helm: grant hub tokenreviews and label worker pods for internal auth (#1926)

* helm: grant hub tokenreviews and pass trusted controllers

Adds RBAC for hub to call the authentication.k8s.io/v1 TokenReview
endpoint, used by the new internalauth middleware to validate projected
ServiceAccountTokens presented by in-cluster gRPC callers.

Adds tap.internalAuth.trustedControllers value (empty by default),
threaded through to hub's -trusted-controllers flag as a CSV. Listing
a controller here lets pods owned by it authenticate to hub via the
projected SA token (audience kubeshark-hub). Hub-spawned Jobs are
always trusted regardless of this list. Hub matches OwnerReferences
by name AND UID, so a name-only forgery does not grant trust.

Sub-issue of kubeshark/hub#656.

* helm: inline trusted controllers in hub deployment template

The chart already knows its own controller names (worker DaemonSet
metadata.name is the literal "kubeshark-worker-daemon-set" in
09-worker-daemon-set.yaml). Pasting the same literal into a user-facing
tap.internalAuth.trustedControllers value adds a step without buying
anything — if the worker DS is renamed, the deployment template would have
to change in lockstep regardless.

Drop the values knob, render the flag unconditionally with the literal
worker DS name (matching the convention used elsewhere in this chart,
e.g. the hub deployment's {{ include "kubeshark.name" . }}-hub).

* helm: drop redundant comment on tokenreviews RBAC

* helm: drop -trusted-controllers flag (no caller today)

The flag was wiring forward-prep for a hypothetical worker->hub gRPC
caller from the DaemonSet. Hub-spawned Jobs (dissection-job) are
admitted via internalauth.RegisterSpawnedJob, not via this flag.
Re-add when an actual DaemonSet-deployed caller materializes.

* helm: label worker DS pods for hub internal auth

Worker pods don't call hub gRPC today, but pre-labeling the DS pod
template means a future worker->hub gRPC caller is one PR (worker-side)
away from working — no chart change required. Matches the generic
label-driven trust model in hub#783.

* helm: rename trust label to kubeshark.io/internal-auth

Matches the hub rename. Generic name so the same label can mark pods
trusted by future kubeshark services beyond hub.
Volodymyr Stoiko
2026-05-13 20:53:20 +03:00
committed by GitHub
parent 8186b7891b
commit 7b5954ea00
2 changed files with 7 additions and 0 deletions

@@ -44,6 +44,12 @@ rules:
- create
- update
- delete
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
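Review bot: the new `tokenreviews` / `create` rule only works if the document it is added to is a ClusterRole, because TokenReview is a cluster-scoped (non-namespaced) API; the hunk header shows only `rules:` and the trailing context shows the *next* document is a `kind: Role`, so the kind of the enclosing document cannot be confirmed from this hunk and should be checked, along with the ClusterRoleBinding that ties it to hub's ServiceAccount. Restricting verbs to `create` alone is the right minimum for calling the TokenReview endpoint. A quick post-install check is `kubectl auth can-i create tokenreviews --as=system:serviceaccount:<namespace>:<hub-sa>` (placeholders for the chart's namespace and hub ServiceAccount name).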

@@ -21,6 +21,7 @@ spec:
metadata:
labels:
app.kubeshark.com/app: worker
kubeshark.io/internal-auth: "true"
{{- include "kubeshark.labels" . | nindent 8 }}
name: kubeshark-worker-daemon-set
namespace: kubeshark
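Review bot: `kubeshark.io/internal-auth: "true"` is a pod label, and any principal with pod create or patch permission in the namespace can set the same label, so on the hub side this label must remain a selector that narrows which pods are considered, not the thing that grants trust; the commit message describes trust as the TokenReview-validated projected SA token (audience kubeshark-hub) plus OwnerReference name-and-UID matching, and hub#783 should be checked to confirm the label is only combined with those. Quoting the value as `"true"` is correct and should stay quoted, since an unquoted `true` is a YAML boolean and label values must be strings. One ordering point: the literal labels precede `{{- include "kubeshark.labels" . | nindent 8 }}`, so if that helper ever emits the same key the rendered template would contain a duplicate map key.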