MartijnWoudstra
commented
1 month ago @emagiz you should modify the following files for this to work.
charts/portainer/templates/serviceaccount.yamlcharts/portainer/templates/rbac.yamlcharts/portainer/templates/deployment.yaml//need to add condition to not include service account when values.rbac=false not the file under deploy
Are you sure you want to disable the SA when disabling RBAC? This would disable the option to create an SA without having the RBAC. One possible usecase for having a SA but not a CRB would be to use AWS IAM roles for by assigning them to SA's. (see https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html). I understand the view that portainer does not need the SA, but you would block people from having a flexible chart.
samdulam
It seems that the ClusterRoleBinding to the admin ClusterRole is necessary for Portainer to function fully in Kubernetes, particularly for deployments beyond Edge compute features. This enables the option to disable RBAC when full Kubernetes cluster management is not needed.
The current Portainer Helm chart does not provide an option to disable the RBAC-related templates, including ClusterRoleBinding creation, via the values file. This lack of configurability prevents us from aligning with our security requirements.
A proposed solution would be to include a flag in the values file like: rbac: true/false and create the RBAC template accordingly