refactor: Scope exporter RBAC to namespace for least privilege

Changed the exporter's ClusterRole and ClusterRoleBinding to a namespaced Role and RoleBinding.

This modification ensures that the exporter, by default, only has permissions to get, list, and watch pods within its own installation namespace. This aligns with the default behavior of IPERF_SERVER_NAMESPACE, which also defaults to the pod's own namespace, thereby adhering more strictly to the principle of least privilege.

Verified with `helm template` that the Role and RoleBinding are correctly created within the release namespace.

charts/iperf3-monitor/templates/rbac.yaml

@@ -7,9 +7,10 @@ metadata:
     {{- include "iperf3-monitor.labels" . | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: {{ include "iperf3-monitor.fullname" . }}-role
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "iperf3-monitor.labels" . | nindent 4 }}
 rules:
@@ -18,9 +19,10 @@ rules:
     verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: {{ include "iperf3-monitor.fullname" . }}-rb
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "iperf3-monitor.labels" . | nindent 4 }}
 subjects:
@@ -28,7 +30,7 @@ subjects:
     name: {{ include "iperf3-monitor.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
-  kind: ClusterRole
+  kind: Role # Changed from ClusterRole
   name: {{ include "iperf3-monitor.fullname" . }}-role
   apiGroup: rbac.authorization.k8s.io
 {{- end -}}

charts/iperf3-monitor/templates/service.yaml

@@ -11,7 +11,7 @@ spec:
     {{- include "iperf3-monitor.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: exporter
   ports:
-    - name: metrics
+    - name: metrics # Assuming 'metrics' is the intended name, aligns with values structure
-      port: {{ .Values.service.port }}
+      port: {{ .Values.service.main.ports.metrics.port }}
-      targetPort: {{ .Values.service.targetPort }}
+      targetPort: {{ .Values.service.main.ports.metrics.targetPort }}
-      protocol: TCP
+      protocol: {{ .Values.service.main.ports.metrics.protocol | default "TCP" }}

charts/iperf3-monitor/values.yaml

@@ -86,13 +86,15 @@ controllers:
           #       key: mykey
 
         # -- Ports for the exporter container.
+        # Expected by Kubernetes and bjw-s common library as a list of objects.
         ports:
-          metrics: # Name of the port, will be used in Service definition
+          - name: metrics # Name of the port, referenced by Service's targetPort
             # -- Port number for the metrics endpoint on the container.
-            port: 9876 # Default, should match service.targetPort
+            containerPort: 9876
             # -- Protocol for the metrics port.
-            protocol: TCP # Common library defaults to TCP if not specified.
+            protocol: TCP
-            enabled: true # This port is enabled
+            # -- Whether this port definition is enabled. Specific to bjw-s common library.
+            enabled: true
 
         # -- CPU and memory resource requests and limits for the exporter container.
         resources: