Allow Keda to request SA tokens (#728)

* Allow Keda to request SA tokens

Signed-off-by: Bojan Zelic <bnzelic@gmail.com>

* Allow Keda to request SA tokens

Signed-off-by: Bojan Zelic <bnzelic@gmail.com>

* Allow Keda to request SA tokens

Signed-off-by: Bojan Zelic <bnzelic@gmail.com>

---------

Signed-off-by: Bojan Zelic <bnzelic@gmail.com>
Bojan Zelic 2025-09-15 01:00:46 -07:00 committed by GitHub
parent a25ca18364
commit 6aa9877935
GPG Key ID: B5690EEEBB952194
3 changed files with 11 additions and 0 deletions

@ -145,6 +145,7 @@ their default values.
| `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) |
| `permissions.operator.restrict.namesAllowList` | list | `[]` | Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account also the configured `watchNamespace`. the default is an empty array -> no restriction on the secret name |
| `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace |
| `permissions.operator.restrict.allowAllServiceAccountTokenCreation` | bool | `false` | Restrict Service Account Token Creation Access for KEDA operator |
| `permissions.operator.restrict.serviceAccountTokenCreationRoles` | list | `[]` | Creates roles and rolebindings from namespaced service accounts in the array which allow the KEDA operator to request service account tokens for use with the boundServiceAccountToken trigger source. If the namespace does not exist, this will cause the helm chart installation to fail. |
| `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator |
| `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] |
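Review bot: the description added for `permissions.operator.restrict.allowAllServiceAccountTokenCreation` reads as the opposite of what the flag does. Per the template change in this PR, setting it to `true` adds a rule granting `create` on `serviceaccounts/token`, so the flag grants rather than restricts access; "Restrict Service Account Token Creation Access for KEDA operator" will mislead operators reviewing their RBAC. Suggest something like: "If true, grants the KEDA operator permission to create tokens for any service account in the role's scope (no `resourceNames` restriction). Prefer `serviceAccountTokenCreationRoles` to scope token creation to specific service accounts." It is also worth stating, as the `namesAllowList` row does for secrets, that `serviceaccounts/token` create is effectively the ability to act as those service accounts, so the cluster-wide form should be called out as a privilege-escalation risk.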

@ -24,6 +24,14 @@ rules:
- get
- list
- watch
{{- if eq .Values.permissions.operator.restrict.allowAllServiceAccountTokenCreation true }}
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create
{{- end }}
- apiGroups:
- ""
resources:
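Review bot: the new `serviceaccounts/token` / `create` rule has no `resourceNames` and is gated only by the boolean, so wherever this template's `rules:` block is bound, the operator can mint a token for every service account in that scope; if this file is the cluster-scoped role, that is cluster-wide token minting and should be documented as such in the README and the values comment, and the more narrowly scoped `serviceAccountTokenCreationRoles` path should be recommended as the default. Minor style point: `{{- if eq .Values.permissions.operator.restrict.allowAllServiceAccountTokenCreation true }}` can be written as `{{- if .Values.permissions.operator.restrict.allowAllServiceAccountTokenCreation }}`, matching how booleans are usually tested elsewhere in Helm templates and avoiding a string/bool mismatch if a user sets the value as `"true"`.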

@ -872,6 +872,8 @@ permissions:
serviceAccountTokenCreationRoles: []
# - name: myServiceAccount
# namespace: myServiceAccountNamespace
# -- Allow Keda to access all Service Token for KEDA operator
allowAllServiceAccountTokenCreation: false
# -- Array of extra K8s manifests to deploy
extraObjects: []
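Review bot: the values comment `# -- Allow Keda to access all Service Token for KEDA operator` is ungrammatical and does not say what the flag actually grants; since this `# --` comment is what ends up in the generated README, it should match the template behaviour. Suggest: `# -- If true, grants the KEDA operator permission to create tokens for all service accounts (serviceaccounts/token create). Prefer serviceAccountTokenCreationRoles to scope this to specific service accounts.` Also, the commented example under `serviceAccountTokenCreationRoles` appears with `# - name:` and `# namespace:` at the same indentation; make sure `namespace` is indented under `name` in the actual file so that uncommenting it yields a valid list item.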