From 3e2ebd04cac6681290fe4a0426d604d9ddd30158 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Patryk=20Ma=C5=82ek?= Date: Mon, 10 Jun 2024 13:55:33 +0200 Subject: [PATCH] feat(kong): add rbac policy rules for customentities (#1081) * feat(kong): add rbac policy rules for customentities * chore: update golden tests * chore: do not release 2.39.0 just yet --- charts/kong/CHANGELOG.md | 2 + .../custom-entities-rbac-3.2-values.snap | 975 ++++++++++++++++++ .../ci/custom-entities-rbac-3.2-values.yaml | 19 + charts/kong/templates/_helpers.tpl | 18 + 4 files changed, 1014 insertions(+) create mode 100644 charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap create mode 100644 charts/kong/ci/custom-entities-rbac-3.2-values.yaml diff --git a/charts/kong/CHANGELOG.md b/charts/kong/CHANGELOG.md index 1189420fd..3018cb3ee 100644 --- a/charts/kong/CHANGELOG.md +++ b/charts/kong/CHANGELOG.md @@ -21,6 +21,8 @@ Earlier versions checked all Secrets and did not require labels, interfering with non-KIC labels. Requires KIC 3.0+. [#1061](https://github.com/Kong/charts/pull/1061) +* Add RBAC policy rules for Custom Entities + [#1081](https://github.com/Kong/charts/pull/1081) ## 2.38.0 diff --git a/charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap b/charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap new file mode 100644 index 000000000..a85a1c638 --- /dev/null +++ b/charts/kong/ci/__snapshots__/custom-entities-rbac-3.2-values.snap @@ -0,0 +1,975 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default +--- +apiVersion: v1 +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validation-webhook-ca-keypair + namespace: default +type: kubernetes.io/tls +--- +apiVersion: v1 +data: + tls.crt: '###DYNAMIC_FIELD###' + tls.key: '###DYNAMIC_FIELD###' +kind: Secret +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validation-webhook-keypair + namespace: default +type: kubernetes.io/tls +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong +rules: + - apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update + - apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - konglicenses + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - konglicenses/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch + - apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: chartsnap-kong +subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resourceNames: + - kong-ingress-controller-leader-kong-kong + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - services + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: chartsnap-kong +subjects: + - kind: ServiceAccount + name: chartsnap-kong + namespace: default +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validation-webhook + namespace: default +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-manager + namespace: default +spec: + ports: + - name: kong-manager + port: 8002 + protocol: TCP + targetPort: 8002 + - name: kong-manager-tls + port: 8445 + protocol: TCP + targetPort: 8445 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: NodePort +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + enable-metrics: "true" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-proxy + namespace: default +spec: + ports: + - name: kong-proxy + port: 80 + protocol: TCP + targetPort: 8000 + - name: kong-proxy-tls + port: 443 + protocol: TCP + targetPort: 8443 + selector: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + type: LoadBalancer +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/name: kong + template: + metadata: + annotations: + kuma.io/gateway: enabled + kuma.io/service-account-token-volume: chartsnap-kong-token + traffic.sidecar.istio.io/includeInboundPorts: "" + labels: + app: chartsnap-kong + app.kubernetes.io/component: app + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + version: "3.6" + spec: + automountServiceAccountToken: false + containers: + - args: null + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTROLLER_ADMISSION_WEBHOOK_LISTEN + value: 0.0.0.0:8080 + - name: CONTROLLER_ANONYMOUS_REPORTS + value: "false" + - name: CONTROLLER_ELECTION_ID + value: kong-ingress-controller-leader-kong + - name: CONTROLLER_INGRESS_CLASS + value: kong + - name: CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY + value: "true" + - name: CONTROLLER_KONG_ADMIN_URL + value: https://localhost:8444 + - name: CONTROLLER_PUBLISH_SERVICE + value: default/chartsnap-kong-proxy + image: kong/nightly-ingress-controller:2024-06-09 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: ingress-controller + ports: + - containerPort: 8080 + name: webhook + protocol: TCP + - containerPort: 10255 + name: cmetrics + protocol: TCP + - containerPort: 10254 + name: cstatus + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /readyz + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /admission-webhook + name: webhook-cert + readOnly: true + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: chartsnap-kong-token + readOnly: true + - env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: "off" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: "off" + - name: KONG_NGINX_DAEMON + value: "off" + image: kong:3.6 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - kong + - quit + - --wait=15 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + name: proxy + ports: + - containerPort: 8000 + name: proxy + protocol: TCP + - containerPort: 8443 + name: proxy-tls + protocol: TCP + - containerPort: 8100 + name: status + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /status + port: status + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + initContainers: + - command: + - rm + - -vrf + - $KONG_PREFIX/pids + env: + - name: KONG_ADMIN_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_GUI_ACCESS_LOG + value: /dev/stdout + - name: KONG_ADMIN_GUI_ERROR_LOG + value: /dev/stderr + - name: KONG_ADMIN_LISTEN + value: 127.0.0.1:8444 http2 ssl, [::1]:8444 http2 ssl + - name: KONG_ANONYMOUS_REPORTS + value: "off" + - name: KONG_CLUSTER_LISTEN + value: "off" + - name: KONG_DATABASE + value: "off" + - name: KONG_KIC + value: "on" + - name: KONG_LUA_PACKAGE_PATH + value: /opt/?.lua;/opt/?/init.lua;; + - name: KONG_NGINX_WORKER_PROCESSES + value: "2" + - name: KONG_PORTAL_API_ACCESS_LOG + value: /dev/stdout + - name: KONG_PORTAL_API_ERROR_LOG + value: /dev/stderr + - name: KONG_PORT_MAPS + value: 80:8000, 443:8443 + - name: KONG_PREFIX + value: /kong_prefix/ + - name: KONG_PROXY_ACCESS_LOG + value: /dev/stdout + - name: KONG_PROXY_ERROR_LOG + value: /dev/stderr + - name: KONG_PROXY_LISTEN + value: 0.0.0.0:8000, [::]:8000, 0.0.0.0:8443 http2 ssl, [::]:8443 http2 ssl + - name: KONG_PROXY_STREAM_ACCESS_LOG + value: /dev/stdout basic + - name: KONG_PROXY_STREAM_ERROR_LOG + value: /dev/stderr + - name: KONG_ROUTER_FLAVOR + value: traditional + - name: KONG_STATUS_ACCESS_LOG + value: "off" + - name: KONG_STATUS_ERROR_LOG + value: /dev/stderr + - name: KONG_STATUS_LISTEN + value: 0.0.0.0:8100, [::]:8100 + - name: KONG_STREAM_LISTEN + value: "off" + image: kong:3.6 + imagePullPolicy: IfNotPresent + name: clear-stale-pid + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /kong_prefix/ + name: chartsnap-kong-prefix-dir + - mountPath: /tmp + name: chartsnap-kong-tmp + securityContext: {} + serviceAccountName: chartsnap-kong + terminationGracePeriodSeconds: 30 + volumes: + - emptyDir: + sizeLimit: 256Mi + name: chartsnap-kong-prefix-dir + - emptyDir: + sizeLimit: 1Gi + name: chartsnap-kong-tmp + - name: chartsnap-kong-token + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: webhook-cert + secret: + secretName: chartsnap-kong-validation-webhook-keypair +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + app.kubernetes.io/instance: chartsnap + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kong + app.kubernetes.io/version: "3.6" + helm.sh/chart: kong-2.38.0 + name: chartsnap-kong-validations + namespace: default +webhooks: + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: konghq.com/credential + operator: Exists + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None + - admissionReviewVersions: + - v1beta1 + clientConfig: + caBundle: '###DYNAMIC_FIELD###' + service: + name: chartsnap-kong-validation-webhook + namespace: default + failurePolicy: Ignore + name: validations.kong.konghq.com + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins + - kongclusterplugins + - kongingresses + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - services + - apiGroups: + - networking.k8s.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - v1alpha2 + - v1beta1 + - v1 + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes + sideEffects: None diff --git a/charts/kong/ci/custom-entities-rbac-3.2-values.yaml b/charts/kong/ci/custom-entities-rbac-3.2-values.yaml new file mode 100644 index 000000000..c3206b8d2 --- /dev/null +++ b/charts/kong/ci/custom-entities-rbac-3.2-values.yaml @@ -0,0 +1,19 @@ +env: + anonymous_reports: "off" + +ingressController: + env: + anonymous_reports: "false" + image: + repository: kong/nightly-ingress-controller + tag: "2024-06-09" + # Unreleased yet so use the nightly and the effective semver + effectiveSemver: "3.2" + +readinessProbe: + httpGet: + path: "/status" + port: status + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 1 diff --git a/charts/kong/templates/_helpers.tpl b/charts/kong/templates/_helpers.tpl index e0f2a317d..c3528b486 100644 --- a/charts/kong/templates/_helpers.tpl +++ b/charts/kong/templates/_helpers.tpl @@ -1290,6 +1290,24 @@ role sets used in the charts. Updating these requires separating out cluster resource roles into their separate templates. */}} {{- define "kong.kubernetesRBACRules" -}} +{{- if (semverCompare ">= 3.2.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update +{{- end }} {{- if and (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) (contains (print .Values.ingressController.env.feature_gates) "KongServiceFacade=true") }} - apiGroups: