aws-efs-csi-driver
Create a values.yaml flag to control ClusterRole permissions required for cross-account EFS mounting
Is your feature request related to a problem?/Why is this needed
There seem to have been previous issues related to this. To achieve cross-account EFS mounting, the efs-csi-controller needs to be able to get/list/watch
secrets in the cluster. This was raised here: https://github.com/kubernetes-sigs/aws-efs-csi-driver/issues/696 in the past, and the response was simply that secrets were disabled due to security reasons, which is understandable.
This is needed as it would mean that consumers don't have to update the templates each time we pull a new version of the chart to our local or environment.
Describe the solution you'd like in detail
Instead of disabling it entirely using comments, could I suggest we add a flag to the values.yaml for EFS CSI Driver to control whether the template uses the policy for the ClusterRole that includes or excludes the secret permissions. Example values.yaml flag: controller.crossAccountPermission: true.
In the controller-serviceaccount.yaml template, we can then add an if statement to deploy it if it is set to true. Example below:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: efs-csi-external-provisioner-role
  labels:
    app.kubernetes.io/name: {{ include "aws-efs-csi-driver.name" . }}
rules:
  ...
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "watch", "list", "delete", "update", "create"]
  {{- if .Values.controller.crossAccountPermission }}
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "watch", "list"]
  {{- end }}
A sample PR has been raised: https://github.com/kubernetes-sigs/aws-efs-csi-driver/pull/1149.
Describe alternatives you've considered
Currently, we are overriding the templates' folder each time we pull the latest EFS CSI Driver helm chart to uncomment the fields for secrets.
Additional context
N/A.
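A check a cluster operator might run on the rendered chart to confirm the flag behaves as intended: the ClusterRole should grant get/list/watch on Secrets only when controller.crossAccountPermission is true, and a broad wildcard rule must not slip past the check. This is an added example, not code from the issue or from the aws-efs-csi-driver project; it assumes the rendered ClusterRole rules have already been loaded into Python lists and dicts (the YAML loading step is omitted so it runs without extra dependencies), and the three sample rule sets below are constructed to mirror the template above.

```python
"""Verify that a rendered ClusterRole's Secret access matches the intended flag.

Added example, not part of the issue or the aws-efs-csi-driver project.
Assumes the ClusterRole's `rules` list has been parsed into Python dicts.
"""

CORE_GROUP = ""                      # core API group, where Secrets live
SECRET_READ_VERBS = {"get", "list", "watch"}


def _matches(values, wanted):
    """True if a rule field lists the wanted value or the wildcard '*'."""
    return "*" in values or wanted in values


def secret_read_verbs(rules):
    """Return the subset of get/list/watch the rules grant on core Secrets.

    Wildcards in apiGroups, resources or verbs count as a match, so an
    over-broad rule is reported rather than silently ignored.
    """
    granted = set()
    for rule in rules:
        if not _matches(rule.get("apiGroups", []), CORE_GROUP):
            continue
        if not _matches(rule.get("resources", []), "secrets"):
            continue
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            return set(SECRET_READ_VERBS)
        granted |= verbs & SECRET_READ_VERBS
    return granted


def grants_secret_read(rules):
    """True if the ClusterRole can read Secrets at all."""
    return bool(secret_read_verbs(rules))


def check_against_flag(rules, cross_account_permission):
    """Compare rendered rules with the values.yaml flag; return findings.

    An empty list means the rendered role is consistent with the flag.
    """
    findings = []
    verbs = secret_read_verbs(rules)
    if cross_account_permission and verbs != SECRET_READ_VERBS:
        findings.append(
            f"flag is true but Secret read verbs are {sorted(verbs)}; "
            f"expected {sorted(SECRET_READ_VERBS)}"
        )
    if not cross_account_permission and verbs:
        findings.append(
            f"flag is false but role still grants {sorted(verbs)} on secrets"
        )
    return findings


# Constructed sample: rules as rendered with the flag set to true.
RULES_FLAG_ON = [
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["get", "watch", "list", "delete", "update", "create"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["get", "watch", "list"]},
]

# Constructed sample: rules as rendered with the flag set to false.
RULES_FLAG_OFF = [
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"],
     "verbs": ["get", "watch", "list", "delete", "update", "create"]},
]

# Constructed sample: an over-broad rule that also reaches Secrets.
RULES_WILDCARD = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]


if __name__ == "__main__":
    for name, rules, flag in (
        ("flag on", RULES_FLAG_ON, True),
        ("flag off", RULES_FLAG_OFF, False),
        ("wildcard, flag off", RULES_WILDCARD, False),
    ):
        problems = check_against_flag(rules, flag)
        print(f"{name}: {'ok' if not problems else '; '.join(problems)}")
```

In practice the `rules` list would come from the output of `helm template` with and without `--set controller.crossAccountPermission=true`, parsed with a YAML library; running the check on both renderings catches a template regression that leaves the Secret rule in place when the flag is off.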