feat: add clusterAccess option for Kubernetes RBAC #18

Merged
cpfarhood merged 2 commits from feat/cluster-access-rbac into main 2026-02-20 16:31:35 +00:00
cpfarhood commented 2026-02-20 16:25:42 +00:00 (Migrated from github.com)

Summary

Adds a clusterAccess value to the Helm chart that controls what Kubernetes RBAC is provisioned for the devcontainer pod.

| Value | Resources created | Access |
|-------|-------------------|--------|
| `none` (default) | none | no cluster access |
| `readonlyns` | ServiceAccount + Role + RoleBinding | get/list/watch all resources in release namespace |
| `readwritens` | ServiceAccount + Role + RoleBinding | full access to all resources in release namespace |
| `readonly` | ServiceAccount + ClusterRole + ClusterRoleBinding | get/list/watch all resources cluster-wide |
| `readwrite` | ServiceAccount + ClusterRole + ClusterRoleBinding | full access to all resources cluster-wide |

The ServiceAccount is bound to the Deployment via serviceAccountName whenever clusterAccess != none.

Usage

```yaml
# values override
clusterAccess: readonlyns
```

Test plan

  • helm template with each access level renders expected resources
  • clusterAccess: none (default) produces no ServiceAccount/Role/Binding resources
  • Deploy with readonlyns — confirm pod can kubectl get pods -n <ns> but not cluster-wide
  • Deploy with readonly — confirm pod can kubectl get nodes
  • Deploy with none — confirm no cluster API access

🤖 Generated with Claude Code
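One way to render the five access levels from the table above as a single Helm template, written here as an added example rather than the chart's own template: the namespaced levels produce a Role/RoleBinding, the cluster-wide levels a ClusterRole/ClusterRoleBinding, the read-only levels get only get/list/watch, and an unrecognised value makes `helm template` fail instead of silently granting a Role. The resource name `<release>-devcontainer` is an assumption, not taken from the chart.

```yaml
{{- /* Added example template; resource naming is assumed, not the chart's own */ -}}
{{- $access := .Values.clusterAccess | default "none" }}
{{- $valid := list "none" "readonlyns" "readwritens" "readonly" "readwrite" }}
{{- if not (has $access $valid) }}
{{- fail (printf "clusterAccess must be one of %s, got %q" (join ", " $valid) $access) }}
{{- end }}
{{- if ne $access "none" }}
{{- $clusterWide := has $access (list "readonly" "readwrite") }}
{{- $readOnly := has $access (list "readonly" "readonlyns") }}
{{- $name := printf "%s-devcontainer" .Release.Name }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ $name }}
  namespace: {{ .Release.Namespace }}
---
# Role for the namespaced levels, ClusterRole for the cluster-wide ones
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ ternary "ClusterRole" "Role" $clusterWide }}
metadata:
  name: {{ $name }}
  {{- if not $clusterWide }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    # read-only levels get the three read verbs; read-write levels get every verb
    verbs: {{ ternary (list "get" "list" "watch") (list "*") $readOnly | toJson }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: {{ ternary "ClusterRoleBinding" "RoleBinding" $clusterWide }}
metadata:
  name: {{ $name }}
  {{- if not $clusterWide }}
  namespace: {{ .Release.Namespace }}
  {{- end }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: {{ ternary "ClusterRole" "Role" $clusterWide }}
  name: {{ $name }}
subjects:
  - kind: ServiceAccount
    name: {{ $name }}
    namespace: {{ .Release.Namespace }}
{{- end }}
```

Note that `readwrite` with `*` verbs on `*` resources is equivalent to cluster-admin for the pod, so it should be treated as such when deciding who may set it. The test plan's checks can be run before any pod is deployed with `kubectl auth can-i --list --as=system:serviceaccount:<ns>:<release>-devcontainer`.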
