PLATFORM-2481 - allow prometheus-operator to modify deployments and stateful...

PLATFORM-2481 - allow prometheus-operator to modify deployments and stateful sets in tenant namespaces Changelog: updated

PLATFORM-2481 - allow prometheus-operator to modify deployments and stateful...
PLATFORM-2481 - allow prometheus-operator to modify deployments and stateful sets in tenant namespaces Changelog: updated
83ea2694 · Brandon Booker · 95f49f85 · 83ea2694 · 83ea2694 · 83ea2694
Commit 83ea2694 authored 10 months ago by Brandon Booker
--- a/Chart.yaml
+++ b/Chart.yaml
 apiVersion: v2
 name: constraint-templates
-version: 1.6.1
+version: 1.6.2
 appVersion: 1.0.0
--- a/rego/allow_rollout_restart_deployment/policy.rego
+++ b/rego/allow_rollout_restart_deployment/policy.rego
@@ -3,6 +3,7 @@ package allow_rollout_restart_deployment
 # Violation caused when user is not the local flux, nor stakater-reloader, and not in the admin group, trying to use UPDATE to change a DEPLOYMENT. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
+    not input.review.userInfo.username == "system:serviceaccount:platform-prometheus-stack:prometheus-kube-prometheus-operator"
    flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
    not input.review.userInfo.username == flux_username
    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")

--- a/rego/allow_rollout_restart_statefulset/policy.rego
+++ b/rego/allow_rollout_restart_statefulset/policy.rego
@@ -3,6 +3,7 @@ package allow_rollout_restart_statefulset
 # Violation caused when user is not local flux, not the stakater-reloader, and not in the admin group, trying to use UPDATE to change a StatefulSet. The old annotations get patched with a value to build the datastructure, but it gets removed in the next step, so the value is innocuous.
 violation[{"msg": msg}] {
    not input.review.userInfo.username == "system:serviceaccount:platform-stakater-reloader:stakater-reloader"
+    not input.review.userInfo.username == "system:serviceaccount:platform-prometheus-stack:prometheus-kube-prometheus-operator"
    flux_username := concat("",["system:serviceaccount:",input.review.namespace,":flux"])
    not input.review.userInfo.username == flux_username
    not contains(input.review.userInfo.groups, "oidc:it.platform.roles.admin")