years ago

Can you review again @dwerder ? 🙏

dwerder commented 2 years ago

Can you please add a test?

samueltorres commented 2 years ago

Done :) Added some tests on the creation of the cluster roles and bindings.