From d17eebd737d0d2fec834f0d2b4ee5b80d53b3596 Mon Sep 17 00:00:00 2001
From: Jirka Kremser
Date: Mon, 8 Apr 2024 15:01:39 +0200
Subject: [PATCH 01/13] More secure rbac
Signed-off-by: Jirka Kremser
---
.gitignore | 8 +++
keda/templates/NOTES.txt | 6 ++
keda/templates/manager/clusterrole.yaml | 69 ++++++++-----------
.../templates/manager/clusterrolebinding.yaml | 21 ------
.../manager/clusterrolebindings.yaml | 49 +++++++++++++
keda/templates/manager/deployment.yaml | 2 +-
keda/templates/manager/role.yaml | 47 +++++++++----
keda/templates/manager/rolebinding.yaml | 22 ------
.../{ => manager}/serviceaccount.yaml | 14 ++--
.../metrics-server/clusterrolebinding.yaml | 10 +--
keda/templates/metrics-server/deployment.yaml | 2 +-
.../metrics-server/serviceaccount.yaml | 49 +++++++++++++
keda/templates/webhooks/clusterrole.yaml | 61 ++++++++++++++++
.../webhooks/clusterrolebindings.yaml | 49 +++++++++++++
keda/templates/webhooks/deployment.yaml | 2 +-
keda/templates/webhooks/serviceaccount.yaml | 21 ++++++
keda/values.yaml | 51 +++++++++++---
17 files changed, 364 insertions(+), 119 deletions(-)
create mode 100644 .gitignore
delete mode 100644 keda/templates/manager/clusterrolebinding.yaml
create mode 100644 keda/templates/manager/clusterrolebindings.yaml
delete mode 100644 keda/templates/manager/rolebinding.yaml
rename keda/templates/{ => manager}/serviceaccount.yaml (69%)
create mode 100644 keda/templates/metrics-server/serviceaccount.yaml
create mode 100644 keda/templates/webhooks/clusterrole.yaml
create mode 100644 keda/templates/webhooks/clusterrolebindings.yaml
create mode 100644 keda/templates/webhooks/serviceaccount.yaml
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..a7b80e1e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,8 @@
+# IDE specific files
+.vscode
+.idea
+*.swp
+*.swo
+
+# Mac
+.DS_Store
diff --git a/keda/templates/NOTES.txt b/keda/templates/NOTES.txt
index f143cb2f..047b6356 100644
--- a/keda/templates/NOTES.txt
+++ b/keda/templates/NOTES.txt @@ -59,6 +59,12 @@ WARNING - Running on unsupported Kubernetes version "1.{{.Capabilities.KubeVersi ------------------------------------------------------------------------------------- {{- end }} +{{- if .Values.serviceAccount.name }} +------------------------------------------------------------------------------------- +WARNING - .serviceAccount.name has been deprecated, please migrate to newest version of the Helm Chart values +------------------------------------------------------------------------------------- +{{- end }} + Learn more about KEDA: - Documentation: https://keda.sh/ - Support: https://keda.sh/support/ diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml index 673a5e63..90875428 100644 --- a/keda/templates/manager/clusterrole.yaml +++ b/keda/templates/manager/clusterrole.yaml @@ -16,6 +16,10 @@ rules: resources: - configmaps - configmaps/status + - limitranges + - pods + - services + - serviceaccounts verbs: - get - list 
@@ -26,50 +30,49 @@ rules: - events verbs: - '*' +{{- if not .Values.permissions.operator.restrict.secret }} - apiGroups: - "" - resources: - - external - - pods - {{- if eq .Values.permissions.operator.restrict.secret false }} + resources: - secrets - {{- end }} - - services verbs: - get - list - watch -- apiGroups: - - "" - resources: - - limitranges - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - serviceaccounts - verbs: - - list - - watch + {{- with .Values.permissions.operator.restrict.namesAllowList }} + resourceNames: {{ toYaml . | nindent 4 }} + {{- end }} +{{- end }} + +{{- if .Values.rbac.enabledCustomScaledRefKinds }} +{{- if not .Values.rbac.scaledRefKinds }} - apiGroups: - '*' resources: - - '*' + - '*/scale' verbs: - get + - list + - patch + - update + - watch +{{- else }} + {{- range .Values.rbac.scaledRefKinds }} - apiGroups: - - '*' + - {{ .apiGroup | quote }} resources: - - '*/scale' + - {{ .kind | quote }} + - {{ printf "%s/scale" .kind | quote }} verbs: - get - list - patch - update - watch - {{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} + {{- end }} +{{- end }} +{{- end }} +{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} - apiGroups: - admissionregistration.k8s.io resources: @@ -90,13 +93,14 @@ rules: - patch - update - watch - {{- end }} +{{- end }} - apiGroups: - apps resources: - deployments - statefulsets verbs: + - get - list - watch - apiGroups: @@ -123,27 +127,12 @@ rules: resources: - clustertriggerauthentications - clustertriggerauthentications/status - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - scaledjobs - scaledjobs/finalizers - scaledjobs/status - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - scaledobjects - scaledobjects/finalizers - scaledobjects/status - verbs: - - '*' -- apiGroups: - - keda.sh - resources: - triggerauthentications - triggerauthentications/status verbs: 
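Review bot: The per-kind rules in the `scaledRefKinds` branch write the Kind into `resources:` (`- {{ .kind | quote }}` and `- {{ printf "%s/scale" .kind | quote }}`), but RBAC `resources` entries match the lowercase plural resource name, not the Kind, so the example shipped in values.yaml (`kind: Rollout`, hunk on L16) renders `"Rollout"`/`"Rollout/scale"` and grants nothing. Rename the field to the thing RBAC needs and document the plural form, e.g. `- apiGroup: argoproj.io` / `  resource: rollouts` with `- {{ .resource | quote }}` and `- {{ printf "%s/scale" .resource | quote }}` in the template, and check a rendered manifest against a real custom resource. Separately, with `enabledCustomScaledRefKinds: true` and an empty list the template still emits `apiGroups: '*'` / `resources: '*/scale'` with `patch` and `update`, so the default keeps a cluster-wide scale write on every API group; that shape predates this patch, but the values comment should say so.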
diff --git a/keda/templates/manager/clusterrolebinding.yaml b/keda/templates/manager/clusterrolebinding.yaml
deleted file mode 100644
index 5d13f80a..00000000
--- a/keda/templates/manager/clusterrolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- {{- with .Values.additionalAnnotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
- labels:
- app.kubernetes.io/name: {{ .Values.operator.name }}
- {{- include "keda.labels" . | indent 4 }}
- name: {{ .Values.operator.name }}
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Values.operator.name }}
-subjects:
-- kind: ServiceAccount
- name: {{ .Values.serviceAccount.name }}
- namespace: {{ .Release.Namespace }}
-{{- end -}}
diff --git a/keda/templates/manager/clusterrolebindings.yaml b/keda/templates/manager/clusterrolebindings.yaml
new file mode 100644
index 00000000..fa83bcec
--- /dev/null
+++ b/keda/templates/manager/clusterrolebindings.yaml
@@ -0,0 +1,49 @@ +{{- if .Values.rbac.create }} +{{- if not .Values.watchNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }} + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.operator.name }} +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- else }} + {{- range ( split "," .Values.watchNamespace ) }} +--- +# Role binding for namespace '{{ . }}' +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + {{- with $.Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ $.Values.operator.name }} + {{- include "keda.labels" $ | indent 4 }} + name: {{ $.Values.operator.name }} + namespace: {{ . | trim }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $.Values.operator.name }} +subjects: +- kind: ServiceAccount + name: {{ ($.Values.serviceAccount.operator).name | default $.Values.serviceAccount.name }} + namespace: {{ $.Release.Namespace }} +--- + {{- end }} +{{- end }} +{{- end }} diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml index 72117787..dbdb1849 100644 --- a/keda/templates/manager/deployment.yaml +++ b/keda/templates/manager/deployment.yaml 
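Review bot: The `{{- range ( split "," .Values.watchNamespace ) }}` loop emits a RoleBinding for every element, so a trailing comma or a `ns1, ,ns2` value produces an element that `trim` reduces to an empty string and a RoleBinding whose `namespace:` is empty; wrapping the document in `{{- if trim . }}` … `{{- end }}` (or using `splitList "," … | compact`) avoids that. The comment `# Role binding for namespace '{{ . }}'` prints the untrimmed element while `namespace: {{ . | trim }}` uses the trimmed one; use `{{ . | trim }}` in both places. The same loop is copied into webhooks/clusterrolebindings.yaml (hunk on L14).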
@@ -55,7 +55,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} + serviceAccountName: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} automountServiceAccountToken: true securityContext: {{- if .Values.podSecurityContext.operator }} diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml index 11339be0..f1bcc4ff 100644 --- a/keda/templates/manager/role.yaml +++ b/keda/templates/manager/role.yaml @@ -7,9 +7,9 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - app.kubernetes.io/name: {{ .Values.operator.name }} + app.kubernetes.io/name: {{ .Values.operator.name }}-certs {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }} + name: {{ .Values.operator.name }}-certs namespace: {{ .Release.Namespace }} rules: - apiGroups: 
@@ -18,20 +18,41 @@ rules: - leases verbs: - '*' -{{- if or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret) }} +{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} - apiGroups: - "" resources: - secrets verbs: - {{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} - - create - - delete - - patch - - update + - 'get' + resourceNames: + - {{ .Values.certificates.secretName | quote }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - 'create' +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} {{- end }} - - watch - - get - - list -{{- end -}} -{{- end -}} \ No newline at end of file + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-certs + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-certs + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Values.operator.name }}-certs +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/keda/templates/manager/rolebinding.yaml b/keda/templates/manager/rolebinding.yaml deleted file mode 100644 index 1c2303a3..00000000 --- a/keda/templates/manager/rolebinding.yaml +++ /dev/null 
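Review bot: With `permissions.operator.restrict.secret: true` nothing grants the operator any secret read anymore: the old condition `or (and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled)) (.Values.permissions.operator.restrict.secret)` is narrowed to the certificate case, the namespaced `get`/`list`/`watch` on `secrets` is removed, and the ClusterRole hunk on L3 renders its secrets rule only when `restrict.secret` is false. The new values.yaml comment on L17 (`if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace`) therefore describes a rule no template renders, so TriggerAuthentication secret references in the release namespace would be denied unless a later patch in this series restores them. A rule guarded by `{{- if .Values.permissions.operator.restrict.secret }}` granting `get`, `list` and `watch` on `secrets` in this namespaced Role would match the documented behaviour. minimal-rbac.yaml in patch 02 (L19–L20) copies this Role unchanged, so the gap persists there.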
@@ -1,22 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }} - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }} - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Values.operator.name }} -subjects: -- kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/keda/templates/serviceaccount.yaml b/keda/templates/manager/serviceaccount.yaml similarity index 69% rename from keda/templates/serviceaccount.yaml rename to keda/templates/manager/serviceaccount.yaml index d93d1b7e..967b517a 100644 --- a/keda/templates/serviceaccount.yaml +++ b/keda/templates/manager/serviceaccount.yaml @@ -1,14 +1,14 @@ -{{- if .Values.serviceAccount.create -}} +{{- if (.Values.serviceAccount.operator).create | default .Values.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: labels: - app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + app.kubernetes.io/name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} {{- if .Values.podIdentity.azureWorkload.enabled }} azure.workload.identity/use: "true" {{- end }} {{- include "keda.labels" . | nindent 4 }} - {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled .Values.serviceAccount.annotations .Values.podIdentity.gcp.enabled }} + {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled ((.Values.serviceAccount.operator).annotations | default .Values.serviceAccount.annotations) .Values.podIdentity.gcp.enabled }} annotations: {{- if .Values.additionalAnnotations }} {{- toYaml .Values.additionalAnnotations | nindent 4 }} 
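Review bot: The fallbacks `(.Values.serviceAccount.operator).create | default .Values.serviceAccount.create` here and `(.Values.serviceAccount.operator).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken` in the @@ -39 hunk on L9 go through `default`, which treats `false` as empty, so a user who sets the new key to `false` falls through to the legacy key: with the legacy key absent the automount line renders empty (null, i.e. the API default of mounting the token), and with an old values file still carrying `create: true` the account is created anyway. Decide by presence rather than truthiness, e.g. `{{- $sa := .Values.serviceAccount.operator | default dict }}` followed by `automountServiceAccountToken: {{ ternary $sa.automountServiceAccountToken .Values.serviceAccount.automountServiceAccountToken (hasKey $sa "automountServiceAccountToken") }}`, and the same for `create`. The metrics-server (L11–L12) and webhooks (L15) service accounts repeat this shape.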
@@ -39,11 +39,11 @@ metadata: iam.gke.io/gcp-service-account: {{ .Values.podIdentity.gcp.gcpIAMServiceAccount }} {{- end }} {{- end }} - {{- if .Values.serviceAccount.annotations }} - {{- toYaml .Values.serviceAccount.annotations | nindent 4}} + {{- if (.Values.serviceAccount.operator).annotations | default .Values.serviceAccount.annotations }} + {{- toYaml (.Values.serviceAccount.operator).annotations | default .Values.serviceAccount.annotations | nindent 4}} {{- end }} {{- end }} - name: {{ .Values.serviceAccount.name }} + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} -automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +automountServiceAccountToken: {{ (.Values.serviceAccount.operator).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} {{- end -}} diff --git a/keda/templates/metrics-server/clusterrolebinding.yaml b/keda/templates/metrics-server/clusterrolebinding.yaml index af00d424..41ee911d 100644 --- a/keda/templates/metrics-server/clusterrolebinding.yaml +++ b/keda/templates/metrics-server/clusterrolebinding.yaml @@ -16,9 +16,10 @@ roleRef: name: system:auth-delegator subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} + name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} --- +# https://kubernetes.io/docs/tasks/extend-kubernetes/configure-aggregation-layer/#extension-apiserver-authenticates-the-request apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -37,9 +38,10 @@ roleRef: name: extension-apiserver-authentication-reader subjects: - kind: ServiceAccount - name: {{ .Values.serviceAccount.name }} + name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} --- +# todo this apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -57,6 +59,6 @@ roleRef: name: {{ .Values.operator.name }}-external-metrics-reader subjects: - kind: ServiceAccount - name: horizontal-pod-autoscaler - namespace: kube-system + name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} {{- end -}} diff --git a/keda/templates/metrics-server/deployment.yaml b/keda/templates/metrics-server/deployment.yaml index 16829cc6..38fef6bc 100644 --- a/keda/templates/metrics-server/deployment.yaml +++ b/keda/templates/metrics-server/deployment.yaml @@ -57,7 +57,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} + serviceAccountName: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} automountServiceAccountToken: true securityContext: {{- if .Values.podSecurityContext.metricServer }} diff --git a/keda/templates/metrics-server/serviceaccount.yaml b/keda/templates/metrics-server/serviceaccount.yaml new file mode 100644 index 00000000..724d6227 --- /dev/null +++ b/keda/templates/metrics-server/serviceaccount.yaml 
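Review bot: The @@ -57,6 hunk rebinds `{{ .Values.operator.name }}-external-metrics-reader` from `horizontal-pod-autoscaler` in `kube-system` to the metrics server's own ServiceAccount; that role exists so the HPA controller's identity passes the delegated authorization the aggregated metrics API performs, so unless the controller is granted `external.metrics.k8s.io` elsewhere, HPAs backed by KEDA metrics would start failing authorization after this change. The metrics server has no need to read its own API, and the `# todo this` marker left above the binding suggests the change was not meant to be final. Either restore the previous subject or add a comment stating why the controller identity is no longer bound; the rest of the binding is outside the hunk.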
@@ -0,0 +1,49 @@ +{{- if (.Values.serviceAccount.metricServer).create | default .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + azure.workload.identity/use: "true" + {{- end }} + {{- include "keda.labels" . | nindent 4 }} + {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled ((.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations) .Values.podIdentity.gcp.enabled }} + annotations: + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + {{- if .Values.podIdentity.azureWorkload.clientId }} + azure.workload.identity/client-id: {{ .Values.podIdentity.azureWorkload.clientId | quote }} + {{- end }} + {{- if .Values.podIdentity.azureWorkload.tenantId }} + azure.workload.identity/tenant-id: {{ .Values.podIdentity.azureWorkload.tenantId | quote }} + {{- end }} + azure.workload.identity/service-account-token-expiration: {{ .Values.podIdentity.azureWorkload.tokenExpiration | quote }} + {{- end }} + {{- if .Values.podIdentity.aws.irsa.enabled }} + {{- if .Values.podIdentity.aws.irsa.audience }} + eks.amazonaws.com/audience: {{ .Values.podIdentity.aws.irsa.audience | quote }} + {{- end }} + {{- if .Values.podIdentity.aws.irsa.roleArn }} + eks.amazonaws.com/role-arn: {{ .Values.podIdentity.aws.irsa.roleArn | quote }} + {{- end }} + {{- if .Values.podIdentity.aws.irsa.stsRegionalEndpoints }} + eks.amazonaws.com/sts-regional-endpoints: {{ .Values.podIdentity.aws.irsa.stsRegionalEndpoints | quote }} + {{- end }} + eks.amazonaws.com/token-expiration: {{ .Values.podIdentity.aws.irsa.tokenExpiration | quote }} + {{- end }} + {{- if .Values.podIdentity.gcp.enabled }} + {{- if 
.Values.podIdentity.gcp.gcpIAMServiceAccount }} + iam.gke.io/gcp-service-account: {{ .Values.podIdentity.gcp.gcpIAMServiceAccount }} + {{- end }} + {{- end }} + {{- if (.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations }} + {{- toYaml (.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations | nindent 4}} + {{- end }} + {{- end }} + name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ (.Values.serviceAccount.metricServer).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/keda/templates/webhooks/clusterrole.yaml b/keda/templates/webhooks/clusterrole.yaml new file mode 100644 index 00000000..65fd0c42 --- /dev/null +++ b/keda/templates/webhooks/clusterrole.yaml 
@@ -0,0 +1,61 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ {{- with .Values.additionalAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ .Values.operator.name }}-webhook
+ {{- include "keda.labels" . | indent 4 }}
+ name: {{ .Values.operator.name }}-webhook
+rules:
+- apiGroups:
+ - autoscaling
+ resources:
+ - horizontalpodautoscalers
+ verbs:
+ - list
+- apiGroups:
+ - keda.sh
+ resources:
+ - scaledobjects
+ verbs:
+ - list
+- apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resources:
+ - limitranges
+ verbs:
+ - list
+{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}
+- apiGroups:
+ - admissionregistration.k8s.io
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apiregistration.k8s.io
+ resources:
+ - apiservices
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
+{{- end -}}
diff --git a/keda/templates/webhooks/clusterrolebindings.yaml b/keda/templates/webhooks/clusterrolebindings.yaml
new file mode 100644
index 00000000..a10c2cc1
--- /dev/null
+++ b/keda/templates/webhooks/clusterrolebindings.yaml
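Review bot: Under `certificates.autoGenerated` this ClusterRole gives the webhook ServiceAccount `patch`/`update` on every `validatingwebhookconfigurations` and `apiservices` object in the cluster, and the operator ClusterRole hunk on L3 grants the same to the operator. The `--enable-cert-rotation` flag is passed to the operator deployment (context on L18), so the caBundle rewrite appears to run there; if the webhook pod only serves admission requests, this block can be dropped from its role, and if it is needed, restrict `get`/`patch`/`update` with `resourceNames:` to the chart's own webhook configuration and APIService names (`list`/`watch` cannot be name-restricted). A comment above the `{{- if and .Values.certificates.autoGenerated ... }}` line naming the webhook code path that needs these writes would settle which of the two applies.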
@@ -0,0 +1,49 @@ +{{- if .Values.rbac.create }} +{{- if not .Values.watchNamespace }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-webhook + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.operator.name }}-webhook +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- else }} + {{- range ( split "," .Values.watchNamespace ) }} +--- +# Role binding for namespace '{{ . }}' +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + {{- with $.Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ $.Values.operator.name }} + {{- include "keda.labels" $ | indent 4 }} + name: {{ $.Values.operator.name }} + namespace: {{ . | trim }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $.Values.operator.name }}-webhook +subjects: +- kind: ServiceAccount + name: {{ ($.Values.serviceAccount.webhooks).name | default $.Values.serviceAccount.name }} + namespace: {{ $.Release.Namespace }} +--- + {{- end }} +{{- end }} +{{- end }} diff --git a/keda/templates/webhooks/deployment.yaml b/keda/templates/webhooks/deployment.yaml index 17f77bb9..fc8fe370 100644 --- a/keda/templates/webhooks/deployment.yaml +++ b/keda/templates/webhooks/deployment.yaml 
@@ -50,7 +50,7 @@ spec: imagePullSecrets: {{- toYaml . | nindent 8 }} {{- end }} - serviceAccountName: {{ .Values.serviceAccount.name }} + serviceAccountName: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} automountServiceAccountToken: true securityContext: {{- if .Values.podSecurityContext.webhooks }} diff --git a/keda/templates/webhooks/serviceaccount.yaml b/keda/templates/webhooks/serviceaccount.yaml new file mode 100644 index 00000000..29012aeb --- /dev/null +++ b/keda/templates/webhooks/serviceaccount.yaml @@ -0,0 +1,21 @@ +{{- if (.Values.serviceAccount.webhooks).create | default .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} + {{- if .Values.podIdentity.azureWorkload.enabled }} + azure.workload.identity/use: "true" + {{- end }} + {{- include "keda.labels" . | nindent 4 }} + annotations: + {{- if .Values.additionalAnnotations }} + {{- toYaml .Values.additionalAnnotations | nindent 4 }} + {{- end }} + {{- if (.Values.serviceAccount.webhooks).annotations | default .Values.serviceAccount.annotations }} + {{- toYaml (.Values.serviceAccount.webhooks).annotations | default .Values.serviceAccount.annotations | nindent 4}} + {{- end }} + name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ (.Values.serviceAccount.webhooks).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} +{{- end -}} diff --git a/keda/values.yaml b/keda/values.yaml index 0dff0ade..174e7549 100644 --- a/keda/values.yaml +++ b/keda/values.yaml 
@@ -275,16 +275,44 @@ rbac: # -- Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) aggregateToDefaultRoles: false + # -- Whether rbac for unseen crds that can have a scale subresource should be created + enabledCustomScaledRefKinds: true + # -- List of custom resources that support the scale subresource that can be referenced by `scaledobject.spec.scaleTargetRef` + # the feature needs to be also enabled by `enabledCustomScaledRefKinds` + # If left empty, rbac for `apiGroups: *` & `resources: */scale` will be created + # note: Deployments and StatefulSets are supported out of the box + scaledRefKinds: + # - apiGroup: argoproj.io + # kind: Rollout + serviceAccount: - # -- Specifies whether a service account should be created - create: true - # -- The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: keda-operator - # -- Specifies whether a service account should automount API-Credentials - automountServiceAccountToken: true - # -- Annotations to add to the service account - annotations: {} + operator: + # -- Specifies whether a service account should be created + create: true + # -- The name of the service account to use. + name: keda-operator + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account + annotations: {} + metricServer: + # -- Specifies whether a service account should be created + create: true + # -- The name of the service account to use. 
+ name: keda-metrics-server + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account + annotations: {} + webhooks: + # -- Specifies whether a service account should be created + create: true + # -- The name of the service account to use. + name: keda-webhook + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account + annotations: {} podIdentity: activeDirectory: @@ -797,7 +825,12 @@ permissions: operator: restrict: # -- Restrict Secret Access for KEDA operator + # if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace secret: false + # -- Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account + # also the configured `watchNamespace`. + # the default is an empty array -> no restriction on the secret name + namesAllowList: [] # -- Array of extra K8s manifests to deploy extraObjects: [] From c718b765fdcaa4977f956e0c9fcef0ba180318e8 Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Tue, 9 Apr 2024 17:01:22 +0200 Subject: [PATCH 02/13] rbac: Add back some necessary rights Signed-off-by: Jirka Kremser --- keda/templates/manager/clusterrole.yaml | 29 +---- keda/templates/manager/deployment.yaml | 3 + keda/templates/manager/minimal-rbac.yaml | 119 ++++++++++++++++++ keda/templates/manager/role.yaml | 58 --------- keda/templates/webhooks/clusterrole.yaml | 4 + .../webhooks/clusterrolebindings.yaml | 28 ----- keda/values.yaml | 2 + 7 files changed, 134 insertions(+), 109 deletions(-) create mode 100644 keda/templates/manager/minimal-rbac.yaml delete mode 100644 keda/templates/manager/role.yaml diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml index 90875428..9619ad6e 100644 --- a/keda/templates/manager/clusterrole.yaml 
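Review bot: The comment on `scaledRefKinds` says `If left empty, rbac for apiGroups: * & resources: */scale will be created`, yet `enabledCustomScaledRefKinds: true` is the shipped default, so the empty list is the normal case and a default install still grants `patch`/`update` on the scale subresource of every resource in every API group (clusterrole hunk on L3); the comment on `enabledCustomScaledRefKinds` should state that consequence rather than leave it implied. Suggested wording: `# -- Whether rbac for custom resources with a scale subresource should be created. With an empty scaledRefKinds list this grants patch/update on */scale in every apiGroup; list the kinds you use to narrow it.`. The example entry `kind: Rollout` also needs the plural resource name (`rollouts`) for the generated rule to match, since RBAC matches resource names, not Kinds.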
+++ b/keda/templates/manager/clusterrole.yaml @@ -36,10 +36,15 @@ rules: resources: - secrets verbs: - - get - list - watch {{- with .Values.permissions.operator.restrict.namesAllowList }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - get resourceNames: {{ toYaml . | nindent 4 }} {{- end }} {{- end }} @@ -72,28 +77,6 @@ rules: {{- end }} {{- end }} {{- end }} -{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - patch - - update - - watch -{{- end }} - apiGroups: - apps resources: diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml index dbdb1849..52771cda 100644 --- a/keda/templates/manager/deployment.yaml +++ b/keda/templates/manager/deployment.yaml @@ -85,6 +85,9 @@ spec: - "--zap-log-level={{ .Values.logging.operator.level }}" - "--zap-encoder={{ .Values.logging.operator.format }}" - "--zap-time-encoding={{ .Values.logging.operator.timeEncoding }}" + {{- if .Values.logging.operator.stackTracesEnabled }} + - "--zap-stacktrace-level=error" + {{- end }} - "--cert-dir={{ .Values.certificates.mountPath }}" - "--enable-cert-rotation={{ and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }}" - "--cert-secret-name={{ .Values.certificates.secretName }}" diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml new file mode 100644 index 00000000..d96f849f --- /dev/null +++ b/keda/templates/manager/minimal-rbac.yaml 
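Review bot: The `namesAllowList` now restricts only the added `get` rule, while the rule above keeps `list` and `watch` on `secrets` with no `resourceNames`, and a list or watch response carries the full object including `data`, so every secret in the cluster (or in the bound namespaces under `watchNamespace`) stays readable by the operator token regardless of the allow-list. Unless the operator lists secrets with a `metadata.name` field selector, the values comment for `namesAllowList` (L17) should say that it limits direct `get` only and that real containment needs `restrict.secret: true` alongside it. The hunk starts mid-rule, so the `apiGroups` of the list/watch rule is above it.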
@@ -0,0 +1,119 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-certs + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-certs + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - '*' +{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - 'get' + resourceNames: + - {{ .Values.certificates.secretName | quote }} +- apiGroups: + - "" + resources: + - secrets + verbs: + - 'create' +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-certs + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-certs + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Values.operator.name }}-certs +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-minimal-cluster-role + {{- include "keda.labels" . 
| indent 4 }} + name: {{ .Values.operator.name }}-minimal-cluster-role +rules: +- apiGroups: + - keda.sh + resources: + - clustertriggerauthentications + verbs: + - '*' +{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} +- apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiregistration.k8s.io + resources: + - apiservices + verbs: + - get + - list + - patch + - update + - watch +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + {{- with .Values.additionalAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app.kubernetes.io/name: {{ .Values.operator.name }}-minimal + {{- include "keda.labels" . | indent 4 }} + name: {{ .Values.operator.name }}-minimal +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Values.operator.name }}-minimal-cluster-role +subjects: +- kind: ServiceAccount + name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/keda/templates/manager/role.yaml b/keda/templates/manager/role.yaml deleted file mode 100644 index f1bcc4ff..00000000 --- a/keda/templates/manager/role.yaml +++ /dev/null 
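Review bot: minimal-rbac.yaml adds a second ClusterRole and ClusterRoleBinding for the operator ServiceAccount without saying why they exist beside the main ClusterRole; from the manager clusterrolebindings hunk on L5 it appears the main role is bound per namespace through RoleBindings when `watchNamespace` is set, which cannot confer cluster-scoped resources such as `clustertriggerauthentications` or `validatingwebhookconfigurations`, and this file supplies those. A header comment above the ClusterRole would make that explicit: `# Cluster-scoped rights the operator needs even when watchNamespace binds the main ClusterRole per namespace`. The Role named `-certs` also carries the `coordination.k8s.io`/`leases` rule, which the name does not suggest; a comment on that rule (`# leader election`) keeps it from being treated as cert-only. `clustertriggerauthentications` with `'*'` remains in the main ClusterRole as well (context on L3), so one of the two grants is redundant.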
@@ -1,58 +0,0 @@ -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }}-certs - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }}-certs - namespace: {{ .Release.Namespace }} -rules: -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - '*' -{{- if and .Values.certificates.autoGenerated (not .Values.certificates.certManager.enabled) }} -- apiGroups: - - "" - resources: - - secrets - verbs: - - 'get' - resourceNames: - - {{ .Values.certificates.secretName | quote }} -- apiGroups: - - "" - resources: - - secrets - verbs: - - 'create' -{{- end }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - {{- with .Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ .Values.operator.name }}-certs - {{- include "keda.labels" . | indent 4 }} - name: {{ .Values.operator.name }}-certs - namespace: {{ .Release.Namespace }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ .Values.operator.name }}-certs -subjects: -- kind: ServiceAccount - name: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/keda/templates/webhooks/clusterrole.yaml b/keda/templates/webhooks/clusterrole.yaml index 65fd0c42..26a091b9 100644 --- a/keda/templates/webhooks/clusterrole.yaml +++ b/keda/templates/webhooks/clusterrole.yaml @@ -17,12 +17,14 @@ rules: - horizontalpodautoscalers verbs: - list + - watch - apiGroups: - keda.sh resources: - scaledobjects verbs: - list + - watch - apiGroups: - apps resources: @@ -30,6 +32,8 @@ rules: - statefulsets verbs: - get + - list + - watch - apiGroups: - "" resources: 
diff --git a/keda/templates/webhooks/clusterrolebindings.yaml b/keda/templates/webhooks/clusterrolebindings.yaml index a10c2cc1..4c30a94a 100644 --- a/keda/templates/webhooks/clusterrolebindings.yaml +++ b/keda/templates/webhooks/clusterrolebindings.yaml @@ -1,5 +1,4 @@ {{- if .Values.rbac.create }} -{{- if not .Values.watchNamespace }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -19,31 +18,4 @@ subjects: - kind: ServiceAccount name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} -{{- else }} - {{- range ( split "," .Values.watchNamespace ) }} ---- -# Role binding for namespace '{{ . }}' -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - {{- with $.Values.additionalAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} - labels: - app.kubernetes.io/name: {{ $.Values.operator.name }} - {{- include "keda.labels" $ | indent 4 }} - name: {{ $.Values.operator.name }} - namespace: {{ . | trim }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ $.Values.operator.name }}-webhook -subjects: -- kind: ServiceAccount - name: {{ ($.Values.serviceAccount.webhooks).name | default $.Values.serviceAccount.name }} - namespace: {{ $.Release.Namespace }} ---- - {{- end }} -{{- end }} {{- end }} diff --git a/keda/values.yaml b/keda/values.yaml index a2a38249..b9e377b6 100644 --- a/keda/values.yaml +++ b/keda/values.yaml @@ -382,6 +382,8 @@ logging: # -- Logging time encoding for KEDA Operator. # allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` timeEncoding: rfc3339 + # -- If enabled, the stack traces will be also printed + stackTracesEnabled: false metricServer: # -- Logging level for Metrics Server. # allowed values: `0` for info, `4` for debug, or an integer value greater than 0, specified as string From 8972cfc32587dd18820e54d29ecc0394b0a9bde8 Mon Sep 17 00:00:00 2001 
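Review bot: Dropping the `{{- if not .Values.watchNamespace }}` branch means the webhook service account now always receives a ClusterRoleBinding to the `-webhook` ClusterRole, so setting `watchNamespace` no longer narrows the webhook's read access to the listed namespaces. That is a scope widening for users who relied on the per-namespace RoleBindings removed in this hunk, in a series titled "More secure rbac", and nothing in the diff explains it. If the admission webhook must see HPAs and ScaledObjects cluster-wide because it validates objects in every namespace regardless of `watchNamespace` (plausible, but I can't confirm from here), record that next to `watchNamespace` in values.yaml, e.g. `# note: watchNamespace scopes the operator only; the admission webhook always gets cluster-wide read access`.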
From: Jirka Kremser Date: Tue, 9 Apr 2024 17:01:22 +0200 Subject: [PATCH 03/13] rbac: Add back some necessary rights Signed-off-by: Jirka Kremser --- keda/templates/manager/minimal-rbac.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml index d96f849f..21af3eae 100644 --- a/keda/templates/manager/minimal-rbac.yaml +++ b/keda/templates/manager/minimal-rbac.yaml @@ -24,7 +24,7 @@ rules: resources: - secrets verbs: - - 'get' + - get resourceNames: - {{ .Values.certificates.secretName | quote }} - apiGroups: @@ -32,7 +32,8 @@ rules: resources: - secrets verbs: - - 'create' + - create + - update {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 From 5c367b807c5e4f8120b2d26d8c8a121f507cda72 Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Wed, 10 Apr 2024 16:45:15 +0200 Subject: [PATCH 04/13] Fix a typo and display better msg in notes Signed-off-by: Jirka Kremser --- keda/templates/NOTES.txt | 2 +- keda/templates/manager/clusterrole.yaml | 19 +++++++++---------- .../manager/poddisruptionbudget.yaml | 2 +- .../webhooks/poddisruptionbudget.yaml | 2 +- 4 files changed, 12 insertions(+), 13 deletions(-) diff --git a/keda/templates/NOTES.txt b/keda/templates/NOTES.txt index 047b6356..ff3957d4 100644 --- a/keda/templates/NOTES.txt +++ b/keda/templates/NOTES.txt 
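Review bot: The newly added `update` verb sits in the secrets rule that has no `resourceNames`, so the operator may update any Secret in the release namespace, while `get` in the previous rule is pinned to `{{ .Values.certificates.secretName | quote }}`. Unlike `create`, `update` targets an already-named object and can be restricted by `resourceNames`, so it belongs in the name-restricted rule: change that rule's verbs to `- get` / `- update` and leave only `- create` in the unrestricted rule. The surrounding `rules:` list continues outside both hunks.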
@@ -61,7 +61,7 @@ WARNING - Running on unsupported Kubernetes version "1.{{.Capabilities.KubeVersi {{- if .Values.serviceAccount.name }} ------------------------------------------------------------------------------------- -WARNING - .serviceAccount.name has been deprecated, please migrate to newest version of the Helm Chart values +WARNING - .serviceAccount.name has been deprecated, please migrate to newest version of the Helm Chart values that allows overriding the service account name for each KEDA component ------------------------------------------------------------------------------------- {{- end }} diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml index 9619ad6e..550a5749 100644 --- a/keda/templates/manager/clusterrole.yaml +++ b/keda/templates/manager/clusterrole.yaml @@ -56,12 +56,15 @@ rules: resources: - '*/scale' verbs: - - get - - list - - patch - - update - - watch + - '*' {{- else }} +- apiGroups: + - apps + resources: + - deployments/scale + - statefulsets/scale + verbs: + - '*' {{- range .Values.rbac.scaledRefKinds }} - apiGroups: - {{ .apiGroup | quote }} @@ -69,11 +72,7 @@ rules: - {{ .kind | quote }} - {{ printf "%s/scale" .kind | quote }} verbs: - - get - - list - - patch - - update - - watch + - '*' {{- end }} {{- end }} {{- end }} diff --git a/keda/templates/manager/poddisruptionbudget.yaml b/keda/templates/manager/poddisruptionbudget.yaml index 4d087c63..dc423b8b 100644 --- a/keda/templates/manager/poddisruptionbudget.yaml +++ b/keda/templates/manager/poddisruptionbudget.yaml @@ -9,7 +9,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + app.kubernetes.io/name: {{ .Values.operator.name }} {{- include "keda.labels" . | indent 4 }} spec: {{- if .Values.podDisruptionBudget.minAvailable }} 
diff --git a/keda/templates/webhooks/poddisruptionbudget.yaml b/keda/templates/webhooks/poddisruptionbudget.yaml index 3e43c2a7..6fb22538 100644 --- a/keda/templates/webhooks/poddisruptionbudget.yaml +++ b/keda/templates/webhooks/poddisruptionbudget.yaml @@ -10,7 +10,7 @@ metadata: {{- toYaml . | nindent 4 }} {{- end }} labels: - app.kubernetes.io/name: {{ .Values.serviceAccount.name }} + app.kubernetes.io/name: {{ .Values.webhooks.name }} {{- include "keda.labels" . | indent 4 }} spec: {{- if .Values.podDisruptionBudget.minAvailable }} From 68ef2ae5d4c97e6f401bfea609ea8a7ae06f6e2a Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Thu, 11 Apr 2024 16:31:10 +0200 Subject: [PATCH 05/13] helm-docs Signed-off-by: Jirka Kremser --- keda/README.md | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/keda/README.md b/keda/README.md index 342cc0e0..c360e041 100644 --- a/keda/README.md +++ b/keda/README.md @@ -21,7 +21,7 @@ helm repo add kedacore https://kedacore.github.io/charts helm repo update kubectl create namespace keda -helm install keda kedacore/keda --namespace keda --version 2.13.0 +helm install keda kedacore/keda --namespace keda --version 2.13.1 ``` ## Introduction @@ -36,7 +36,7 @@ To install the chart with the release name `keda`: ```console $ kubectl create namespace keda -$ helm install keda kedacore/keda --namespace keda --version 2.13.0 +$ helm install keda kedacore/keda --namespace keda --version 2.13.1 ``` ## Uninstalling the Chart 
@@ -111,11 +111,9 @@ their default values. | `priorityClassName` | string | `""` | priorityClassName for all KEDA components | | `rbac.aggregateToDefaultRoles` | bool | `false` | Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) | | `rbac.create` | bool | `true` | Specifies whether RBAC should be used | +| `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether rbac for unseen crds that can have a scale subresource should be created | +| `rbac.scaledRefKinds` | string | `nil` | List of custom resources that support the scale subresource that can be referenced by `scaledobject.spec.scaleTargetRef` the feature needs to be also enabled by `enabledCustomScaledRefKinds` If left empty, rbac for `apiGroups: *` & `resources: */scale` will be created note: Deployments and StatefulSets are supported out of the box | | `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers | -| `serviceAccount.annotations` | object | `{}` | Annotations to add to the service account | -| `serviceAccount.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | -| `serviceAccount.create` | bool | `true` | Specifies whether a service account should be created | -| `serviceAccount.name` | string | `"keda-operator"` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | | `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | | `watchNamespace` | string | `""` | Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces | 
@@ -129,6 +127,7 @@ their default values. | `image.keda.tag` | string | `""` | Image tag of KEDA operator. Optional, given app version of Helm chart is used by default | | `logging.operator.format` | string | `"console"` | Logging format for KEDA Operator. allowed values: `json` or `console` | | `logging.operator.level` | string | `"info"` | Logging level for KEDA Operator. allowed values: `debug`, `info`, `error`, or an integer value greater than 0, specified as string | +| `logging.operator.stackTracesEnabled` | bool | `false` | If enabled, the stack traces will be also printed | | `logging.operator.timeEncoding` | string | `"rfc3339"` | Logging time encoding for KEDA Operator. allowed values are `epoch`, `millis`, `nano`, `iso8601`, `rfc3339` or `rfc3339nano` | | `operator.affinity` | object | `{}` | [Affinity] for pod scheduling for KEDA operator. Takes precedence over the `affinity` field | | `operator.disableCompression` | bool | `true` | Disable response compression for k8s restAPI in client-go. Disabling compression simply means that turns off the process of making data smaller for K8s restAPI in client-go for faster transmission. | 
@@ -139,13 +138,18 @@ their default values. | `operator.readinessProbe` | object | `{"failureThreshold":3,"initialDelaySeconds":20,"periodSeconds":3,"successThreshold":1,"timeoutSeconds":1}` | Readiness probes for operator ([docs](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)) | | `operator.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA operator. While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). | | `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) | -| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator | +| `permissions.operator.restrict.namesAllowList` | list | `[]` | Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account also the configured `watchNamespace`. 
the default is an empty array -> no restriction on the secret name | +| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace | | `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator | | `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] | | `podLabels.keda` | object | `{}` | Pod labels for KEDA operator | | `podSecurityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA operator pod | | `resources.operator` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA operator pod | | `securityContext.operator` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the operator container | +| `serviceAccount.operator.annotations` | object | `{}` | Annotations to add to the service account | +| `serviceAccount.operator.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | +| `serviceAccount.operator.create` | bool | `true` | Specifies whether a service account should be created | +| `serviceAccount.operator.name` | string | `"keda-operator"` | The name of the service account to use. | | `topologySpreadConstraints.operator` | list | `[]` | [Pod Topology Constraints] of KEDA operator pod | | `upgradeStrategy.operator` | object | `{}` | Capability to configure [Deployment upgrade strategy] for operator | | `volumes.keda.extraVolumeMounts` | list | `[]` | Extra volume mounts for KEDA deployment | 
@@ -180,6 +184,10 @@ their default values. | `service.portHttps` | int | `443` | HTTPS port for KEDA Metric Server service | | `service.portHttpsTarget` | int | `6443` | HTTPS port for KEDA Metric Server container | | `service.type` | string | `"ClusterIP"` | KEDA Metric Server service type | +| `serviceAccount.metricServer.annotations` | object | `{}` | Annotations to add to the service account | +| `serviceAccount.metricServer.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | +| `serviceAccount.metricServer.create` | bool | `true` | Specifies whether a service account should be created | +| `serviceAccount.metricServer.name` | string | `"keda-metrics-server"` | The name of the service account to use. | | `topologySpreadConstraints.metricsServer` | list | `[]` | [Pod Topology Constraints] of KEDA metrics apiserver pod | | `upgradeStrategy.metricsApiServer` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Metrics Api Server | | `volumes.metricsApiServer.extraVolumeMounts` | list | `[]` | Extra volume mounts for metric server deployment | 
@@ -288,8 +296,12 @@ their default values. | `podDisruptionBudget.webhooks` | object | `{}` | Capability to configure [Pod Disruption Budget] | | `podLabels.webhooks` | object | `{}` | Pod labels for KEDA Admission webhooks | | `podSecurityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Pod security context] of the KEDA admission webhooks | -| `resources.webhooks` | object | `{"limits":{"cpu":"50m","memory":"100Mi"},"requests":{"cpu":"10m","memory":"10Mi"}}` | Manage [resource request & limits] of KEDA admission webhooks pod | +| `resources.webhooks` | object | `{"limits":{"cpu":1,"memory":"1000Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}` | Manage [resource request & limits] of KEDA admission webhooks pod | | `securityContext.webhooks` | object | [See below](#KEDA-is-secure-by-default) | [Security context] of the admission webhooks container | +| `serviceAccount.webhooks.annotations` | object | `{}` | Annotations to add to the service account | +| `serviceAccount.webhooks.automountServiceAccountToken` | bool | `true` | Specifies whether a service account should automount API-Credentials | +| `serviceAccount.webhooks.create` | bool | `true` | Specifies whether a service account should be created | +| `serviceAccount.webhooks.name` | string | `"keda-webhook"` | The name of the service account to use. | | `topologySpreadConstraints.webhooks` | list | `[]` | [Pod Topology Constraints] of KEDA admission webhooks pod | | `upgradeStrategy.webhooks` | object | `{}` | Capability to configure [Deployment upgrade strategy] for Admission webhooks | | `volumes.webhooks.extraVolumeMounts` | list | `[]` | Extra volume mounts for admission webhooks deployment | From 9169fc2188dd832998782ae2b9354cf7b0aee884 Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Fri, 12 Apr 2024 10:54:03 +0200 Subject: [PATCH 06/13] review 
Signed-off-by: Jirka Kremser --- keda/templates/manager/clusterrole.yaml | 20 ++++++++--- keda/templates/manager/minimal-rbac.yaml | 1 + .../metrics-server/clusterrolebinding.yaml | 4 +-- .../metrics-server/serviceaccount.yaml | 33 +------------------ keda/templates/webhooks/clusterrole.yaml | 22 ------------- keda/templates/webhooks/serviceaccount.yaml | 5 +-- 6 files changed, 20 insertions(+), 65 deletions(-) diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml index 550a5749..3741adc4 100644 --- a/keda/templates/manager/clusterrole.yaml +++ b/keda/templates/manager/clusterrole.yaml @@ -56,7 +56,11 @@ rules: resources: - '*/scale' verbs: - - '*' + - get + - list + - patch + - update + - watch {{- else }} - apiGroups: - apps @@ -64,7 +68,11 @@ rules: - deployments/scale - statefulsets/scale verbs: - - '*' + - get + - list + - patch + - update + - watch {{- range .Values.rbac.scaledRefKinds }} - apiGroups: - {{ .apiGroup | quote }} @@ -72,7 +80,11 @@ rules: - {{ .kind | quote }} - {{ printf "%s/scale" .kind | quote }} verbs: - - '*' + - get + - list + - patch + - update + - watch {{- end }} {{- end }} {{- end }} @@ -107,8 +119,6 @@ rules: - apiGroups: - keda.sh resources: - - clustertriggerauthentications - - clustertriggerauthentications/status - scaledjobs - scaledjobs/finalizers - scaledjobs/status diff --git a/keda/templates/manager/minimal-rbac.yaml b/keda/templates/manager/minimal-rbac.yaml index 21af3eae..bc762161 100644 --- a/keda/templates/manager/minimal-rbac.yaml +++ b/keda/templates/manager/minimal-rbac.yaml @@ -73,6 +73,7 @@ rules: - keda.sh resources: - clustertriggerauthentications + - clustertriggerauthentications/status verbs: - '*' {{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} diff --git a/keda/templates/metrics-server/clusterrolebinding.yaml b/keda/templates/metrics-server/clusterrolebinding.yaml index 41ee911d..a81a8b7d 100644 
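Review bot: In the `{{- range .Values.rbac.scaledRefKinds }}` rule, `{{ .kind | quote }}` and `{{ printf "%s/scale" .kind | quote }}` are emitted as RBAC resource names, but RBAC matches on the lowercase plural resource (for example `rollouts`), not on the Kind a user sees in `scaleTargetRef` (`Rollout`); a value copied from a ScaledObject produces a rule that never matches and only surfaces as a Forbidden error at scale time. Nothing in this hunk validates or documents that form, and the values.yaml example later in this series (`# - apiGroup: argoproj.io`) is cut off here, so I can't tell whether it shows the plural. Add a comment in values.yaml above `scaledRefKinds`, e.g. `# kind: the RBAC resource name (lowercase, plural), e.g. rollouts -- not the Kind`, or consider renaming the key in a follow-up. The enclosing `rules:` list continues outside the hunk.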
--- a/keda/templates/metrics-server/clusterrolebinding.yaml +++ b/keda/templates/metrics-server/clusterrolebinding.yaml @@ -59,6 +59,6 @@ roleRef: name: {{ .Values.operator.name }}-external-metrics-reader subjects: - kind: ServiceAccount - name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} - namespace: {{ .Release.Namespace }} + name: horizontal-pod-autoscaler + namespace: kube-system {{- end -}} diff --git a/keda/templates/metrics-server/serviceaccount.yaml b/keda/templates/metrics-server/serviceaccount.yaml index 724d6227..7227699a 100644 --- a/keda/templates/metrics-server/serviceaccount.yaml +++ b/keda/templates/metrics-server/serviceaccount.yaml 
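Review bot: The `-external-metrics-reader` binding's subject is now the hard-coded `horizontal-pod-autoscaler` ServiceAccount in `kube-system`, with no comment saying why a KEDA ClusterRole is bound to an account the chart does not create. Add a comment above `subjects:`, e.g. `# Grants the in-tree HPA controller (kube-controller-manager) read access to the external metrics served by KEDA`. If some distributions run the HPA controller under a different account name or namespace (I can't confirm from here), exposing the subject as chart values would avoid a fork of this template. The ClusterRoleBinding's header lines are outside the hunk.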
@@ -4,45 +4,14 @@ kind: ServiceAccount metadata: labels: app.kubernetes.io/name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} - {{- if .Values.podIdentity.azureWorkload.enabled }} - azure.workload.identity/use: "true" - {{- end }} {{- include "keda.labels" . | nindent 4 }} - {{- if or .Values.podIdentity.azureWorkload.enabled .Values.podIdentity.aws.irsa.enabled ((.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations) .Values.podIdentity.gcp.enabled }} annotations: {{- if .Values.additionalAnnotations }} {{- toYaml .Values.additionalAnnotations | nindent 4 }} {{- end }} - {{- if .Values.podIdentity.azureWorkload.enabled }} - {{- if .Values.podIdentity.azureWorkload.clientId }} - azure.workload.identity/client-id: {{ .Values.podIdentity.azureWorkload.clientId | quote }} - {{- end }} - {{- if .Values.podIdentity.azureWorkload.tenantId }} - azure.workload.identity/tenant-id: {{ .Values.podIdentity.azureWorkload.tenantId | quote }} - {{- end }} - azure.workload.identity/service-account-token-expiration: {{ .Values.podIdentity.azureWorkload.tokenExpiration | quote }} - {{- end }} - {{- if .Values.podIdentity.aws.irsa.enabled }} - {{- if .Values.podIdentity.aws.irsa.audience }} - eks.amazonaws.com/audience: {{ .Values.podIdentity.aws.irsa.audience | quote }} - {{- end }} - {{- if .Values.podIdentity.aws.irsa.roleArn }} - eks.amazonaws.com/role-arn: {{ .Values.podIdentity.aws.irsa.roleArn | quote }} - {{- end }} - {{- if .Values.podIdentity.aws.irsa.stsRegionalEndpoints }} - eks.amazonaws.com/sts-regional-endpoints: {{ .Values.podIdentity.aws.irsa.stsRegionalEndpoints | quote }} - {{- end }} - eks.amazonaws.com/token-expiration: {{ .Values.podIdentity.aws.irsa.tokenExpiration | quote }} - {{- end }} - {{- if .Values.podIdentity.gcp.enabled }} - {{- if .Values.podIdentity.gcp.gcpIAMServiceAccount }} - iam.gke.io/gcp-service-account: {{ .Values.podIdentity.gcp.gcpIAMServiceAccount }} - {{- end 
}} - {{- end }} {{- if (.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations }} - {{- toYaml (.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations | nindent 4}} + {{- toYaml ((.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations) | nindent 4}} {{- end }} - {{- end }} name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} automountServiceAccountToken: {{ (.Values.serviceAccount.metricServer).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} diff --git a/keda/templates/webhooks/clusterrole.yaml b/keda/templates/webhooks/clusterrole.yaml index 26a091b9..d5808908 100644 --- a/keda/templates/webhooks/clusterrole.yaml +++ b/keda/templates/webhooks/clusterrole.yaml @@ -40,26 +40,4 @@ rules: - limitranges verbs: - list -{{- if and .Values.certificates.autoGenerated ( not .Values.certificates.certManager.enabled ) }} -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - apiregistration.k8s.io - resources: - - apiservices - verbs: - - get - - list - - patch - - update - - watch -{{- end }} {{- end -}} diff --git a/keda/templates/webhooks/serviceaccount.yaml b/keda/templates/webhooks/serviceaccount.yaml index 29012aeb..da5a83a2 100644 --- a/keda/templates/webhooks/serviceaccount.yaml +++ b/keda/templates/webhooks/serviceaccount.yaml 
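Review bot: With the `{{- if or ... }}` guard removed, `annotations:` is emitted unconditionally, so when neither `additionalAnnotations` nor a service-account `annotations` value is set the rendered manifest carries a bare `annotations:` key with a null value; the API server accepts that, but yamllint flags it and it differs from the previous output. Wrapping the key with `{{- if or .Values.additionalAnnotations ((.Values.serviceAccount.metricServer).annotations | default .Values.serviceAccount.annotations) }}` / `{{- end }}` keeps the old shape (the webhooks serviceaccount hunk in the next commit already has the same unconditional key, so both should move together). Separately, the Azure Workload Identity, IRSA and GCP annotations are dropped from this service account without a note; if the metrics server no longer needs cloud identity (it looks like only the operator keeps it, but this hunk does not show that), say so in the chart changelog, since users who granted cloud roles to this account will otherwise see a silent behaviour change.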
@@ -4,16 +4,13 @@ kind: ServiceAccount metadata: labels: app.kubernetes.io/name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} - {{- if .Values.podIdentity.azureWorkload.enabled }} - azure.workload.identity/use: "true" - {{- end }} {{- include "keda.labels" . | nindent 4 }} annotations: {{- if .Values.additionalAnnotations }} {{- toYaml .Values.additionalAnnotations | nindent 4 }} {{- end }} {{- if (.Values.serviceAccount.webhooks).annotations | default .Values.serviceAccount.annotations }} - {{- toYaml (.Values.serviceAccount.webhooks).annotations | default .Values.serviceAccount.annotations | nindent 4}} + {{- toYaml ((.Values.serviceAccount.webhooks).annotations | default .Values.serviceAccount.annotations) | nindent 4}} {{- end }} name: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} From bb34b093761a5c349683cdfcad21857200226071 Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Fri, 12 Apr 2024 12:41:26 +0200 Subject: [PATCH 07/13] removing todo Signed-off-by: Jirka Kremser --- keda/templates/metrics-server/clusterrolebinding.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/keda/templates/metrics-server/clusterrolebinding.yaml b/keda/templates/metrics-server/clusterrolebinding.yaml index a81a8b7d..cf877a2d 100644 --- a/keda/templates/metrics-server/clusterrolebinding.yaml +++ b/keda/templates/metrics-server/clusterrolebinding.yaml @@ -41,7 +41,6 @@ subjects: name: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} namespace: {{ .Release.Namespace }} --- -# todo this apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: From 6c063a7673ea188c4f21c4f3fa7ed420b3ac1020 Mon Sep 17 00:00:00 2001 From: Jirka Kremser Date: Fri, 12 Apr 2024 12:48:23 +0200 Subject: [PATCH 08/13] Make the automountServiceAccountToken configurable also for the deployments 
Signed-off-by: Jirka Kremser --- keda/templates/manager/deployment.yaml | 2 +- keda/templates/metrics-server/deployment.yaml | 2 +- keda/templates/webhooks/deployment.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/keda/templates/manager/deployment.yaml b/keda/templates/manager/deployment.yaml index 52771cda..4b4675c6 100644 --- a/keda/templates/manager/deployment.yaml +++ b/keda/templates/manager/deployment.yaml @@ -56,7 +56,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ (.Values.serviceAccount.operator).name | default .Values.serviceAccount.name }} - automountServiceAccountToken: true + automountServiceAccountToken: {{ (.Values.serviceAccount.operator).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} securityContext: {{- if .Values.podSecurityContext.operator }} {{- toYaml .Values.podSecurityContext.operator | nindent 8 }} diff --git a/keda/templates/metrics-server/deployment.yaml b/keda/templates/metrics-server/deployment.yaml index 38fef6bc..80cc4d84 100644 --- a/keda/templates/metrics-server/deployment.yaml +++ b/keda/templates/metrics-server/deployment.yaml @@ -58,7 +58,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ (.Values.serviceAccount.metricServer).name | default .Values.serviceAccount.name }} - automountServiceAccountToken: true + automountServiceAccountToken: {{ (.Values.serviceAccount.metricServer).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} securityContext: {{- if .Values.podSecurityContext.metricServer }} {{- toYaml .Values.podSecurityContext.metricServer | nindent 8 }} diff --git a/keda/templates/webhooks/deployment.yaml b/keda/templates/webhooks/deployment.yaml index fc8fe370..680401a5 100644 --- a/keda/templates/webhooks/deployment.yaml +++ b/keda/templates/webhooks/deployment.yaml 
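Review bot: `{{ (.Values.serviceAccount.operator).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }}` cannot express `false`: Helm's `default` treats a boolean `false` as empty, so `serviceAccount.operator.automountServiceAccountToken: false` silently falls back to the global value, which the README rows in this series show defaulting to `true`. The same expression appears in the metrics-server deployment hunk on this line and in the webhooks deployment hunk that follows (and, outside these hunks, in the three serviceaccount templates). Decide by key presence instead: `{{- $sa := .Values.serviceAccount.operator | default dict }}` followed by `automountServiceAccountToken: {{ ternary $sa.automountServiceAccountToken .Values.serviceAccount.automountServiceAccountToken (hasKey $sa "automountServiceAccountToken") }}`. Since disabling token automount is the hardening direction, a chart test that renders with the per-component key set to `false` would catch this regression.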
@@ -51,7 +51,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ (.Values.serviceAccount.webhooks).name | default .Values.serviceAccount.name }} - automountServiceAccountToken: true + automountServiceAccountToken: {{ (.Values.serviceAccount.webhooks).automountServiceAccountToken | default .Values.serviceAccount.automountServiceAccountToken }} securityContext: {{- if .Values.podSecurityContext.webhooks }} {{- toYaml .Values.podSecurityContext.webhooks | nindent 8 }} From 9736ebeec7f85ed6ab6ca7b22b4517d75d4e15b9 Mon Sep 17 00:00:00 2001 From: Jirka Kremser <535866+jkremser@users.noreply.github.com> Date: Fri, 12 Apr 2024 16:44:02 +0200 Subject: [PATCH 09/13] Update keda/README.md Co-authored-by: Jan Wozniak Signed-off-by: Jirka Kremser <535866+jkremser@users.noreply.github.com> --- keda/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keda/README.md b/keda/README.md index c360e041..9ef582de 100644 --- a/keda/README.md +++ b/keda/README.md 
@@ -111,7 +111,7 @@ their default values. | `priorityClassName` | string | `""` | priorityClassName for all KEDA components | | `rbac.aggregateToDefaultRoles` | bool | `false` | Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) | | `rbac.create` | bool | `true` | Specifies whether RBAC should be used | -| `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether rbac for unseen crds that can have a scale subresource should be created | +| `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether RBAC for configured CRDs that can have a `scale` subresource should be created | | `rbac.scaledRefKinds` | string | `nil` | List of custom resources that support the scale subresource that can be referenced by `scaledobject.spec.scaleTargetRef` the feature needs to be also enabled by `enabledCustomScaledRefKinds` If left empty, rbac for `apiGroups: *` & `resources: */scale` will be created note: Deployments and StatefulSets are supported out of the box | | `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers | | `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) | From ebcff90b55c0dc2dad0e703a1868df5ddccdcab1 Mon Sep 17 00:00:00 2001 From: Jirka Kremser <535866+jkremser@users.noreply.github.com> Date: Fri, 12 Apr 2024 16:44:16 +0200 Subject: [PATCH 10/13] Update keda/values.yaml Co-authored-by: Jan Wozniak Signed-off-by: Jirka Kremser <535866+jkremser@users.noreply.github.com> --- keda/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/keda/values.yaml b/keda/values.yaml index b9e377b6..ca694343 100644 --- a/keda/values.yaml +++ b/keda/values.yaml 
@@ -275,7 +275,7 @@ rbac: # -- Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) aggregateToDefaultRoles: false - # -- Whether rbac for unseen crds that can have a scale subresource should be created + # -- Whether RBAC for configured CRDs that can have a `scale` subresource should be created enabledCustomScaledRefKinds: true # -- List of custom resources that support the scale subresource that can be referenced by `scaledobject.spec.scaleTargetRef` # the feature needs to be also enabled by `enabledCustomScaledRefKinds` From d542a49485c5c00c32be35b37c58815273aa7b47 Mon Sep 17 00:00:00 2001 From: Jirka Kremser <535866+jkremser@users.noreply.github.com> Date: Fri, 12 Apr 2024 16:44:54 +0200 Subject: [PATCH 11/13] Update keda/README.md Co-authored-by: Jan Wozniak Signed-off-by: Jirka Kremser <535866+jkremser@users.noreply.github.com> --- keda/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/keda/README.md b/keda/README.md index 9ef582de..3957ae81 100644 --- a/keda/README.md +++ b/keda/README.md 
@@ -112,7 +112,8 @@ their default values.
 | `rbac.aggregateToDefaultRoles` | bool | `false` | Specifies whether RBAC for CRDs should be [aggregated](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles) to default roles (view, edit, admin) |
 | `rbac.create` | bool | `true` | Specifies whether RBAC should be used |
 | `rbac.enabledCustomScaledRefKinds` | bool | `true` | Whether RBAC for configured CRDs that can have a `scale` subresource should be created |
-| `rbac.scaledRefKinds` | string | `nil` | List of custom resources that support the scale subresource that can be referenced by `scaledobject.spec.scaleTargetRef` the feature needs to be also enabled by `enabledCustomScaledRefKinds` If left empty, rbac for `apiGroups: *` & `resources: */scale` will be created note: Deployments and StatefulSets are supported out of the box |
+| `rbac.scaledRefKinds` | string | `nil` | List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`. The feature needs to be also enabled by `enabledCustomScaledRefKinds`. If left empty, RBAC for `apiGroups: *` and `resources: */scale` will be created.
+note: `Deployments` and `StatefulSets` are always enabled |
 | `securityContext` | object | [See below](#KEDA-is-secure-by-default) | [Security context] for all containers |
 | `tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) |
 | `watchNamespace` | string | `""` | Defines Kubernetes namespaces to watch to scale their workloads. Default watches all namespaces |
From 2839e9d711bf92f6da3638ef4325668bfe71af72 Mon Sep 17 00:00:00 2001
From: Jirka Kremser <535866+jkremser@users.noreply.github.com>
Date: Fri, 12 Apr 2024 16:45:38 +0200
Subject: [PATCH 12/13] Update keda/values.yaml
Co-authored-by: Jan Wozniak
Signed-off-by: Jirka Kremser <535866+jkremser@users.noreply.github.com>
---
 keda/values.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/keda/values.yaml b/keda/values.yaml
index ca694343..75270c44 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
@@ -277,9 +277,9 @@ rbac:
   # -- Whether RBAC for configured CRDs that can have a `scale` subresource should be created
   enabledCustomScaledRefKinds: true
-  # -- List of custom resources that support the scale subresource that can be referenced by `scaledobject.spec.scaleTargetRef`
-  # the feature needs to be also enabled by `enabledCustomScaledRefKinds`
-  # If left empty, rbac for `apiGroups: *` & `resources: */scale` will be created
+  # -- List of custom resources that support the `scale` subresource and can be referenced by `scaledobject.spec.scaleTargetRef`.
+  # The feature needs to be also enabled by `enabledCustomScaledRefKinds`.
+  # If left empty, RBAC for `apiGroups: *` and `resources: */scale` will be created
   # note: Deployments and StatefulSets are supported out of the box
   scaledRefKinds:
   # - apiGroup: argoproj.io
From 1ad805c673c72c6325196df1408be7acd8db8b14 Mon Sep 17 00:00:00 2001
From: Jirka Kremser
Date: Mon, 15 Apr 2024 16:13:19 +0200
Subject: [PATCH 13/13] Give suggestion about the new version of config options for individual service accounts
Signed-off-by: Jirka Kremser
---
 keda/templates/NOTES.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/keda/templates/NOTES.txt b/keda/templates/NOTES.txt
index ff3957d4..ccc1325c 100644
--- a/keda/templates/NOTES.txt
+++ b/keda/templates/NOTES.txt
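Review bot: The context line `# note: Deployments and StatefulSets are supported out of the box` in this values.yaml hunk now disagrees with the README wording that PATCH 11 introduced for the same setting ("Deployments and StatefulSets are always enabled"); since the README table appears to mirror these comments, the values.yaml line should be changed in the same patch, e.g. `# note: Deployments and StatefulSets are always enabled`. The rewritten `If left empty ...` line also still reads as a neutral statement, while for a series titled "More secure rbac" the relevant fact is that an empty `scaledRefKinds` together with `enabledCustomScaledRefKinds: true` is the broad path (a rule over `*/scale` in every API group) and listing the kinds is how an operator narrows it; a one-line addition such as `# Leaving this empty keeps the wildcard rule; list the kinds you actually scale to restrict it` would make the least-privilege choice explicit. The enclosing `rbac:` mapping begins outside the hunk.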
@@ -61,7 +61,8 @@ WARNING - Running on unsupported Kubernetes version "1.{{.Capabilities.KubeVersi
 {{- if .Values.serviceAccount.name }}
 -------------------------------------------------------------------------------------
-WARNING - .serviceAccount.name has been deprecated, please migrate to newest version of the Helm Chart values that allows overriding the service account name for each KEDA component
+WARNING - .serviceAccount.name has been deprecated, please migrate to newest version of the Helm Chart values that allows overriding the service account name for each KEDA component.
+ New version: serviceAccount.{operator,metricServer,webhooks}.{create,name,automountServiceAccountToken,annotations}
 -------------------------------------------------------------------------------------
 {{- end }}