ClusterRole and ClusterRoleBinding creation

For a fresh installation using the default configuration:

$ helm template example -n helmgress /tmp/symkong | grep -i kind
kind: ServiceAccount
kind: ConfigMap
kind: CustomResourceDefinition
    kind: KongConsumer
kind: CustomResourceDefinition
    kind: KongCredential
kind: CustomResourceDefinition
    kind: KongPlugin
kind: CustomResourceDefinition
    kind: KongClusterPlugin
kind: CustomResourceDefinition
    kind: KongIngress
kind: CustomResourceDefinition
    kind: TCPIngress
        kind:
    kind: ""
kind: ClusterRole
kind: ClusterRoleBinding
  kind: ClusterRole
  - kind: ServiceAccount
kind: Role
kind: RoleBinding
  kind: Role
  - kind: ServiceAccount
kind: Service
kind: Deployment

I believe only the items you’ve already mentioned (CRDs and the ClusterRole* resources) will normally require special permissions (ability to create cluster-wide resources, for the most part).

CRDs can be handled via https://github.com/Kong/charts/blob/master/charts/kong/README.md#crds-only or by sending https://github.com/Kong/charts/blob/master/charts/kong/crds/custom-resource-definitions.yaml through kubectl apply: Helm 3 doesn’t manage CRDs as part of the release (it only creates them at install if needed) and we don’t have any templating in that file, so in practice it’s often easiest to have a cluster admin create the CRDs directly. They will require updates occasionally, but UPGRADE.md will indicate when that’s necessary.

The cluster RBAC resources may be a bit more difficult to work with because they are templated (mainly to reference the ServiceAccount’s name). We may want to explore reduced-permissions templates in the future to work with the single-namespace deployment model discussed in Kong Ingress Controller without ClusterRole creation, but don’t have anything like that currently.

In lieu of support in the existing templates, that’d probably require merging permissions from the ClusterRole into the Role by hand and maintaining your own fork of the chart until there’s native support for it (we don’t have a timeline, but I’ll mark it down as something to look into).
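As an added example (not from this thread or the Kong chart), a small POSIX shell helper that takes rendered chart output on stdin and reports only the top-level kinds that are cluster-scoped, so a namespace-limited installer can see up front which objects a cluster admin has to create. The sample manifest and the CLUSTER_SCOPED list are constructed assumptions, not the chart's real manifest; note that the grep above also matches nested kind: lines (roleRef.kind, spec.names.kind), which this helper deliberately ignores.

```shell
#!/bin/sh
# Classify top-level resource kinds in a rendered Helm manifest by scope.

# Constructed sample manifest mirroring the kinds seen in the helm template
# output above (assumption: not the chart's actual rendered output).
SAMPLE_MANIFEST='---
apiVersion: v1
kind: ServiceAccount
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
spec:
  names:
    kind: KongPlugin
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
roleRef:
  kind: ClusterRole
subjects:
  - kind: ServiceAccount
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
---
apiVersion: apps/v1
kind: Deployment
'

# Kinds whose objects are cluster-wide rather than namespaced. This list is an
# assumption covering what the chart renders, not an exhaustive catalogue.
CLUSTER_SCOPED='ClusterRole ClusterRoleBinding CustomResourceDefinition'

# Emit the top-level kind of every document on stdin, in manifest order.
# Only column-0 "kind:" lines count; indented ones belong to nested fields.
top_level_kinds() {
  sed -nE 's/^kind:[[:space:]]*([A-Za-z]+)[[:space:]]*$/\1/p'
}

# Emit the unique cluster-scoped kinds found on stdin, sorted.
cluster_scoped_kinds() {
  top_level_kinds | while read -r kind; do
    for c in $CLUSTER_SCOPED; do
      [ "$kind" = "$c" ] && echo "$kind"
    done
  done | sort -u
}

# Succeed (exit 0) when the manifest on stdin needs cluster-admin rights.
needs_cluster_admin() {
  [ -n "$(cluster_scoped_kinds)" ]
}
```

Pipe real output into it with `helm template example -n helmgress /tmp/symkong | cluster_scoped_kinds`; an empty result means everything can be applied with namespace-scoped RBAC alone.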