Skip to content

feat: add helm var to support RBAC for deploying workspaces in extra namespaces #19517

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rowansmithau merged 17 commits into from
Sep 18, 2025
Merged

feat: add helm var to support RBAC for deploying workspaces in extra namespaces #19517

rowansmithau merged 17 commits into from
Sep 18, 2025

Conversation

@rowansmithau
Copy link
Contributor

@rowansmithau rowansmithau commented Aug 25, 2025
edited
Loading

This is a feature to create Role & RoleBinding entries on a per namespace basis to support deploying workspaces in separate namespace to where Coder is deployed. The idea behind this is to avoid the creation of custom RBAC entries or the use of ClusterRoles (in order to maintain priciple of least privilege).

If you have used AI to produce some or all of this PR, please ensure you have read our AI Contribution guidelines before submitting.

This is a blink assisted PR.

Example helm template without coder.serviceAccount.workspaceNamespaces enabled (existing behaviour as of current release) is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (.Release.Namespace) namespace.

➜  coder git:(feat/helm_namespace_rbac_improvements) ✗ helm template -n coder coder . --set coder.image.tag=v2.25.1
---
...
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---

Example helm template with coder.serviceAccount.workspaceNamespaces enabled is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (.Release.Namespace) namespace PLUS a Role and RoleBinding in the dev-ws namespace with each of the RoleBindings referencing the coder SA in the coder (.Release.Namespace) namespace:

➜  coder git:(feat/helm_namespace_rbac_improvements) ✗ helm template -n coder coder . --set coder.image.tag=v2.25.1 --set-json 'coder.serviceAccount.workspaceNamespaces=[{"name":"dev-ws","workspacePerms":true,"enableDeployments":true,"extraRules":[]}]' 
---
...
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: dev-ws
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: dev-ws
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: coder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---

@rowansmithau
feature to create Role & RoleBinding entries on a per namespace basis…
ae9822b 
… to support deploying workspaces in separate namespace to where Coder is deployed
@rowansmithau
default new param to false
96db050
@rowansmithau rowansmithau added the helm Area: helm chart label Aug 25, 2025
@rowansmithau rowansmithau changed the title feat: new helm parameter to support provisioning RBAC for deploying workspaces in additional namespaces feat: helm var to support RBAC for deploying workspaces in extra namespaces Aug 25, 2025
@rowansmithau rowansmithau changed the title feat: helm var to support RBAC for deploying workspaces in extra namespaces feat: add helm var to support RBAC for deploying workspaces in extra namespaces Aug 25, 2025
deansheather
deansheather reviewed Aug 27, 2025
View reviewed changes
@github-actions github-actions bot added the stale This issue is like stale bread. label Sep 4, 2025
@rowansmithau rowansmithau force-pushed the feat/helm_namespace_rbac_improvements branch from df3b609 to 28158a9 Compare September 8, 2025 01:11
deansheather
deansheather reviewed Sep 8, 2025
View reviewed changes
deansheather
deansheather reviewed Sep 10, 2025
View reviewed changes
Copy link
Member

@deansheather deansheather left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, would like to see a new test which flexes all of the new functionality for this though

deansheather
deansheather approved these changes Sep 17, 2025
View reviewed changes
Copy link
Member

@deansheather deansheather left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code looks good, and the generated RBAC looks correct as well

@rowansmithau rowansmithau merged commit 6238937 into main Sep 18, 2025
28 checks passed
@rowansmithau rowansmithau deleted the feat/helm_namespace_rbac_improvements branch September 18, 2025 04:27
@github-actions github-actions bot locked and limited conversation to collaborators Sep 18, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@deansheather deansheather deansheather approved these changes

Assignees

@rowansmithau rowansmithau

Labels

helm Area: helm chart stale This issue is like stale bread.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rowansmithau @deansheather