feat: add helm var to support RBAC for deploying workspaces in extra namespaces #19517


Open · wants to merge 3 commits into base: main

Conversation

rowansmithau
Contributor

This is a feature to create Role & RoleBinding entries on a per-namespace basis to support deploying workspaces in a separate namespace to where Coder is deployed. The idea behind this is to avoid the creation of custom RBAC entries or the use of ClusterRoles (in order to maintain the principle of least privilege).

If you have used AI to produce some or all of this PR, please ensure you have read our AI Contribution guidelines before submitting.

This is a blink assisted PR.

Example helm template without coder.serviceAccount.workspaceNamespaces.enabled enabled (existing behaviour as of current release) is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (.Release.Namespace) namespace.

➜  helm git:(feat/helm_namespace_rbac_improvements) helm template -n coder coder coder --set coder.image.tag=2.25.1 --set coder.serviceAccount.workspaceNamespaces.enabled=false
---
# Source: coder/templates/coder.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/instance: coder
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: coder
    app.kubernetes.io/part-of: coder
    app.kubernetes.io/version: 0.1.0
    helm.sh/chart: coder-0.1.0
  name: coder
  namespace: coder
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/service.yaml

Example helm template with coder.serviceAccount.workspaceNamespaces.enabled enabled is below. Outcome = 1 x SA, 1 x Role, 1 x RoleBinding, all in the coder (.Release.Namespace) namespace PLUS a Role and RoleBinding in each of the dev and staging namespaces with each of the RoleBindings referencing the coder SA in the coder namespace:

➜  helm git:(feat/helm_namespace_rbac_improvements) helm template -n coder coder coder --set coder.image.tag=2.25.1 --set coder.serviceAccount.workspaceNamespaces.enabled=true --set "coder.serviceAccount.workspaceNamespaces.namespaces={dev,staging}"
---
# Source: coder/templates/coder.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations: {}
  labels:
    app.kubernetes.io/instance: coder
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: coder
    app.kubernetes.io/part-of: coder
    app.kubernetes.io/version: 0.1.0
    helm.sh/chart: coder-0.1.0
  name: coder
  namespace: coder
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: coder
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: dev
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: coder-workspace-perms
  namespace: staging
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups: [""]
    resources: ["persistentvolumeclaims"]
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - deletecollection
    - get
    - list
    - patch
    - update
    - watch
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: coder
subjects:
  - kind: ServiceAccount
    name: "coder"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: dev
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: coder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: "coder"
  namespace: staging
subjects:
  - kind: ServiceAccount
    name: "coder"
    namespace: coder
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: coder-workspace-perms
---
# Source: coder/templates/service.yaml
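As an added example (not code from the PR or the Coder chart), the following Python check takes the documents that `yaml.safe_load_all()` returns for the `helm template` output above and asserts the least-privilege shape the description claims: no cluster-scoped RBAC, Roles and RoleBindings only in the release and workspace namespaces, and every RoleBinding granting the role to the `coder` ServiceAccount in the release namespace. The namespace set, role name and SA name are taken from the rendered output; `check_rbac`, `role`, `binding`, `GOOD` and `BAD` are assumed helper names, and the sample documents are constructed here.

```python
# Added example, not code from the PR or the Coder chart: invariants a reviewer
# can assert on `helm template` output before applying it. Input is the list of
# dicts yaml.safe_load_all() yields; the samples below are hand-constructed.

RELEASE_NS = "coder"               # .Release.Namespace
WORKSPACE_NS = {"dev", "staging"}  # coder.serviceAccount.workspaceNamespaces.namespaces
ROLE_NAME = "coder-workspace-perms"
SA_NAME = "coder"

def check_rbac(docs):
    """Return a list of findings; an empty list means the render is as expected."""
    findings, role_ns, binding_ns = [], set(), set()
    for d in docs:
        kind, meta = d.get("kind"), d.get("metadata", {})
        ns = meta.get("namespace")
        if kind in ("ClusterRole", "ClusterRoleBinding"):
            findings.append(f"cluster-scoped {kind} {meta.get('name')} present")
        elif kind == "Role":
            role_ns.add(ns)
        elif kind == "RoleBinding":
            binding_ns.add(ns)
            for s in d.get("subjects", []):
                # A subject with no namespace means the SA in the binding's own
                # namespace, which outside the release namespace is a different SA.
                subj_ns = s.get("namespace", ns)
                if (s.get("kind"), s.get("name"), subj_ns) != ("ServiceAccount", SA_NAME, RELEASE_NS):
                    findings.append(f"RoleBinding in {ns} binds {s.get('kind')} {subj_ns}/{s.get('name')}")
            ref = d.get("roleRef", {})
            if (ref.get("kind"), ref.get("name")) != ("Role", ROLE_NAME):
                findings.append(f"RoleBinding in {ns} references {ref.get('kind')} {ref.get('name')}")
    expected = WORKSPACE_NS | {RELEASE_NS}
    for label, got in (("Role", role_ns), ("RoleBinding", binding_ns)):
        if got != expected:
            findings.append(f"{label} namespaces {sorted(got)} != {sorted(expected)}")
    return findings

def role(ns):
    return {"kind": "Role", "metadata": {"name": ROLE_NAME, "namespace": ns}}

def binding(ns, subject_ns=None):
    subject = {"kind": "ServiceAccount", "name": SA_NAME, **({"namespace": subject_ns} if subject_ns else {})}
    return {"kind": "RoleBinding", "metadata": {"name": SA_NAME, "namespace": ns},
            "subjects": [subject], "roleRef": {"kind": "Role", "name": ROLE_NAME}}

# Constructed: shape of the PR's enabled=true render (subject namespace set only for the extra namespaces).
GOOD = [role("coder"), role("dev"), role("staging"),
        binding("coder"), binding("dev", "coder"), binding("staging", "coder")]
# Constructed pitfall: the dev binding omits subjects[].namespace, so it binds dev/coder, not coder/coder.
BAD = [role("coder"), role("dev"), binding("coder"), binding("dev")]
```

Run it against the real render with `check_rbac(list(yaml.safe_load_all(open("rendered.yaml"))))` after filtering out `None` documents; a non-empty result is the list of deviations to raise in review.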

… to support deploying workspaces in separate namespace to where Coder is deployed
@rowansmithau rowansmithau added the helm Area: helm chart label Aug 25, 2025
@rowansmithau rowansmithau changed the title feat: new helm parameter to support provisioning RBAC for deploying workspaces in additional namespaces feat: helm var to support RBAC for deploying workspaces in extra namespaces Aug 25, 2025
@rowansmithau rowansmithau changed the title feat: helm var to support RBAC for deploying workspaces in extra namespaces feat: add helm var to support RBAC for deploying workspaces in extra namespaces Aug 25, 2025
Labels
helm Area: helm chart