This is a feature to create Role & RoleBinding entries on a per-namespace basis to support deploying workspaces in a separate namespace from where Coder is deployed. The idea behind this is to avoid the creation of custom RBAC entries or the use of ClusterRoles (in order to maintain the principle of least privilege).
If you have used AI to produce some or all of this PR, please ensure you have read our AI Contribution guidelines before submitting.
This is a blink assisted PR.
Example `helm template` output without `coder.serviceAccount.workspaceNamespaces` enabled (existing behaviour as of the current release) is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (`.Release.Namespace`) namespace.
```
➜ coder git:(feat/helm_namespace_rbac_improvements) ✗ helm template -n coder coder . --set coder.image.tag=v2.25.1
---
...
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
```
Example `helm template` output with `coder.serviceAccount.workspaceNamespaces` enabled is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (`.Release.Namespace`) namespace, PLUS a Role and RoleBinding in the `dev-ws` namespace, with each of the RoleBindings referencing the coder SA in the coder (`.Release.Namespace`) namespace:
```
➜ coder git:(feat/helm_namespace_rbac_improvements) ✗ helm template -n coder coder . --set coder.image.tag=v2.25.1 --set-json 'coder.serviceAccount.workspaceNamespaces=[{"name":"dev-ws","workspacePerms":true,"enableDeployments":true,"extraRules":[]}]'
---
...
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: dev-ws
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: dev-ws
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: coder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
```