
Commit

Removing accessible namespaces as part of the new discovery selector …
jmazzitelli committed Aug 3, 2024
1 parent 6be2d49 commit a7d2d3f
Showing 5 changed files with 13 additions and 28 deletions.
2 changes: 1 addition & 1 deletion README.adoc
@@ -65,7 +65,7 @@ helm uninstall -n kiali-operator kiali-operator

==== Overriding values

You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "deployment.accessible_namespaces={bookinfo,demo2}"`. You can set individual list items using square brackets: `--set deployment.accessible_namespaces[0]=bookinfo`.
You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "kubernetes_config.excluded_workloads={CronJob,Job}"`. You can set individual list items using square brackets: `--set kubernetes_config.excluded_workloads[0]=CronJob`.

If you locally built and pushed your Kiali server and Kiali operator images to your cluster, you can have the helm chart installations pull those images by the following settings:

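Review bot: the `--set` example now documents `kubernetes_config.excluded_workloads`, but nothing in this README shows how to set the replacement for the removed list, which is the boolean `cr.spec.deployment.cluster_wide_access` introduced in the values.yaml hunks of this commit. Suggest adding one line next to the other `--set` examples, such as `--set cr.spec.deployment.cluster_wide_access=false` for the operator chart, so users migrating away from `deployment.accessible_namespaces` can find the new key and see that it is a boolean rather than a list.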
2 changes: 1 addition & 1 deletion kiali-operator/templates/clusterrole.yaml
@@ -113,7 +113,7 @@ rules:
- list
- apiGroups: ["rbac.authorization.k8s.io"]
resources:
{{- if or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.clusterRoleCreator) }}
{{- if or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.clusterRoleCreator) }}
- clusterrolebindings
- clusterroles
{{- end }}
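Review bot: the new condition `(.Values.cr.spec.deployment.cluster_wide_access)` relies on Go-template truthiness, so a non-empty string such as `"false"` (from `--set-string`, or a quoted value in a user's values file) evaluates as true and grants `clusterroles` and `clusterrolebindings` to the operator. Consider `(eq (toString .Values.cr.spec.deployment.cluster_wide_access) "true")`, or document in values.yaml that the key must be an unquoted YAML boolean. Note also that `clusterRoleCreator` defaults to `true` in this chart, so the `or` short-circuits and this branch is always taken on a default install; the tightening only matters for users who set `clusterRoleCreator=false`.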
4 changes: 1 addition & 3 deletions kiali-operator/templates/deployment.yaml
@@ -87,9 +87,7 @@ spec:
- name: ALLOW_SECURITY_CONTEXT_OVERRIDE
value: {{ .Values.allowSecurityContextOverride | quote }}
- name: ALLOW_ALL_ACCESSIBLE_NAMESPACES
value: {{ or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.allowAllAccessibleNamespaces) | quote }}
- name: ACCESSIBLE_NAMESPACES_LABEL
value: {{ .Values.accessibleNamespacesLabel | quote }}
value: {{ or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.allowAllAccessibleNamespaces) | quote }}
- name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
value: "100"
- name: ANSIBLE_DEBUG_LOGS
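Review bot: removing the `ACCESSIBLE_NAMESPACES_LABEL` env var changes the operator's contract, and the Ansible code that reads it lives outside this chart, so this hunk should land together with the operator change that stops consuming the variable; an operator image that still expects it would see an unset value, which it previously treated as "feature disabled", so the mismatch would be silent rather than loud. The retained `ALLOW_ALL_ACCESSIBLE_NAMESPACES` value has the same truthiness caveat as the clusterrole template: `.Values.cr.spec.deployment.cluster_wide_access` is passed straight into `and`, so a quoted `"false"` is truthy and the operator would be told to allow cluster-wide access. A short comment in values.yaml that the key must be an unquoted boolean would avoid a surprising grant.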
26 changes: 7 additions & 19 deletions kiali-operator/values.yaml
@@ -39,9 +39,9 @@ debug:
watchNamespace: ""

# Set to true if you want the operator to be able to create cluster roles. This is necessary
# if you want to support Kiali CRs with spec.deployment.accessible_namespaces of '**'.
# if you want to support Kiali CRs with spec.deployment.cluster_wide_access=true.
# Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also.
# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
clusterRoleCreator: true

# Set to a list of secrets in the cluster that the operator will be allowed to read. This is necessary if you want to
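Review bot: the rewritten line `# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.` keeps the misspelling "overriden" (should be "overridden"); since the line is being touched anyway, fix it here. The comment also states that `clusterRoleCreator: true` requires `allowAllAccessibleNamespaces` to be `true`, but nothing in the templates checks the pair; a `fail` in the template when one is true and the other false would turn a silent misconfiguration into an install-time error.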
@@ -83,22 +83,12 @@ allowAdHocOSSMConsoleImage: false
allowSecurityContextOverride: false

# allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali
# to access all namespaces in the cluster via spec.deployment.accessible_namespaces=['**'].
# If this is false, the user must specify an explicit list of namespaces in the Kiali CR.
# to access all namespaces in the cluster via spec.deployment.cluster_wide_access=true.
# If this is false, the user must specify an explicit set of namespaces in the Kiali CR via spec.deployment.discovery_selectors.
# Setting this to "true" requires clusterRoleCreator to be "true" also.
# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
allowAllAccessibleNamespaces: true

# accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces.
# This value is either an empty string (which disables this feature) or a label name with an optional label value
# (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in
# spec.deployment.accessible_namespaces. Any namespace not labeled properly but specified in accessible_namespaces will cause
# the operator to abort the Kiali installation.
# If just a label name (but no label value) is specified, the label value the operator will look for is the value of
# the Kiali CR's spec.istio_namespace. In other words, the operator will look for the named label whose value must be the name
# of the Istio control plane namespace (which is typically, but not necessarily, "istio-system").
accessibleNamespacesLabel: ""

# watchesFile: If specified, this determines what watches file will be used to configure the operator. There are four different
# files that can be selected: (a) `watches-os.yaml`, (b) `watches-os-ns.yaml`, (c) `watches-k8s.yaml` or (d) `watches-k8s-ns.yaml`.
# The first two are for OpenShift only, the last two are for non-OpenShift Kubernetes clusters. The two with "-ns" in their name
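Review bot: this hunk deletes `accessibleNamespacesLabel`, which was the chart's only mechanism for restricting which namespaces a Kiali CR author could request (the old comment says the operator aborted the install if a listed namespace lacked the label). The new comment points users to `spec.deployment.discovery_selectors`, but no replacement guard appears here, so a CR author who can set discovery selectors appears to be able to request any namespace the operator can reach. If the operator enforces an equivalent limit for discovery selectors, say so in this comment; if not, the removed guardrail should be called out as a behaviour change in the commit message or release notes. The "overriden" typo is repeated on the new line in this hunk as well.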
@@ -107,8 +97,7 @@ accessibleNamespacesLabel: ""
# the default behavior and is not necessary if your Kiali CRs will have `spec.deployment.cluster_wide_access` set to `true`.
watchesFile: ""

# For what a Kiali CR spec can look like, see:
# https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
# For what a Kiali CR spec can look like, see: https://kiali.io/docs/configuration/kialis.kiali.io/
cr:
create: false
name: kiali
@@ -122,5 +111,4 @@ cr:

spec:
deployment:
accessible_namespaces:
- '**'
cluster_wide_access: true
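Review bot: the sample CR now defaults to `cluster_wide_access: true`, which together with `clusterRoleCreator: true` and `allowAllAccessibleNamespaces: true` above means a `cr.create=true` install is cluster-wide unless the user opts out. That matches the previous `'**'` default, but a bare boolean reads less obviously as "every namespace" than the wildcard did; add a comment above it stating that `true` grants cluster-wide visibility and that least-privilege installs should set it to `false` and configure `spec.deployment.discovery_selectors`. Also worth confirming that the indentation places `cluster_wide_access` under `deployment:`, since the rendered diff flattens it.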
7 changes: 3 additions & 4 deletions kiali-server/values.yaml
@@ -37,15 +37,14 @@ clustering:
clusters: []

deployment:
# This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
# For more control over what the Kial Service Account can see, use the Kiali Operator
accessible_namespaces:
- "**"
additional_service_yaml: {}
affinity:
node: {}
pod: {}
pod_anti: {}
# This server helm chart sets up a Service Account that allows Kiali to see all namespaces in the cluster.
# For more control over what the Kial Service Account can see, use the Kiali Operator.
cluster_wide_access: true
configmap_annotations: {}
custom_secrets: []
dns:
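Review bot: the new comment drops the old sentence that the setting "only limits what Kiali will attempt to see", which was the important caveat: in the server chart the Service Account is cluster-wide regardless, so setting `cluster_wide_access: false` here narrows Kiali's view but does not reduce the permissions the account holds. Suggest keeping that sentence alongside the new wording, and fix "Kial" to "Kiali" on the line being rewritten (`# For more control over what the Kial Service Account can see, use the Kiali Operator.`).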

0 comments on commit a7d2d3f
