
Allowing helm hooks (jobs) to create k8s resources


I want to run a pre-install helm hook.

This will run a job that uses a custom image whose entrypoint executes the following command:

kubectl create secret generic my-secret --from-literal=foo=bar

Can this action be permitted via RBAC?

If so, what are the minimal permissions that need to be given to the specific pod / job to carry this task out?


Solution

  • This is possible but maybe not the simplest thing.

    You can use the standard Kubernetes RBAC system to allow this, with a role like

    # templates/pre-install-role.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role                      # namespaced; grants nothing outside the release namespace
    metadata:
      name: {{ include "chart.name" . }}-pre-install
      annotations:
        helm.sh/hook: pre-install
    rules:
      - apiGroups: [""]             # "" is the core API group, where Secrets live
        resources: ["secrets"]
        verbs: ["create"]           # only what the kubectl command needs
    

    However, that Role needs to be attached to something to have an effect, which means you also need to create a ServiceAccount, and a RoleBinding to attach the two together:

    # templates/pre-install-service-account.yaml
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: {{ include "chart.name" . }}-pre-install
      annotations:
        helm.sh/hook: pre-install
    
    # templates/pre-install-service-role-binding.yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: {{ include "chart.name" . }}-pre-install
      annotations:
        helm.sh/hook: pre-install
    subjects:
      - kind: ServiceAccount
        namespace: {{ .Release.Namespace }}
        name: {{ include "chart.name" . }}-pre-install
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: {{ include "chart.name" . }}-pre-install
    

    And, finally, in your pre-install Job, you need to reference

    serviceAccountName: {{ include "chart.name" . }}-pre-install
    

    Note that Helm pre-install hooks run, well, before anything else is installed, which means that, since we need these auxiliary authorization-related objects in place to run the hook, they also need to be labeled as pre-install hooks. With the default deletion policy they will stay installed until the chart is uninstalled.

    You may find it simpler to just create the Secret in your Helm chart, if you'll have the required data at deployment time.
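A complete pre-install Job template that puts the answer's three RBAC objects to use, added here as an example rather than code from the question or the answer. It assumes the same `{{ include "chart.name" . }}` helper the answer uses and a hypothetical image `my-registry/secret-seeder:1.0` that has `kubectl` on its `PATH`; both are assumptions, not anything the page specifies.

```yaml
# templates/pre-install-job.yaml  (added example, not from the original post)
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "chart.name" . }}-pre-install
  annotations:
    helm.sh/hook: pre-install
    # Helm orders hooks by weight first, then by kind, so giving the Job a
    # higher weight than the ServiceAccount/Role/RoleBinding (which keep the
    # default weight 0) guarantees the token and permissions exist before the
    # pod starts, even if more hooks are added to the chart later.
    helm.sh/hook-weight: "5"
    # Remove the finished Job; the RBAC objects keep the default policy.
    helm.sh/hook-delete-policy: hook-succeeded
spec:
  # A failed secret creation should fail the install, not retry forever.
  backoffLimit: 0
  template:
    spec:
      # The ServiceAccount the answer's RoleBinding points at.
      serviceAccountName: {{ include "chart.name" . }}-pre-install
      restartPolicy: Never
      containers:
        - name: create-secret
          image: my-registry/secret-seeder:1.0   # hypothetical image with kubectl
          env:
            # Make the target namespace explicit instead of relying on the
            # in-cluster default; the Role is namespaced, so this must match.
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          command:
            - kubectl
            - create
            - secret
            - generic
            - my-secret
            - --namespace=$(POD_NAMESPACE)
            - --from-literal=foo=bar
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```

Before relying on the install, confirm the binding grants exactly what the command needs and nothing more by impersonating the service account: `kubectl auth can-i create secrets -n <release-namespace> --as=system:serviceaccount:<release-namespace>:<chart>-pre-install` should print `yes`, while the same check with `get`, `list` or `delete` should print `no`. Two caveats worth knowing: `resourceNames` cannot narrow a `create` rule (the API server does not know the object name when it authorizes the request), so `create` on `secrets` necessarily allows creating any Secret in that namespace; and Helm does not track hook resources as part of the release manifest, so after `helm uninstall` check whether the ServiceAccount, Role and RoleBinding are still present and attach a `helm.sh/hook-delete-policy` to them if you do not want an unused create-secrets grant lingering in the namespace.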