(dev-v2.6-archive) Split RBAC for ConfigMaps and Secrets

Related Issue: https://github.com/rancher/rancher/issues/29013

(partially cherry picked from commit 0fa3a06de0)

packages/rancher-monitoring/overlay/CHANGELOG.md

@@ -12,10 +12,9 @@ All notable changes from the upstream Prometheus Operator chart will be added to
 - Exposed `prometheus.prometheusSpec.ignoreNamespaceSelectors` on values.yaml and set it to `true` by default. This value instructs the default Prometheus server deployed with this chart to ignore the `namespaceSelector` field within any created ServiceMonitor or PodMonitor CRs that it selects. This prevents ServiceMonitors and PodMonitors from configuring the Prometheus scrape configuration to monitor resources outside the namespace that they are deployed in; if a user needs to have one ServiceMonitor / PodMonitor monitor resources within several namespaces, they will need to either disable this default option or create one ServiceMonitor / PodMonitor CR per namespace that they would like to monitor. Relevant fields were also updated in the default README.md
 - Added `grafana.sidecar.dashboards.searchNamespace` to values.yaml with a default value of `grafana-dashboards`. The namespace provided should contain all ConfigMaps with the label `grafana_dashboard` and will be searched by the Grafana Dashboards sidecar for updates. The namespace specified is also created along with this deployment. All default dashboard ConfigMaps have been relocated from the deployment namespace to the namespace specified
 - Added `grafana.sidecar.datasources.searchNamespace` to values.yaml with a default value of `grafana-datasources`. The namespace provided should contain all ConfigMaps with the label `grafana_datasource` and will be searched by the Grafana Datasources sidecar for updates. The namespace specified is also created along with this deployment. All default datasource ConfigMaps have been relocated from the deployment namespace to the namespace specified
-- Added `monitoring-admin`, `monitoring-edit`, and `monitoring-view` default `ClusterRoles` to allow admins to assign roles to users to interact with Prometheus Operator CRs. These can be enabled by setting `.Values.global.rbac.userRoles.create` (default: `true`). In a typical RBAC setup, you might want to assign specific users `monitoring-edit` or `monitoring-view` within a specific namespace to allow them to set up `ServiceMonitors` / `PodMonitors` that only monitor resources within that namespace. If `.Values.global.rbac.userRoles.aggregateRolesForRBAC` is enabled, these ClusterRoles will aggregate into the respective default ClusterRoles provided by Kubernetes
-- Added `grafana-config-edit` and `grafana-config-view` default `ClusterRoles` to allow admins to assign roles to users to interact with Secrets or ConfigMaps utilized by Grafana. These can be enabled by setting `.Values.global.rbac.userRoles.create` (default: `true`). In a typical RBAC setup, you might want to assign the following users with these permissions:
-    - User who needs to be able to persist custom Grafana dashboards from the Grafana UI but does not need to be able to interact with Prometheus CRs: `grafana-config-edit` within the `.Values.grafana.sidecar.dashboards.searchNamespace` (default `grafana-dashboards`) namespace
-    - User who needs to be able to persist new Grafana datasources but does not need to be able to interact with Prometheus CRs: `.Values.grafana.sidecar.datasources.searchNamespace` (default `grafana-datasources`) namespace
+- Added `monitoring-admin`, `monitoring-edit`, and `monitoring-view` default `ClusterRoles` to allow admins to assign roles to users to interact with Prometheus Operator CRs. These can be enabled by setting `.Values.global.rbac.userRoles.create` (default: `true`). In a typical RBAC setup, you might want to use a `ClusterRoleBinding` to bind these roles to a Subject to allow them to set up or view `ServiceMonitors` / `PodMonitors` / `PrometheusRules` and view `Prometheus` or `Alertmanager` CRs across the cluster. If `.Values.global.rbac.userRoles.aggregateRolesForRBAC` is enabled, these ClusterRoles will aggregate into the respective default ClusterRoles provided by Kubernetes
+- Added `monitoring-config-admin`, `monitoring-config-edit` and `monitoring-config-view` default `Roles` to allow admins to assign roles to users to be able to edit / view `Secrets` and `ConfigMaps` within the `cattle-monitoring-system` namespace. These can be enabled by setting `.Values.global.rbac.userRoles.create` (default: `true`). In a typical RBAC setup, you might want to use a `RoleBinding` to bind these roles to a Subject within the `cattle-monitoring-system` namespace to allow them to modify Secrets / ConfigMaps tied to the deployment, such as your Alertmanager Config Secret. 
+- Added `monitoring-dashboard-admin`, `monitoring-dashboard-edit` and `monitoring-dashboard-view` default `Roles` to allow admins to assign roles to users to be able to edit / view `ConfigMaps` within the `grafana-dashboards` namespace. These can be enabled by setting `.Values.global.rbac.userRoles.create` (default: `true`) and deploying Grafana as part of this chart. In a typical RBAC setup, you might want to use a `RoleBinding` to bind these roles to a Subject within the `grafana-dashboards` namespace to allow them to create / modify ConfigMaps that contain the JSON used to persist Grafana Dashboards on the cluster.
 - Added default resource limits for `Prometheus Operator`, `Prometheus`, `AlertManager`, `Grafana`, `kube-state-metrics`, `node-exporter`
 - Added a default template `rancher_defaults.tmpl` to AlertManager that Rancher will offer to users in order to help configure the way alerts are rendered on a notifier. Also updated the default template deployed with this chart to reference that template and added an example of a Slack config using this template as a comment in the `values.yaml`.
 - Added support for private registries via introducing a new field for `global.cattle.systemDefaultRegistry` that, if supplied, will automatically be prepended onto every image used by the chart.

packages/rancher-monitoring/overlay/templates/rancher-monitoring/clusterrole.yaml

@@ -1,5 +1,4 @@
 {{- if and .Values.global.rbac.create .Values.global.rbac.userRoles.create }}
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -31,13 +30,6 @@ rules:
   - podmonitors
   verbs:
   - '*'
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - secrets
-  verbs:
-  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -71,13 +63,6 @@ rules:
   - podmonitors
   verbs:
   - '*'
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - secrets
-  verbs:
-  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
@@ -105,44 +90,4 @@ rules:
   - 'get'
   - 'list'
   - 'watch'
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - secrets
-  verbs:
-  - 'get'
-  - 'list'
-  - 'watch'
-{{- if .Values.grafana.enabled }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: grafana-config-edit
-  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - secrets
-  verbs:
-  - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: grafana-config-view
-  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  - secrets
-  verbs:
-  - 'get'
-  - 'list'
-  - 'watch'
-{{- end }}
 {{- end }}

packages/rancher-monitoring/overlay/templates/rancher-monitoring/config-role.yaml

@@ -0,0 +1,48 @@
+{{- if and .Values.global.rbac.create .Values.global.rbac.userRoles.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: monitoring-config-admin
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: monitoring-config-edit
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: monitoring-config-view
+  namespace: {{ template "kube-prometheus-stack.namespace" . }}
+  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  - secrets
+  verbs:
+  - 'get'
+  - 'list'
+  - 'watch'
+{{- end }}

packages/rancher-monitoring/overlay/templates/rancher-monitoring/dashboard-role.yaml

@@ -0,0 +1,47 @@
+{{- if and .Values.global.rbac.create .Values.global.rbac.userRoles.create .Values.grafana.enabled }}
+{{- if or .Values.grafana.sidecar.dashboards.enabled .Values.grafana.defaultDashboardsEnabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: monitoring-dashboard-admin
+  namespace: {{ .Values.grafana.sidecar.dashboards.searchNamespace }}
+  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: monitoring-dashboard-edit
+  namespace: {{ .Values.grafana.sidecar.dashboards.searchNamespace }}
+  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: monitoring-dashboard-view
+  namespace: {{ .Values.grafana.sidecar.dashboards.searchNamespace }}
+  labels: {{ include "kube-prometheus-stack.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - 'get'
+  - 'list'
+  - 'watch'
+{{- end }}
+{{- end }}