feat(helm): configurable RBAC with read-only ClusterRole support (#46)

Signed-off-by: Matteo Mori <matteo.mori@rvu.co.uk>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: MatteoMori8

helm/kagent-tools/templates/clusterrole.yaml

@@ -1,31 +1,95 @@
-{{- if not .Values.useDefaultServiceAccount }}
+{{- if and (not .Values.useDefaultServiceAccount) .Values.rbac.create }}
+{{- if .Values.rbac.readOnly }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kagent.fullname" . }}-cluster-admin-role
+  name: {{ include "kagent.fullname" . }}-read-role
   labels:
     {{- include "kagent.labels" . | nindent 4 }}
 rules:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["*"]
-- nonResourceURLs: ["*"]
-  verbs: ["*"]
----
+  # Core workload resources
+  - apiGroups: [""]
+    resources:
+      - pods
+      - services
+      - endpoints
+      - configmaps
+      - serviceaccounts
+      - persistentvolumeclaims
+      - replicationcontrollers
+      - namespaces
+    verbs: ["get", "list", "watch"]
+
+  # Pod logs (subresource)
+  - apiGroups: [""]
+    resources:
+      - pods/log
+    verbs: ["get", "list"]
+
+  # Events
+  - apiGroups: [""]
+    resources:
+      - events
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["events.k8s.io"]
+    resources:
+      - events
+    verbs: ["get", "list", "watch"]
+
+  # Apps workloads
+  - apiGroups: ["apps"]
+    resources:
+      - deployments
+      - statefulsets
+      - daemonsets
+      - replicasets
+    verbs: ["get", "list", "watch"]
+
+  # Batch workloads
+  - apiGroups: ["batch"]
+    resources:
+      - jobs
+      - cronjobs
+    verbs: ["get", "list", "watch"]
 
+  # Networking
+  - apiGroups: ["networking.k8s.io"]
+    resources:
+      - ingresses
+      - networkpolicies
+    verbs: ["get", "list", "watch"]
+
+  # Autoscaling
+  - apiGroups: ["autoscaling"]
+    resources:
+      - horizontalpodautoscalers
+    verbs: ["get", "list", "watch"]
+
+  {{- if .Values.rbac.allowSecrets }}
+  # Secrets (opt-in)
+  - apiGroups: [""]
+    resources:
+      - secrets
+    verbs: ["get", "list", "watch"]
+  {{- end }}
+
+  {{- with .Values.rbac.additionalRules }}
+  # Additional user-defined rules
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+
+{{- else }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: {{ include "kagent.fullname" . }}-read-role
+  name: {{ include "kagent.fullname" . }}-cluster-admin-role
   labels:
     {{- include "kagent.labels" . | nindent 4 }}
 rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
-  - nonResourceURLs: ["*"]
-    verbs:
-    - get
-    - list
-    - watch
-{{- end }}
+- apiGroups: ["*"]
+  resources: ["*"]
+  verbs: ["*"]
+- nonResourceURLs: ["*"]
+  verbs: ["*"]
+{{- end }}
+{{- end }}

helm/kagent-tools/templates/clusterrolebinding.yaml

@@ -1,46 +1,24 @@
-{{- if not .Values.useDefaultServiceAccount }}
+{{- if and (not .Values.useDefaultServiceAccount) .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
+  {{- if .Values.rbac.readOnly }}
+  name: {{ include "kagent.fullname" . }}-read-rolebinding
+  {{- else }}
   name: {{ include "kagent.fullname" . }}-cluster-admin-rolebinding
+  {{- end }}
   labels:
     {{- include "kagent.labels" . | nindent 4 }}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
+  {{- if .Values.rbac.readOnly }}
+  name: {{ include "kagent.fullname" . }}-read-role
+  {{- else }}
   name: {{ include "kagent.fullname" . }}-cluster-admin-role
+  {{- end }}
 subjects:
 - kind: ServiceAccount
   name: {{ include "kagent.fullname" . }}
   namespace: {{ include "kagent.namespace" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "kagent.fullname" . }}-getter-rolebinding
-  labels:
-    {{- include "kagent.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "kagent.fullname" . }}-getter-role
-subjects:
-- kind: ServiceAccount
-  name: {{ include "kagent.fullname" . }}
-  namespace: {{ include "kagent.namespace" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "kagent.fullname" . }}-writer-rolebinding
-  labels:
-    {{- include "kagent.labels" . | nindent 4 }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ include "kagent.fullname" . }}-writer-role
-subjects:
-- kind: ServiceAccount
-  name: {{ include "kagent.fullname" . }}
-  namespace: {{ include "kagent.namespace" . }}
-{{- end }}
+{{- end }}

helm/kagent-tools/values.yaml

@@ -91,6 +91,25 @@ topologySpreadConstraints: []
 #    topologyKey: topology.kubernetes.io/zone
 #    whenUnsatisfiable: DoNotSchedule
 
+rbac:
+  # When false, no ClusterRole or ClusterRoleBinding are created.
+  # The ServiceAccount is still created allowing you to attach your own roles externally.
+  create: true
+  # When true, deploys a read-only ClusterRole (get, list, watch) instead of cluster-admin.
+  # Pairs well with the --read-only CLI flag which disables write operations at the application layer.
+  # Only applies when rbac.create is true.
+  # Defaults to False as to not introduce breaking changes. Worth revisiting later on.
+  readOnly: false
+  # When readOnly is true, grants read access to Secrets. Default: no access to Secrets.
+  # Ignored when readOnly is false (admin already has full access).
+  allowSecrets: false
+  # Extra rules appended to the read-only ClusterRole.  Useful for granting read access to CRDs (Istio, Cilium, Argo, etc.).
+  # Ignored when readOnly is false (admin already has full access).
+  additionalRules: []
+  #  - apiGroups: ["networking.istio.io"]
+  #    resources: ["virtualservices", "destinationrules", "gateways"]
+  #    verbs: ["get", "list", "watch"]
+
 otel:
   tracing:
     enabled: false