rackerlabs · rackerchris · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025 · Oct 9, 2025
diff --git a/applications/base/services/rbac-manager/README.md b/applications/base/services/rbac-manager/README.md
@@ -0,0 +1,14 @@
+# RBAC Manager – Base Configuration
+
+This directory contains the **base manifests** for deploying [RBAC Manager](https://github.com/FairwindsOps/rbac-manager), a Kubernetes operator that simplifies the management of RoleBindings and ClusterRoleBindings.  
+It is designed to be **consumed by cluster repositories** as a remote base, allowing each cluster to apply **custom overrides** as needed.
+
+**About RBAC Manager:**
+
+- Automates the creation and maintenance of **Kubernetes RBAC roles and bindings** using declarative configurations.  
+- Introduces the `RBACDefinition` custom resource to manage multiple roles and bindings in a single YAML file.  
+- Simplifies access control management for users, groups, and service accounts across namespaces.  
+- Reduces manual errors and configuration drift by keeping RBAC resources consistent and version-controlled.  
+- Supports both **namespaced** and **cluster-wide** role management, making it suitable for multi-team or multi-tenant clusters.  
+- Commonly used to manage platform-level access, application team permissions, and read-only auditor roles.  
+- Improves security and governance by providing a consistent and automated approach to RBAC configuration.  
diff --git a/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml b/applications/base/services/rbac-manager/helm-values/hardened-values-1.21.1.yaml
@@ -0,0 +1,129 @@
+---
+# Hardened values for rbac-manager v1.21.1 (app version v1.9.2)
+# RBAC Manager for automated RBAC management
+# Based on official Fairwinds chart values and documentation
+
+# Image configuration
+image:
+  repository: quay.io/reactiveops/rbac-manager
+  tag: v1.9.2
+  digest: ""
+  pullPolicy: Always
+  imagePullSecrets: []
+
+# Install CRDs
+installCRDs: true
+
+# CRD configuration
+crds:
+  additionalLabels:
+    app.kubernetes.io/component: rbac-manager
+    app.kubernetes.io/part-of: openCenter
+
+# RBAC configuration
+rbac:
+  additionalLabels:
+    app.kubernetes.io/component: rbac-manager
+    app.kubernetes.io/part-of: openCenter
+
+# Resource management - aligned with official defaults but with hardened limits
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 200m
+    memory: 256Mi
+
+# Priority class for system-critical workload
+priorityClassName: "system-cluster-critical"
+
+# Node scheduling
+nodeSelector:
+  kubernetes.io/os: linux
+
+# Tolerations for system nodes
+tolerations:
+  - key: node-role.kubernetes.io/control-plane
+    operator: Exists
+    effect: NoSchedule
+  - key: node-role.kubernetes.io/master
+    operator: Exists
+    effect: NoSchedule
+
+# Affinity for better distribution
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+              - key: app.kubernetes.io/name
+                operator: In
+                values:
+                  - rbac-manager
+          topologyKey: kubernetes.io/hostname
+
+# Pod annotations for enhanced monitoring
+podAnnotations:
+  cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+  prometheus.io/scrape: "true"
+  prometheus.io/port: "8080"
+  prometheus.io/path: "/metrics"
+
+# Pod labels
+podLabels:
+  app.kubernetes.io/component: rbac-manager
+  app.kubernetes.io/part-of: openCenter
+
+# Pod security context - enhanced security
+podSecurityContext:
+  runAsNonRoot: true
+  runAsUser: 65534
+  runAsGroup: 65534
+  fsGroup: 65534
+  seccompProfile:
+    type: RuntimeDefault
+
+# Container security context - official recommendations with enhancements
+securityContext:
+  allowPrivilegeEscalation: false
+  privileged: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  capabilities:
+    drop:
+      - ALL
+
+# Deployment labels
+deploymentLabels:
+  app.kubernetes.io/component: rbac-manager
+  app.kubernetes.io/part-of: openCenter
+
+# Service Monitor for Prometheus - enabled with proper configuration
+serviceMonitor:
+  enabled: true
+  additionalLabels:
+    app.kubernetes.io/component: rbac-manager
+    app.kubernetes.io/part-of: openCenter
+  annotations:
+    prometheus.io/scrape: "true"
+  namespace: rbac-system
+  interval: 30s
+  relabelings:
+    - sourceLabels: [__meta_kubernetes_pod_name]
+      targetLabel: pod
+    - sourceLabels: [__meta_kubernetes_namespace]
+      targetLabel: namespace
+
+# Extra arguments for enhanced functionality
+extraArgs:
+  # Enable metrics endpoint
+  metrics-address: "0.0.0.0:8042"
+  # Set log level
+  v: "2"
+  # Enable leader election for HA
+  # leader-elect: "true"
+  # Set reconcile period
+  # sync-period: "30s"
diff --git a/applications/base/services/rbac-manager/helmrelease.yaml b/applications/base/services/rbac-manager/helmrelease.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: rbac-manager
+  namespace: rbac-system
+spec:
+  releaseName: rbac-manager
+  interval: 5m
+  timeout: 10m
+  driftDetection:
+    mode: enabled
+  install:
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+  upgrade:
+    remediation:
+      retries: 0
+      remediateLastFailure: false
+  targetNamespace: rbac-system
+  chart:
+    spec:
+      chart: rbac-manager
+      version: 1.21.1
+      sourceRef:
+        kind: HelmRepository
+        name: fairwinds-stable
+        namespace: rbac-system
+  valuesFrom:
+    - kind: Secret
+      name: rbac-manager-values-base
+      valuesKey: hardened.yaml
+    - kind: Secret
+      name: rbac-manager-values-override
+      valuesKey: override.yaml
+      optional: true
diff --git a/applications/base/services/rbac-manager/kustomization.yaml b/applications/base/services/rbac-manager/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - "namespace.yaml"
+  - "source.yaml"
+  - "helmrelease.yaml"
+secretGenerator:
+  - name: rbac-manager-values-base
+    type: Opaque
+    files: [hardened.yaml=helm-values/hardened-values-1.21.1.yaml]
+    options:
+      disableNameSuffixHash: true
diff --git a/applications/base/services/rbac-manager/namespace.yaml b/applications/base/services/rbac-manager/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: rbac-system
diff --git a/applications/base/services/rbac-manager/source.yaml b/applications/base/services/rbac-manager/source.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: fairwinds-stable
+spec:
+  url: https://charts.fairwinds.com/stable
+  interval: 1h