

Embedded cluster role to make podCreate working out of the box #38

Open aballiet opened 4 months ago

aballiet commented 4 months ago

Feature description

Currently one needs to set up a cluster role for Kestra so that it is able to create Pods and stream execution logs.

We do it like this:

# ClusterRole granting Kestra the core-group verbs it needs on Pods and
# Namespaces. Being a ClusterRole, a binding to it applies in every namespace.
# NOTE(review): create/delete on "namespaces" is included — confirm Kestra
# really needs to manage namespaces; if not, a namespaced Role for Pods alone
# is the least-privilege form.
resource "kubernetes_cluster_role" "pod_creator" {
  metadata {
    name = "pod-creator"
  }

  # One rule per resource. RBAC rules are purely additive, so two rules with
  # the same verbs grant exactly what one rule listing both resources would.
  rule {
    api_groups = [""] # core API group
    resources  = ["pods"]
    verbs      = ["get", "list", "watch", "create", "delete"]
  }

  rule {
    api_groups = [""] # core API group
    resources  = ["namespaces"]
    verbs      = ["get", "list", "watch", "create", "delete"]
  }
}

# ClusterRole for reading Pod logs (the "pods/log" subresource). Because it is
# a ClusterRole, a binding to it can read the logs of Pods in every namespace,
# not only the ones Kestra creates — scope it to a namespaced Role where that
# is enough.
resource "kubernetes_cluster_role" "pod_log_reader" {
  metadata {
    name = "pod-log-reader"
  }

  rule {
    verbs      = ["get", "list"]
    resources  = ["pods/log"]
    api_groups = [""] # core API group
  }
}

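# ClusterRole allowing exec into Pods. Exec is command execution inside a
# running container, and as a ClusterRole this covers every Pod in the
# cluster — prefer a namespaced Role where Kestra's task pods live.
resource "kubernetes_cluster_role" "pod_executor" {
  metadata {
    name = "pod-executor"
  }

  rule {
    api_groups = [""] # core API group
    resources  = ["pods/exec"]
    # RBAC verbs are not HTTP methods: the POST that opens an exec session is
    # the "create" verb, and "post" is not an RBAC verb, so the previous
    # "post" entry never matched anything. "get" is kept for clients that
    # still open exec over a GET upgrade.
    verbs      = ["get", "create"]
  }
}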

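# Binds the pod-creator ClusterRole to Kestra's service account.
# NOTE(review): the target is the "default" ServiceAccount of namespace
# "kestra", which every Pod in that namespace without its own
# serviceAccountName uses — a dedicated ServiceAccount for Kestra keeps these
# rights away from other workloads (including any task pods launched there).
resource "kubernetes_cluster_role_binding" "kestra_pod_creator" {
  metadata {
    name = "kestra-pod-creator"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-creator"
  }
  # A ServiceAccount subject is the documented way to reference a service
  # account. The earlier kind = "User" / "system:serviceaccount:kestra:default"
  # spelling relied on the derived username, and the RBAC API documents a
  # namespace on a User subject as an error (current authorizers appear to
  # ignore it rather than reject it).
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}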

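# Binds the pod-log-reader ClusterRole to Kestra's service account.
# NOTE(review): binding the namespace's "default" ServiceAccount hands
# cluster-wide log read access to every Pod in "kestra" that does not set its
# own serviceAccountName; a dedicated ServiceAccount is the safer target.
resource "kubernetes_cluster_role_binding" "kestra_pod_log_reader" {
  metadata {
    name = "kestra-pod-log-reader"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-log-reader"
  }
  # Reference the service account as a ServiceAccount subject rather than as
  # a User named "system:serviceaccount:kestra:default": that form relied on
  # the derived username, and the RBAC API documents a namespace on a User
  # subject as an error.
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}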

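# Binds the pod-executor ClusterRole to Kestra's service account.
# NOTE(review): this is the most sensitive of the three bindings — exec into
# any Pod in the cluster — and it targets the "default" ServiceAccount that
# every Pod in "kestra" without its own serviceAccountName shares. Use a
# dedicated ServiceAccount and, where possible, a namespaced Role instead.
resource "kubernetes_cluster_role_binding" "kestra_pod_executor" {
  metadata {
    name = "kestra-pod-executor"
  }
  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    name      = "pod-executor"
  }
  # ServiceAccount subject instead of a User named
  # "system:serviceaccount:kestra:default": the User form relied on the
  # derived username, and the RBAC API documents a namespace on a User
  # subject as an error.
  subject {
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}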

Instead, it could be embedded directly in the Kestra Helm chart using templating, as Airbyte does here:

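---
# Namespaced Role for the chart's service account (adapted from the Airbyte
# chart). A Role, unlike the ClusterRoles above, limits the grant to the
# release namespace, which is where the chart creates and inspects task pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-role
rules:
  # Only the groups the listed resources live in: pods and their subresources
  # are in the core group (""), jobs are in "batch". A "*" group wildcard would
  # also match any other group serving a resource of the same name.
  - apiGroups: ["", "batch"]
    resources: ["jobs", "pods", "pods/log", "pods/exec", "pods/attach"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]  # over-permission for now
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-binding
roleRef:
  # roleRef.apiGroup must be the RBAC group; the API server rejects a binding
  # whose roleRef uses any other group, and an empty string is not accepted.
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "airbyte.serviceAccountName" . }}-role
subjects:
  - kind: ServiceAccount
    name: {{ include "airbyte.serviceAccountName" . }}
    # ServiceAccount subjects are namespaced; without this field the binding
    # does not resolve to the account the chart creates in the release
    # namespace.
    namespace: {{ .Release.Namespace }}
# The closing "end" below matches a conditional opened before this excerpt.
{{- end }}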