From 2a230996cb143e5e604ae05c4c34164f347b1338 Mon Sep 17 00:00:00 2001 From: Kishor Joshi Date: Mon, 10 Jul 2023 13:45:09 -0700 Subject: [PATCH] controller manifest for kustomize (#13) * controller manifest for kustomize modify resource names to amazon-network-policy-controller-k8s * pass go runner image as arg --- Dockerfile | 37 ++++--- Makefile | 27 +++-- config/controller/controller.yaml | 40 +++++++ config/controller/kustomization.yaml | 8 ++ config/crd/kustomization.yaml | 2 +- config/default/kustomization.yaml | 49 +++++---- config/default/manager_auth_proxy_patch.yaml | 6 +- config/default/manager_config_patch.yaml | 4 +- config/manager/kustomization.yaml | 2 - config/manager/manager.yaml | 102 ------------------ config/prometheus/monitor.yaml | 8 +- config/rbac/auth_proxy_role_binding.yaml | 2 +- config/rbac/auth_proxy_service.yaml | 8 +- config/rbac/kustomization.yaml | 10 +- config/rbac/leader_election_role.yaml | 56 +++++----- config/rbac/leader_election_role_binding.yaml | 7 +- config/rbac/role.yaml | 20 +++- config/rbac/role_binding.yaml | 28 ++++- config/rbac/service_account.yaml | 7 +- 19 files changed, 198 insertions(+), 225 deletions(-) create mode 100644 config/controller/controller.yaml create mode 100644 config/controller/kustomization.yaml delete mode 100644 config/manager/kustomization.yaml delete mode 100644 config/manager/manager.yaml diff --git a/Dockerfile b/Dockerfile index ef4cfaf..dc36920 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,13 @@ -# Build the manager binary -FROM golang:1.19 as builder -ARG TARGETOS -ARG TARGETARCH +ARG BASE_IMAGE +ARG BUILD_IMAGE +ARG GO_RUNNER_IMAGE +ARG ARCH=amd64 +# Build the controller binary +FROM $BUILD_IMAGE as builder WORKDIR /workspace +ENV GOPROXY direct + # Copy the Go Modules manifests COPY go.mod go.mod COPY go.sum go.sum 
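Review bot: `BASE_IMAGE`, `BUILD_IMAGE` and `GO_RUNNER_IMAGE` are declared with no default, so a plain `docker build .` now fails at `FROM $BUILD_IMAGE` with an empty image reference, and the Dockerfile itself no longer records which images the build expects; giving them the Makefile's values as defaults (`ARG BUILD_IMAGE=public.ecr.aws/docker/library/golang:1.20.5`, and likewise for the other two) keeps the file self-contained and documents the provenance of the runtime base. Pinning those defaults by digest rather than by tag (`image:tag@sha256:<digest>`) would make the produced image reproducible and auditable. `ENV GOPROXY direct` uses the deprecated space-separated form; write `ENV GOPROXY=direct`. Replacing `ARG TARGETOS`/`ARG TARGETARCH` with a fixed `ARG ARCH=amd64` means a `--platform` multi-arch build compiles an amd64 binary for every platform unless `ARCH` is passed explicitly; `ARG TARGETARCH` with `GOARCH=$TARGETARCH` in the build step keeps the binary matched to the image platform automatically.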
@@ -12,22 +16,27 @@ COPY go.sum go.sum RUN go mod download # Copy the go source +COPY .git/ .git/ COPY cmd/main.go cmd/main.go COPY api/ api/ +COPY pkg/ pkg/ COPY internal/controller/ internal/controller/ +# Version package for passing the ldflags +# TODO: change this to network controller's version +ENV VERSION_PKG=https://github.com/aws/amazon-network-policy-controller-k8s/pkg/version # Build -# the GOARCH has not a default value to allow the binary be built according to the host where the command -# was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO -# the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore, -# by leaving it empty we can ensure that the container and binary shipped on it will have the same platform. -RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/main.go +RUN GIT_VERSION=$(git describe --tags --always) && \ + GIT_COMMIT=$(git rev-parse HEAD) && \ + BUILD_DATE=$(date +%Y-%m-%dT%H:%M:%S%z) && \ + CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} GO111MODULE=on go build \ + -ldflags="-X ${VERSION_PKG}.GitVersion=${GIT_VERSION} -X ${VERSION_PKG}.GitCommit=${GIT_COMMIT} -X ${VERSION_PKG}.BuildDate=${BUILD_DATE}" -a -o controller main.go + +FROM $BASE_IMAGE -# Use distroless as minimal base image to package the manager binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details -FROM gcr.io/distroless/static:nonroot WORKDIR / -COPY --from=builder /workspace/manager . +COPY --from=$GO_RUNNER_IMAGE /go-runner /usr/local/bin/go-runner +COPY --from=builder /workspace/controller . USER 65532:65532 -ENTRYPOINT ["/manager"] +ENTRYPOINT ["/controller"] diff --git a/Makefile b/Makefile index 740a89d..689ec3e 100644 --- a/Makefile +++ b/Makefile 
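Review bot: The build step compiles `main.go` from the workspace root, but the only main source copied into the stage is `cmd/main.go`, so `go build` has nothing to compile unless a root `main.go` exists that is not copied here; the last argument should be `cmd/main.go` (or `./cmd`), as the Makefile's `build` target uses. The `-X` targets are built from `VERSION_PKG=https://github.com/aws/amazon-network-policy-controller-k8s/pkg/version`, which is a URL rather than a Go import path, so the linker most likely finds no such symbols and `GitVersion`, `GitCommit` and `BuildDate` stay unset; drop the `https://` prefix. `COPY .git/ .git/` pulls the whole repository history and `.git/config` (which can carry remote URLs with embedded credentials) into the builder stage's layers — and into any exported build cache — purely to run `git describe`; passing `GIT_VERSION`, `GIT_COMMIT` and `BUILD_DATE` as `--build-arg`s from the Makefile (which already computes `BUILD_DATE` for the `image-push` target) avoids that and keeps the dependency layers cache-stable. `GO_RUNNER_IMAGE` is declared only before the first `FROM`, so `COPY --from=$GO_RUNNER_IMAGE` in the final stage expands to an empty value; redeclare it with `ARG GO_RUNNER_IMAGE` right after `FROM $BASE_IMAGE`.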
@@ -57,14 +57,13 @@ help: ## Display this help. .PHONY: manifests manifests: controller-gen ## Generate WebhookConfiguration, ClusterRole and CustomResourceDefinition objects. - $(CONTROLLER_GEN) rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases + $(CONTROLLER_GEN) rbac:roleName=controller-k8s crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases .PHONY: generate generate: controller-gen mockgen ## Generate code containing DeepCopy, DeepCopyInto, and DeepCopyObject method implementations. $(CONTROLLER_GEN) object:headerFile="hack/boilerplate.go.txt" paths="./..." MOCKGEN=$(MOCKGEN) ./scripts/gen_mocks.sh - .PHONY: fmt fmt: ## Run go fmt against code. go fmt ./... @@ -80,8 +79,8 @@ test: manifests generate fmt vet envtest ## Run tests. ##@ Build .PHONY: build -build: manifests generate fmt vet ## Build manager binary. - go build -o bin/manager cmd/main.go +build: manifests generate fmt vet ## Build controller binary. + go build -o bin/controller cmd/main.go .PHONY: run run: manifests generate fmt vet ## Run a controller from your host. @@ -98,16 +97,6 @@ image-push: ko BUILD_DATE=$(shell date +%Y-%m-%dT%H:%M:%S%z) \ $(KO) build --tags $(word 2,$(subst :, ,${IMG})) --platform=${PLATFORM} --bare --sbom ${IMG_SBOM} ./cmd -.PHONY: docker-buildx -docker-buildx: test ## Build and push docker image for the manager for cross-platform support - # copy existing Dockerfile and insert --platform=${BUILDPLATFORM} into Dockerfile.cross, and preserve the original Dockerfile - sed -e '1 s/\(^FROM\)/FROM --platform=\$$\{BUILDPLATFORM\}/; t' -e ' 1,// s//FROM --platform=\$$\{BUILDPLATFORM\}/' Dockerfile > Dockerfile.cross - - docker buildx create --name project-v3-builder - docker buildx use project-v3-builder - - docker buildx build --push --platform=$(PLATFORMS) --tag ${IMG} -f Dockerfile.cross . - - docker buildx rm project-v3-builder - rm Dockerfile.cross - ##@ Deployment ifndef ignore-not-found 
@@ -124,7 +113,7 @@ uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified .PHONY: deploy deploy: manifests kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config. - cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG} + cd config/controller && $(KUSTOMIZE) edit set image controller=${IMG} $(KUSTOMIZE) build config/default | kubectl apply -f - .PHONY: undeploy @@ -179,3 +168,11 @@ $(KO): $(LOCALBIN) mockgen: $(MOCKGEN) $(MOCKGEN): $(LOCALBIN) test -s $(MOCKGEN) || GOBIN=$(LOCALBIN) go install github.com/golang/mock/mockgen@v1.6.0 + +GOARCH=amd64 +BUILD_IMAGE=public.ecr.aws/docker/library/golang:1.20.5 +BASE_IMAGE=public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:latest.2 +GO_RUNNER_IMAGE=public.ecr.aws/eks-distro/kubernetes/go-runner:v0.15.0-eks-1-27-3 +.PHONY: docker-buildx +docker-buildx: test + docker buildx build --platform=$(PLATFORMS) -t $(IMG)-$(GOARCH) --build-arg BASE_IMAGE=$(BASE_IMAGE) --build-arg BUILD_IMAGE=$(BUILD_IMAGE) --build-arg $(GOARCH) --load . diff --git a/config/controller/controller.yaml b/config/controller/controller.yaml new file mode 100644 index 0000000..aec76bf --- /dev/null +++ b/config/controller/controller.yaml 
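Review bot: The `docker-buildx` recipe passes `--build-arg $(GOARCH)`, which expands to `--build-arg amd64` — a bare name with no `KEY=` — so the Dockerfile's `ARCH` is never set and falls back to its default; it should read `--build-arg ARCH=$(GOARCH)`. The recipe also never passes `GO_RUNNER_IMAGE`, even though the variable is defined two lines above and the Dockerfile's final stage does `COPY --from=$GO_RUNNER_IMAGE`; add `--build-arg GO_RUNNER_IMAGE=$(GO_RUNNER_IMAGE)`. `BASE_IMAGE` and `GO_RUNNER_IMAGE` are pinned by mutable tag only (`latest.2` in particular floats); pinning them as `image:tag@sha256:<digest>` makes the runtime image reproducible and lets a reviewer verify exactly what was shipped. Combining `--platform=$(PLATFORMS)` with `--load` only works when `PLATFORMS` names a single platform, since the local image store cannot load a multi-platform manifest; `PLATFORMS` is defined outside this hunk, so worth confirming.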
@@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: controller-k8s + labels: + app.kubernetes.io/component: controller +spec: + selector: + matchLabels: + app.kubernetes.io/component: controller + replicas: 1 + template: + metadata: + annotations: + kubectl.kubernetes.io/default-container: controller + labels: + app.kubernetes.io/component: controller + spec: + containers: + - image: controller:latest + name: controller + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + serviceAccountName: controller-k8s + terminationGracePeriodSeconds: 10 \ No newline at end of file diff --git a/config/controller/kustomization.yaml b/config/controller/kustomization.yaml new file mode 100644 index 0000000..67a62e4 --- /dev/null +++ b/config/controller/kustomization.yaml @@ -0,0 +1,8 @@ +resources: +- controller.yaml +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +images: +- name: controller + newName: public.ecr.aws/eks/amazon-network-policy-controller-k8s + newTag: v0.5.0 diff --git a/config/crd/kustomization.yaml b/config/crd/kustomization.yaml index 82af5cd..ce55337 100644 --- a/config/crd/kustomization.yaml +++ b/config/crd/kustomization.yaml @@ -11,7 +11,7 @@ patchesStrategicMerge: #- patches/webhook_in_policyendpoints.yaml #+kubebuilder:scaffold:crdkustomizewebhookpatch -# [CERTMANAGER] To enable cert-manager, uncomment all the sections with [CERTMANAGER] prefix. +# [CERTMANAGER] To enable cert-controller, uncomment all the sections with [CERTMANAGER] prefix. # patches here are for enabling the CA injection for each CRD #- patches/cainjection_in_policyendpoints.yaml #+kubebuilder:scaffold:crdkustomizecainjectionpatch 
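Review bot: The new Deployment drops the pod-level `securityContext` that the deleted `config/manager/manager.yaml` carried (`runAsNonRoot: true`, plus the commented `seccompProfile: RuntimeDefault`), keeping only the container-level `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`. The image's `USER 65532:65532` makes the process non-root in practice, but `runAsNonRoot: true` is what lets the kubelet and Pod Security admission enforce it regardless of which image the kustomize `images` transform substitutes; add under the pod `spec:` the block `securityContext: {runAsNonRoot: true, seccompProfile: {type: RuntimeDefault}}`. The `resources` requests/limits were dropped as well, which in `kube-system` leaves the controller unbounded; restoring at least requests keeps scheduling predictable. `readOnlyRootFilesystem: true` on the container would be a cheap further hardening if the controller writes nothing to disk — that depends on code outside this diff.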
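Review bot: The comment edit turns `cert-manager` into `cert-controller`, which looks like a global `manager`→`controller` substitution rather than an intended rename: cert-manager is the product's name and nothing called cert-controller exists. The same substitution reaches (commented-out) configuration in `config/default/kustomization.yaml`, where `group: cert-manager.io` becomes `group: cert-controller.io` and the annotation key becomes `cert-controller.io/inject-ca-from`; anyone uncommenting the `[CERTMANAGER]` sections would get an API group and annotation the cert-manager CA injector does not recognise, and the webhook would silently run without an injected CA. Revert to `cert-manager` here and to `cert-manager`/`cert-manager.io` at every occurrence in the `config/default/kustomization.yaml` hunks.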
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml index e09c690..44c0d26 100644 --- a/config/default/kustomization.yaml +++ b/config/default/kustomization.yaml @@ -1,36 +1,35 @@ # Adds namespace to all resources. -namespace: amazon-network-policy-controller-k8s-system +namespace: kube-system # Value of this field is prepended to the # names of all resources, e.g. a deployment named # "wordpress" becomes "alices-wordpress". # Note that it should also match with the prefix (text before '-') of the namespace # field above. -namePrefix: amazon-network-policy-controller-k8s- +namePrefix: amazon-network-policy- # Labels to add to all resources and selectors. -#labels: -#- includeSelectors: true -# pairs: -# someName: someValue +# Labels to add to all resources and selectors. +commonLabels: + app.kubernetes.io/name: amazon-network-policy-controller-k8s resources: - ../crd - ../rbac -- ../manager +- ../controller # [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in # crd/kustomization.yaml #- ../webhook -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. +# [CERTMANAGER] To enable cert-controller, uncomment all sections with 'CERTMANAGER'. 'WEBHOOK' components are required. #- ../certmanager # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'. #- ../prometheus patchesStrategicMerge: # Protect the /metrics endpoint by putting it behind auth. -# If you want your controller-manager to expose the /metrics +# If you want your controller-controller to expose the /metrics # endpoint w/o any authn/z, please comment the following line. -- manager_auth_proxy_patch.yaml +# - manager_auth_proxy_patch.yaml 
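Review bot: Commenting out `manager_auth_proxy_patch.yaml` removes the kube-rbac-proxy sidecar and, with it, the `--metrics-bind-address=127.0.0.1:8080` argument that patch supplied, while the new `config/controller/controller.yaml` passes no `args` at all; if `cmd/main.go` keeps the kubebuilder default, the metrics server now listens unauthenticated on `:8080` across the pod network, in `kube-system` — exactly the trade the comment two lines above warns about. Either add `--metrics-bind-address=127.0.0.1:8080` (or `0` to disable) to the controller Deployment's args, or keep the proxy. `commonLabels` also injects `app.kubernetes.io/name` into selectors, so a Deployment from the previous layout cannot be updated in place (selectors are immutable) — expected here since namespace and names change too, but worth stating in the PR description. The comment text `controller-controller` is a leftover from the mechanical rename and should read `controller`.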
@@ -38,17 +37,17 @@ patchesStrategicMerge: # crd/kustomization.yaml #- manager_webhook_patch.yaml -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'. +# [CERTMANAGER] To enable cert-controller, uncomment all sections with 'CERTMANAGER'. # Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks. # 'CERTMANAGER' needs to be enabled to use ca injection #- webhookcainjection_patch.yaml -# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix. -# Uncomment the following replacements to add the cert-manager CA injection annotations +# [CERTMANAGER] To enable cert-controller, uncomment all sections with 'CERTMANAGER' prefix. +# Uncomment the following replacements to add the cert-controller CA injection annotations #replacements: -# - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs +# - source: # Add cert-controller annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs # kind: Certificate -# group: cert-manager.io +# group: cert-controller.io # version: v1 # name: serving-cert # this name should match the one in certificate.yaml # fieldPath: .metadata.namespace # namespace of the certificate CR @@ -56,7 +55,7 @@ patchesStrategicMerge: # - select: # kind: ValidatingWebhookConfiguration # fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# - .metadata.annotations.[cert-controller.io/inject-ca-from] # options: # delimiter: '/' # index: 0 @@ -64,7 +63,7 @@ patchesStrategicMerge: # - select: # kind: MutatingWebhookConfiguration # fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# - .metadata.annotations.[cert-controller.io/inject-ca-from] # options: # delimiter: '/' # index: 0 
@@ -72,14 +71,14 @@ patchesStrategicMerge: # - select: # kind: CustomResourceDefinition # fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# - .metadata.annotations.[cert-controller.io/inject-ca-from] # options: # delimiter: '/' # index: 0 # create: true # - source: # kind: Certificate -# group: cert-manager.io +# group: cert-controller.io # version: v1 # name: serving-cert # this name should match the one in certificate.yaml # fieldPath: .metadata.name @@ -87,7 +86,7 @@ patchesStrategicMerge: # - select: # kind: ValidatingWebhookConfiguration # fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# - .metadata.annotations.[cert-controller.io/inject-ca-from] # options: # delimiter: '/' # index: 1 @@ -95,7 +94,7 @@ patchesStrategicMerge: # - select: # kind: MutatingWebhookConfiguration # fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# - .metadata.annotations.[cert-controller.io/inject-ca-from] # options: # delimiter: '/' # index: 1 @@ -103,12 +102,12 @@ patchesStrategicMerge: # - select: # kind: CustomResourceDefinition # fieldPaths: -# - .metadata.annotations.[cert-manager.io/inject-ca-from] +# - .metadata.annotations.[cert-controller.io/inject-ca-from] # options: # delimiter: '/' # index: 1 # create: true -# - source: # Add cert-manager annotation to the webhook Service +# - source: # Add cert-controller annotation to the webhook Service # kind: Service # version: v1 # name: webhook-service @@ -116,7 +115,7 @@ patchesStrategicMerge: # targets: # - select: # kind: Certificate -# group: cert-manager.io +# group: cert-controller.io # version: v1 # fieldPaths: # - .spec.dnsNames.0 @@ -133,7 +132,7 @@ patchesStrategicMerge: # targets: # - select: # kind: Certificate -# group: cert-manager.io +# group: cert-controller.io # version: v1 # fieldPaths: # - .spec.dnsNames.0 
diff --git a/config/default/manager_auth_proxy_patch.yaml b/config/default/manager_auth_proxy_patch.yaml index b751266..83220d7 100644 --- a/config/default/manager_auth_proxy_patch.yaml +++ b/config/default/manager_auth_proxy_patch.yaml @@ -1,9 +1,9 @@ # This patch inject a sidecar container which is a HTTP proxy for the -# controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. +# controller controller, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews. apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller-controller namespace: system spec: template: @@ -48,7 +48,7 @@ spec: requests: cpu: 5m memory: 64Mi - - name: manager + - name: controller args: - "--health-probe-bind-address=:8081" - "--metrics-bind-address=127.0.0.1:8080" diff --git a/config/default/manager_config_patch.yaml b/config/default/manager_config_patch.yaml index f6f5891..f60f8be 100644 --- a/config/default/manager_config_patch.yaml +++ b/config/default/manager_config_patch.yaml @@ -1,10 +1,10 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager + name: controller-controller namespace: system spec: template: spec: containers: - - name: manager + - name: controller diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml deleted file mode 100644 index 5c5f0b8..0000000 --- a/config/manager/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -resources: -- manager.yaml diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml deleted file mode 100644 index 99abffe..0000000 --- a/config/manager/manager.yaml +++ /dev/null 
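Review bot: Both patches now target `name: controller-controller`, but the Deployment they are meant to patch is `controller-k8s` in `config/controller/controller.yaml` (`amazon-network-policy-controller-k8s` after the namePrefix), so kustomize will reject the build with a no-matching-target error as soon as either `manager_auth_proxy_patch.yaml` or `manager_config_patch.yaml` is re-enabled in `config/default/kustomization.yaml`. Change `name: controller-controller` to `name: controller-k8s` in both files (this file's first hunk and the `manager_config_patch.yaml` hunk). The header sentence `controller controller, it performs RBAC authorization` is the same search-and-replace artefact; `controller, it performs RBAC authorization …` reads correctly.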
@@ -1,102 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: namespace - app.kubernetes.io/instance: system - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: amazon-network-policy-controller-k8s - app.kubernetes.io/part-of: amazon-network-policy-controller-k8s - app.kubernetes.io/managed-by: kustomize - name: system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: controller-manager - namespace: system - labels: - control-plane: controller-manager - app.kubernetes.io/name: deployment - app.kubernetes.io/instance: controller-manager - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: amazon-network-policy-controller-k8s - app.kubernetes.io/part-of: amazon-network-policy-controller-k8s - app.kubernetes.io/managed-by: kustomize -spec: - selector: - matchLabels: - control-plane: controller-manager - replicas: 1 - template: - metadata: - annotations: - kubectl.kubernetes.io/default-container: manager - labels: - control-plane: controller-manager - spec: - # TODO(user): Uncomment the following code to configure the nodeAffinity expression - # according to the platforms which are supported by your solution. - # It is considered best practice to support multiple architectures. You can - # build your manager image using the makefile target docker-buildx. - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/arch - # operator: In - # values: - # - amd64 - # - arm64 - # - ppc64le - # - s390x - # - key: kubernetes.io/os - # operator: In - # values: - # - linux - securityContext: - runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. 
- # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). - # seccompProfile: - # type: RuntimeDefault - containers: - - command: - - /manager - args: - - --leader-elect - image: controller:latest - name: manager - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - # TODO(user): Configure the resources accordingly based on the project requirements. - # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - resources: - limits: - cpu: 500m - memory: 128Mi - requests: - cpu: 10m - memory: 64Mi - serviceAccountName: controller-manager - terminationGracePeriodSeconds: 10 diff --git a/config/prometheus/monitor.yaml b/config/prometheus/monitor.yaml index 0ef3493..746bd1c 100644 --- a/config/prometheus/monitor.yaml +++ b/config/prometheus/monitor.yaml @@ -4,14 +4,14 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: labels: - control-plane: controller-manager + control-plane: controller-controller app.kubernetes.io/name: servicemonitor - app.kubernetes.io/instance: controller-manager-metrics-monitor + app.kubernetes.io/instance: controller-controller-metrics-monitor app.kubernetes.io/component: metrics app.kubernetes.io/created-by: amazon-network-policy-controller-k8s app.kubernetes.io/part-of: amazon-network-policy-controller-k8s app.kubernetes.io/managed-by: kustomize - name: controller-manager-metrics-monitor + name: controller-controller-metrics-monitor namespace: system spec: endpoints: 
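Review bot: The ServiceMonitor's `selector.matchLabels` becomes `control-plane: controller-controller`, but the new Deployment in `config/controller/controller.yaml` sets no `control-plane` label at all (its pods carry `app.kubernetes.io/component: controller`), and the metrics Service in `config/rbac/auth_proxy_service.yaml` selects pods the same way, so neither object would match anything if the `[PROMETHEUS]` or auth-proxy sections are re-enabled. Select on a label the pod template actually sets — `app.kubernetes.io/component: controller` here (both hunks of this file) and in the Service's `spec.selector` — or add a `control-plane` label to the pod template. `auth_proxy_role_binding.yaml`'s subject `name: controller-controller` likewise should be `controller-k8s` to match `service_account.yaml`.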
@@ -23,4 +23,4 @@ spec: insecureSkipVerify: true selector: matchLabels: - control-plane: controller-manager + control-plane: controller-controller diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml index 46e9c5a..f6cc277 100644 --- a/config/rbac/auth_proxy_role_binding.yaml +++ b/config/rbac/auth_proxy_role_binding.yaml @@ -15,5 +15,5 @@ roleRef: name: proxy-role subjects: - kind: ServiceAccount - name: controller-manager + name: controller-controller namespace: system diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml index b27cada..104b242 100644 --- a/config/rbac/auth_proxy_service.yaml +++ b/config/rbac/auth_proxy_service.yaml @@ -2,14 +2,14 @@ apiVersion: v1 kind: Service metadata: labels: - control-plane: controller-manager + control-plane: controller-controller app.kubernetes.io/name: service - app.kubernetes.io/instance: controller-manager-metrics-service + app.kubernetes.io/instance: controller-controller-metrics-service app.kubernetes.io/component: kube-rbac-proxy app.kubernetes.io/created-by: amazon-network-policy-controller-k8s app.kubernetes.io/part-of: amazon-network-policy-controller-k8s app.kubernetes.io/managed-by: kustomize - name: controller-manager-metrics-service + name: controller-controller-metrics-service namespace: system spec: ports: @@ -18,4 +18,4 @@ spec: protocol: TCP targetPort: https selector: - control-plane: controller-manager + control-plane: controller-controller diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 731832a..25059eb 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
@@ -1,7 +1,7 @@ resources: # All RBAC will be applied under this service account in # the deployment namespace. You may comment out this resource -# if your manager will use a service account that exists at +# if your controller will use a service account that exists at # runtime. Be sure to update RoleBinding and ClusterRoleBinding # subjects if changing service account names. - service_account.yaml @@ -12,7 +12,7 @@ resources: # Comment the following 4 lines if you want to disable # the auth proxy (https://github.com/brancz/kube-rbac-proxy) # which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml +# - auth_proxy_service.yaml +# - auth_proxy_role.yaml +# - auth_proxy_role_binding.yaml +# - auth_proxy_client_clusterrole.yaml diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml index 5608ec1..0827273 100644 --- a/config/rbac/leader_election_role.yaml +++ b/config/rbac/leader_election_role.yaml 
@@ -9,36 +9,28 @@ metadata: app.kubernetes.io/created-by: amazon-network-policy-controller-k8s app.kubernetes.io/part-of: amazon-network-policy-controller-k8s app.kubernetes.io/managed-by: kustomize - name: leader-election-role + name: controller-k8s-leader-election-role rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - amazon-network-policy-controller-k8s + verbs: + - get + - update + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch \ No newline at end of file diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml index c2cfc4a..20c95ae 100644 --- a/config/rbac/leader_election_role_binding.yaml +++ b/config/rbac/leader_election_role_binding.yaml @@ -12,8 +12,7 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: leader-election-role + name: controller-k8s-leader-election-role subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system + - kind: ServiceAccount + name: controller-k8s \ No newline at end of file diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml index 966b932..5008fef 100644 --- a/config/rbac/role.yaml +++ b/config/rbac/role.yaml @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: creationTimestamp: null - name: manager-role + name: controller-k8s rules: - apiGroups: - "" 
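Review bot: Restricting `get`/`update`/`patch` on leases to `resourceNames: [amazon-network-policy-controller-k8s]` is the right direction, but it only works if that string equals the `LeaderElectionID` the manager is started with in `cmd/main.go` (outside this diff; the kubebuilder scaffold generates a random `<id>.<domain>` value) — otherwise the first renewal fails with a 403 and the controller exits — so please confirm the ID and document the coupling: `# must match LeaderElectionID in cmd/main.go`. The new `config/controller/controller.yaml` no longer passes `--leader-elect`, so unless main.go defaults it on, these grants are unused with the single replica; keeping the flag and the rules in sync avoids carrying dead permissions. The RoleBinding hunk drops `namespace: system` from the ServiceAccount subject; the API server requires `subjects[].namespace` for ServiceAccount subjects, so this relies on kustomize's namespace transformer filling it in — verify the rendered output of `kustomize build config/default` before merging.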
@@ -65,3 +65,21 @@ rules: - patch - update - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: controller-k8s + namespace: system +rules: +- apiGroups: + - "" + resourceNames: + - amazon-vpc-cni + resources: + - configmaps + verbs: + - get + - list + - watch diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml index ace38da..503784c 100644 --- a/config/rbac/role_binding.yaml +++ b/config/rbac/role_binding.yaml @@ -3,17 +3,35 @@ kind: ClusterRoleBinding metadata: labels: app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: manager-rolebinding + app.kubernetes.io/instance: controller-rolebinding app.kubernetes.io/component: rbac app.kubernetes.io/created-by: amazon-network-policy-controller-k8s app.kubernetes.io/part-of: amazon-network-policy-controller-k8s app.kubernetes.io/managed-by: kustomize - name: manager-rolebinding + name: controller-k8s-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: manager-role + name: controller-k8s subjects: - kind: ServiceAccount - name: controller-manager - namespace: system + name: controller-k8s +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rolebinding + app.kubernetes.io/instance: configmap-rolebinding + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: amazon-network-policy-controller-k8s + app.kubernetes.io/part-of: amazon-network-policy-controller-k8s + app.kubernetes.io/managed-by: kustomize + name: controller-k8s-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: controller-k8s +subjects: + - kind: ServiceAccount + name: controller-k8s diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml index 6829c7a..34e1e45 100644 --- a/config/rbac/service_account.yaml +++ b/config/rbac/service_account.yaml 
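Review bot: The new namespaced Role grants `list` and `watch` on `configmaps` restricted by `resourceNames: [amazon-vpc-cni]`; for those two verbs the RBAC authorizer honours `resourceNames` only when the request carries a `metadata.name=amazon-vpc-cni` field selector, so an ordinary controller-runtime informer on ConfigMaps (no field selector) will be denied. Either configure the manager cache with a `metadata.name` field selector for that ConfigMap, or, if the code only reads it directly, keep just `get`. A comment such as `# list/watch here require a metadata.name field selector on the client side` would stop the next maintainer from reading this as a general ConfigMap grant. The role_binding hunk names both the ClusterRoleBinding and the RoleBinding `controller-k8s-rolebinding`; different kinds, so no collision, but a distinct name such as `controller-k8s-configmap-rolebinding` makes `kubectl` output and audit logs less ambiguous.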
@@ -3,10 +3,7 @@ kind: ServiceAccount metadata: labels: app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: controller-manager-sa + app.kubernetes.io/instance: controller app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: amazon-network-policy-controller-k8s app.kubernetes.io/part-of: amazon-network-policy-controller-k8s - app.kubernetes.io/managed-by: kustomize - name: controller-manager - namespace: system + name: controller-k8s