
Embedded cluster role to make podCreate working out of the box

Open aballiet opened this issue 1 year ago • 2 comments

Feature description

Currently one needs to set up a cluster role for Kestra so that it is able to create Pods and stream execution logs.

We do it like this:

resource "kubernetes_cluster_role" "pod_creator" {
  # Cluster-scoped role: read, create and delete namespaces and pods in the
  # core ("") API group. As a ClusterRole it is not limited to one namespace
  # once it is granted through a ClusterRoleBinding.
  metadata {
    name = "pod-creator"
  }

  rule {
    api_groups = [""]
    resources = [
      "namespaces",
      "pods",
    ]
    verbs = [
      "get",
      "list",
      "watch",
      "create",
      "delete",
    ]
  }
}

resource "kubernetes_cluster_role" "pod_log_reader" {
  # Read-only access to the pods/log subresource in every namespace; this is
  # what streaming a task pod's logs back into the execution needs.
  metadata {
    name = "pod-log-reader"
  }

  rule {
    api_groups = [""]
    resources  = ["pods/log"]
    verbs = [
      "get",
      "list",
    ]
  }
}

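resource "kubernetes_cluster_role" "pod_executor" {
  # Allows opening exec sessions into pods in every namespace.
  metadata {
    name = "pod-executor"
  }

  rule {
    api_groups = [""]
    resources  = ["pods/exec"]
    # RBAC has no "post" verb: an exec request is authorised as "create" on the
    # pods/exec subresource (the HTTP POST is mapped to that verb), and "get"
    # covers the GET-based upgrade path used by older clients. A resource rule
    # listing "post" never matches any request, so exec would be denied.
    verbs = ["get", "create"]
  }
}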

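resource "kubernetes_cluster_role_binding" "kestra_pod_creator" {
  # Grants the pod-creator ClusterRole, cluster-wide, to the default service
  # account of the "kestra" namespace. Note that every pod in that namespace
  # which does not set its own serviceAccountName runs as this account and so
  # inherits these rights; a dedicated service account is tighter.
  metadata {
    name = "kestra-pod-creator"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    # Reference the role resource instead of repeating its name: Terraform then
    # creates the binding after the role and the two names cannot drift apart.
    name = kubernetes_cluster_role.pod_creator.metadata[0].name
  }

  subject {
    # A service account is bound as a ServiceAccount subject. Spelling it as a
    # User named "system:serviceaccount:<ns>:<name>" resolves to the same
    # principal but is the non-canonical form and leaves a stray namespace
    # field on a User subject.
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}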

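resource "kubernetes_cluster_role_binding" "kestra_pod_log_reader" {
  # Grants the pod-log-reader ClusterRole, cluster-wide, to the default
  # service account of the "kestra" namespace.
  metadata {
    name = "kestra-pod-log-reader"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    # Reference the role resource instead of repeating its name: Terraform then
    # creates the binding after the role and the two names cannot drift apart.
    name = kubernetes_cluster_role.pod_log_reader.metadata[0].name
  }

  subject {
    # Bind the service account as a ServiceAccount subject rather than as a
    # User named "system:serviceaccount:kestra:default"; both resolve to the
    # same principal, but this is the canonical form and the namespace field
    # is meaningful here.
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}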

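resource "kubernetes_cluster_role_binding" "kestra_pod_executor" {
  # Grants the pod-executor ClusterRole, cluster-wide, to the default service
  # account of the "kestra" namespace.
  metadata {
    name = "kestra-pod-executor"
  }

  role_ref {
    api_group = "rbac.authorization.k8s.io"
    kind      = "ClusterRole"
    # Reference the role resource instead of repeating its name: Terraform then
    # creates the binding after the role and the two names cannot drift apart.
    name = kubernetes_cluster_role.pod_executor.metadata[0].name
  }

  subject {
    # Bind the service account as a ServiceAccount subject rather than as a
    # User named "system:serviceaccount:kestra:default"; both resolve to the
    # same principal, but this is the canonical form and the namespace field
    # is meaningful here.
    kind      = "ServiceAccount"
    name      = "default"
    namespace = "kestra"
  }
}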

Instead, it could be embedded directly in the Kestra Helm chart using templating, as Airbyte does here:

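---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-role
rules:
  # Pods and their log/exec/attach subresources live in the core ("") group.
  # Naming the group instead of "*" keeps the rule from also matching any
  # other API group that happens to expose a resource called "pods".
  - apiGroups: [""]
    resources: ["pods", "pods/log", "pods/exec", "pods/attach"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # still broader than needed
  # Jobs live in the "batch" group.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] # still broader than needed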
---
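apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ include "airbyte.serviceAccountName" . }}-binding
roleRef:
  # roleRef.apiGroup must be the RBAC group; the API server only fills it in
  # when the field is empty, so state it explicitly rather than rely on that.
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "airbyte.serviceAccountName" . }}-role
subjects:
  - kind: ServiceAccount
    name: {{ include "airbyte.serviceAccountName" . }}
    # A RoleBinding defaults an omitted subject namespace to its own; make the
    # release namespace explicit so the bound principal is visible at a glance.
    namespace: {{ .Release.Namespace }}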
{{- end }}

aballiet avatar May 07 '24 17:05 aballiet