From bda878da3aa8309e7314893a2fa4b50491567446 Mon Sep 17 00:00:00 2001
From: Michael Zaccari
Date: Fri, 28 Mar 2025 09:07:32 -0400
Subject: [PATCH 1/2] Add knob for creating ClusterRoleBinding

A knob already exists for the ClusterRole. When deploying `nginx-ingress` into multiple namespaces within the same cluster, it is possible for the ClusterRoleBinding to be overwritten, causing the controllers to get into a bad state with their RBAC. Having this knob in place allows an operator to own the CRB and not compete against the helm chart when `rbac.clusterrolebinding.create: false`.
---
 charts/nginx-ingress/templates/clusterrolebinding.yaml | 2 +-
 charts/nginx-ingress/values.yaml | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/charts/nginx-ingress/templates/clusterrolebinding.yaml b/charts/nginx-ingress/templates/clusterrolebinding.yaml
index ed06c48ccb..2942b65497 100644
--- a/charts/nginx-ingress/templates/clusterrolebinding.yaml
+++ b/charts/nginx-ingress/templates/clusterrolebinding.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.rbac.create }}
+{{- if and .Values.rbac.create .Values.rbac.clusterrolebinding.create }}
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
diff --git a/charts/nginx-ingress/values.yaml b/charts/nginx-ingress/values.yaml
index d9af078893..5a97234352 100644
--- a/charts/nginx-ingress/values.yaml
+++ b/charts/nginx-ingress/values.yaml
@@ -602,6 +602,10 @@ rbac:
 ## Create ClusterRole
 create: true
+ clusterrolebinding:
+ ## Create ClusterRoleBinding
+ create: true
+
 prometheus:
 ## Expose NGINX or NGINX Plus metrics in the Prometheus format.
 create: true

From 82a0b104f9a79cf5370b753155cde306f1cf6b0c Mon Sep 17 00:00:00 2001
From: Michael Zaccari
Date: Fri, 28 Mar 2025 09:12:13 -0400
Subject: [PATCH 2/2] Update documentation for ClusterRoleBinding knob

---
 .../installation/installing-nic/installation-with-helm.md | 1 +
 1 file changed, 1 insertion(+)
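Review bot: The new guard on the first line of clusterrolebinding.yaml dereferences `.Values.rbac.clusterrolebinding.create` directly, so a render in which the `rbac.clusterrolebinding` map is absent would likely fail with a nil-pointer error instead of falling back to creating the binding. That can happen on `helm upgrade --reuse-values` from a release installed before this key existed, because the stored values then lack the new default. Reading the key with a default of true keeps the previous behaviour, for example `{{- if and .Values.rbac.create (dig "clusterrolebinding" "create" true .Values.rbac) }}`. The rest of the template (roleRef, subjects, the closing `end`) is outside the hunk.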
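Review bot: The comment `## Create ClusterRoleBinding` on the new `clusterrolebinding.create` key in values.yaml does not say what `false` leaves behind: with `rbac.create: true` the other RBAC objects are presumably still rendered, but nothing in the chart binds the ClusterRole to the release's ServiceAccount. I would spell that out, e.g. `## Create ClusterRoleBinding. Set to false only when a ClusterRoleBinding managed outside the chart names this release's ServiceAccount as a subject; otherwise the ClusterRole is bound to nothing.` An externally owned binding shared by several releases should list only the controller ServiceAccounts it is meant for, since every subject receives the role cluster-wide. The docs row added in patch 2/2 reuses the `controller.watchNamespace` wording from the ClusterRole row rather than the multi-namespace overwrite described in the commit message. The `rbac:` mapping starts above the hunk.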
diff --git a/site/content/installation/installing-nic/installation-with-helm.md b/site/content/installation/installing-nic/installation-with-helm.md
index e02fb019cf..63252a059d 100644
--- a/site/content/installation/installing-nic/installation-with-helm.md
+++ b/site/content/installation/installing-nic/installation-with-helm.md
@@ -464,6 +464,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 | **controller.enableWeightChangesDynamicReload** | Enable weight changes without reloading the NGINX configuration. May require increasing `map_hash_bucket_size`, `map_hash_max_size`, `variable_hash_bucket_size`, and `variable_hash_max_size` in the [ConfigMap](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/configmap-resource/) if there are many two-way splits. Requires `controller.nginxplus` | false |
 | **rbac.create** | Configures RBAC. | true |
 | **rbac.clusterrole.create** | Configures creation of ClusterRole. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true |
+| **rbac.clusterrolebinding.create** | Configures creation of ClusterRoleBinding. Creation can be disabled when more fine-grained control over RBAC is required. For example when controller.watchNamespace is used. | true |
 | **prometheus.create** | Expose NGINX or NGINX Plus metrics in the Prometheus format. | true |
 | **prometheus.port** | Configures the port to scrape the metrics. | 9113 |
 | **prometheus.scheme** | Configures the HTTP scheme to use for connections to the Prometheus endpoint. | http |