Removing accessible namespaces as part of the new discovery selector …

…support. part of: kiali/kiali#7546 part of KEP: https://github.com/kiali/kiali/blob/master/design/KEPS/namespace-discovery/proposal.md
kiali · Aug 3, 2024 · a7d2d3f · a7d2d3f
1 parent 6be2d49
commit a7d2d3f
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 28 deletions.
diff --git a/README.adoc b/README.adoc
@@ -65,7 +65,7 @@ helm uninstall -n kiali-operator kiali-operator
 
 ==== Overriding values
 
-You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "deployment.accessible_namespaces={bookinfo,demo2}"`. You can set individual list items using square brackets: `--set deployment.accessible_namespaces[0]=bookinfo`.
+You can pass `--set` options to the above commands if you wish to override the default values. You can set nested dictionary values using dot notation: `--set deployment.logger.log_level=debug`. For a list of items, comma-separate the values and wrap the list in curly braces: `--set "kubernetes_config.excluded_workloads={CronJob,Job}"`. You can set individual list items using square brackets: `--set kubernetes_config.excluded_workloads[0]=CronJob`.
 
 If you locally built and pushed your Kiali server and Kiali operator images to your cluster, you can have the helm chart installations pull those images by the following settings:
 

diff --git a/kiali-operator/templates/clusterrole.yaml b/kiali-operator/templates/clusterrole.yaml
@@ -113,7 +113,7 @@ rules:
   - list
 - apiGroups: ["rbac.authorization.k8s.io"]
   resources:
-  {{- if or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.clusterRoleCreator) }}
+  {{- if or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.clusterRoleCreator) }}
   - clusterrolebindings
   - clusterroles
   {{- end }}

diff --git a/kiali-operator/templates/deployment.yaml b/kiali-operator/templates/deployment.yaml
@@ -87,9 +87,7 @@ spec:
         - name: ALLOW_SECURITY_CONTEXT_OVERRIDE
           value: {{ .Values.allowSecurityContextOverride | quote }}
         - name: ALLOW_ALL_ACCESSIBLE_NAMESPACES
-          value: {{ or (and (.Values.cr.create) (has "**" .Values.cr.spec.deployment.accessible_namespaces)) (.Values.allowAllAccessibleNamespaces) | quote }}
-        - name: ACCESSIBLE_NAMESPACES_LABEL
-          value: {{ .Values.accessibleNamespacesLabel | quote }}
+          value: {{ or (and (.Values.cr.create) (.Values.cr.spec.deployment.cluster_wide_access)) (.Values.allowAllAccessibleNamespaces) | quote }}
         - name: PROFILE_TASKS_TASK_OUTPUT_LIMIT
           value: "100"
         - name: ANSIBLE_DEBUG_LOGS

diff --git a/kiali-operator/values.yaml b/kiali-operator/values.yaml
@@ -39,9 +39,9 @@ debug:
 watchNamespace: ""
 
 # Set to true if you want the operator to be able to create cluster roles. This is necessary
-# if you want to support Kiali CRs with spec.deployment.accessible_namespaces of '**'.
+# if you want to support Kiali CRs with spec.deployment.cluster_wide_access=true.
 # Setting this to "true" requires allowAllAccessibleNamespaces to be "true" also.
-# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
 clusterRoleCreator: true
 
 # Set to a list of secrets in the cluster that the operator will be allowed to read. This is necessary if you want to
@@ -83,22 +83,12 @@ allowAdHocOSSMConsoleImage: false
 allowSecurityContextOverride: false
 
 # allowAllAccessibleNamespaces tells the operator to allow a user to be able to configure Kiali
-# to access all namespaces in the cluster via spec.deployment.accessible_namespaces=['**'].
-# If this is false, the user must specify an explicit list of namespaces in the Kiali CR.
+# to access all namespaces in the cluster via spec.deployment.cluster_wide_access=true.
+# If this is false, the user must specify an explicit set of namespaces in the Kiali CR via spec.deployment.discovery_selectors.
 # Setting this to "true" requires clusterRoleCreator to be "true" also.
-# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.accessible_namespaces is ['**'].
+# Note that this will be overriden to "true" if cr.create is true and cr.spec.deployment.cluster_wide_access=true.
 allowAllAccessibleNamespaces: true
 
-# accessibleNamespacesLabel restricts the namespaces that a user can add to the Kiali CR spec.deployment.accessible_namespaces.
-# This value is either an empty string (which disables this feature) or a label name with an optional label value
-# (e.g. "mylabel" or "mylabel=myvalue"). Only namespaces that have that label will be permitted in
-# spec.deployment.accessible_namespaces. Any namespace not labeled properly but specified in accessible_namespaces will cause
-# the operator to abort the Kiali installation.
-# If just a label name (but no label value) is specified, the label value the operator will look for is the value of
-# the Kiali CR's spec.istio_namespace. In other words, the operator will look for the named label whose value must be the name
-# of the Istio control plane namespace (which is typically, but not necessarily, "istio-system").
-accessibleNamespacesLabel: ""
-
 # watchesFile: If specified, this determines what watches file will be used to configure the operator. There are four different
 # files that can be selected: (a) `watches-os.yaml`, (b) `watches-os-ns.yaml`, (c) `watches-k8s.yaml` or (d) `watches-k8s-ns.yaml`.
 # The first two are for OpenShift only, the last two are for non-OpenShift Kubernetes clusters. The two with "-ns" in their name
@@ -107,8 +97,7 @@ accessibleNamespacesLabel: ""
 # the default behavior and is not necessary if your Kiali CRs will have `spec.deployment.cluster_wide_access` set to `true`.
 watchesFile: ""
 
-# For what a Kiali CR spec can look like, see:
-# https://github.com/kiali/kiali-operator/blob/master/deploy/kiali/kiali_cr.yaml
+# For what a Kiali CR spec can look like, see: https://kiali.io/docs/configuration/kialis.kiali.io/
 cr:
   create: false
   name: kiali
@@ -122,5 +111,4 @@ cr:
 
   spec:
     deployment:
-      accessible_namespaces:
-      - '**'
+      cluster_wide_access: true
diff --git a/kiali-server/values.yaml b/kiali-server/values.yaml
@@ -37,15 +37,14 @@ clustering:
   clusters: []
 
 deployment:
-  # This only limits what Kiali will attempt to see, but Kiali Service Account has permissions to see everything.
-  # For more control over what the Kial Service Account can see, use the Kiali Operator
-  accessible_namespaces:
-  - "**"
   additional_service_yaml: {}
   affinity:
     node: {}
     pod: {}
     pod_anti: {}
+  # This server helm chart sets up a Service Account that allows Kiali to see all namespaces in the cluster.
+  # For more control over what the Kial Service Account can see, use the Kiali Operator.
+  cluster_wide_access: true
   configmap_annotations: {}
   custom_secrets: []
   dns: