From 93b507872603dd1b4a542f8a9b7f9c9db14c8f35 Mon Sep 17 00:00:00 2001
From: Tom Haynes
Date: Tue, 16 Dec 2025 16:27:00 +0000
Subject: [PATCH] allow rbac rolebindings to be disabled
---
 helm/kagent/templates/rbac/clusterrole.yaml | 2 +
 .../templates/rbac/clusterrolebinding.yaml | 2 +
 helm/kagent/tests/rbac_test.yaml | 43 ++++++++++++++++++-
 helm/kagent/values.yaml | 9 ++++
 4 files changed, 55 insertions(+), 1 deletion(-)
diff --git a/helm/kagent/templates/rbac/clusterrole.yaml b/helm/kagent/templates/rbac/clusterrole.yaml
index 1841e7e5f..6d919917d 100644
--- a/helm/kagent/templates/rbac/clusterrole.yaml
+++ b/helm/kagent/templates/rbac/clusterrole.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.clusterRoleEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -169,3 +170,4 @@ rules:
 - update
 - patch
 - delete
+{{- end }}
diff --git a/helm/kagent/templates/rbac/clusterrolebinding.yaml b/helm/kagent/templates/rbac/clusterrolebinding.yaml
index 4da6c9756..60241e39d 100644
--- a/helm/kagent/templates/rbac/clusterrolebinding.yaml
+++ b/helm/kagent/templates/rbac/clusterrolebinding.yaml
@@ -1,3 +1,4 @@
+{{- if .Values.rbac.clusterRoleEnabled }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -27,3 +28,4 @@ subjects:
 - kind: ServiceAccount
 name: {{ include "kagent.fullname" . }}-controller
 namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/helm/kagent/tests/rbac_test.yaml b/helm/kagent/tests/rbac_test.yaml
index 26f3e76ca..194a37784 100644
--- a/helm/kagent/tests/rbac_test.yaml
+++ b/helm/kagent/tests/rbac_test.yaml
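Review bot: The single `{{- if .Values.rbac.clusterRoleEnabled }}` guard added at the top of clusterrole.yaml is reused unchanged in clusterrolebinding.yaml, so the role definitions and the cluster-wide grants can only be switched off together. A common least-privilege setup keeps the chart's ClusterRole and replaces the ClusterRoleBinding with namespaced RoleBindings, which this switch cannot express; consider gating the binding template on its own separately named value that defaults to the same setting. The flag name also mentions only the role while the commit subject mentions only bindings, which is worth reconciling. The guarded bodies lie between the first and last hunk of each file and are not visible here.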
@@ -145,4 +145,45 @@ tests:
 value: RELEASE-NAME
 - equal:
 path: metadata.labels["app.kubernetes.io/managed-by"]
- value: Helm
\ No newline at end of file
+ value: Helm
+
+ # Tests for rbac.clusterRoleEnabled switch
+ - it: should render clusterroles when rbac.clusterRoleEnabled is true (default)
+ template: rbac/clusterrole.yaml
+ set:
+ rbac:
+ clusterRoleEnabled: true
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: ClusterRole
+
+ - it: should not render clusterroles when rbac.clusterRoleEnabled is false
+ template: rbac/clusterrole.yaml
+ set:
+ rbac:
+ clusterRoleEnabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
+
+ - it: should render clusterrolebindings when rbac.clusterRoleEnabled is true (default)
+ template: rbac/clusterrolebinding.yaml
+ set:
+ rbac:
+ clusterRoleEnabled: true
+ asserts:
+ - hasDocuments:
+ count: 2
+ - isKind:
+ of: ClusterRoleBinding
+
+ - it: should not render clusterrolebindings when rbac.clusterRoleEnabled is false
+ template: rbac/clusterrolebinding.yaml
+ set:
+ rbac:
+ clusterRoleEnabled: false
+ asserts:
+ - hasDocuments:
+ count: 0
\ No newline at end of file
diff --git a/helm/kagent/values.yaml b/helm/kagent/values.yaml
index 1bb8168e6..407ef3fe5 100644
--- a/helm/kagent/values.yaml
+++ b/helm/kagent/values.yaml
@@ -36,6 +36,15 @@ securityContext: {} # runAsNonRoot: true # runAsUser: 1000 +# ============================================================================== +# RBAC CONFIGURATION +# ============================================================================== + +rbac: + # -- Whether to create ClusterRole and ClusterRoleBinding resources. + # Set to false if you want to manage RBAC externally or use pre-existing roles. + clusterRoleEnabled: true + # ============================================================================== # CORE KAGENT COMPONENTS # ==============================================================================
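Review bot: The two cases titled `(default)` still pass `set:` with `clusterRoleEnabled: true`, so they would keep passing if the default in values.yaml were flipped or the key removed. Dropping the `set:` block from those two cases makes them pin the shipped default. Because that default decides whether cluster-wide permissions are created on install, it is the behaviour most worth locking down. The new last line `count: 0` again leaves the file without a trailing newline.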
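Review bot: The comment on `clusterRoleEnabled` does not say what the controller is left with when the switch is off. The `-controller` ServiceAccount named in clusterrolebinding.yaml is presumably still created by the chart, but nothing cluster-scoped is granted to it any more. I would extend the comment with `# When false, the controller ServiceAccount gets no cluster-scoped permissions from this chart; bind equivalent rules to it before installing.` Flipping the value on an existing release presumably also makes Helm remove both objects on upgrade, which deserves a mention in the same comment.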