RBAC: move all rbac resources to rbac.yaml

Also have all of them collected and generated via kustomize Signed-off-by: Francesco Giudici <francesco.giudici@suse.com>
rancher · Oct 4, 2024 · 12cca50 · 12cca50
1 parent fadccc9
commit 12cca50
Show file tree

Hide file tree

Showing 6 changed files with 130 additions and 25 deletions.
diff --git a/...operator-helm/templates/cluster_role.yaml → ...emental-operator-helm/templates/rbac.yaml b/...operator-helm/templates/cluster_role.yaml → ...emental-operator-helm/templates/rbac.yaml
@@ -1,7 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: '{{ .Release.Name }}'
+  namespace: fleet-default
 rules:
 - apiGroups:
   - ""
@@ -18,14 +19,25 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - events
+  - pods
   verbs:
   - create
+  - delete
+  - get
+  - list
   - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
-  - pods
+  - pods/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
   verbs:
   - create
   - delete
@@ -37,13 +49,36 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods/log
+  - services/status
   verbs:
   - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: '{{ .Release.Name }}'
+rules:
 - apiGroups:
   - ""
   resources:
-  - pods/status
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
   verbs:
   - get
 - apiGroups:
@@ -77,15 +112,7 @@ rules:
   - delete
   - get
   - list
-  - patch
-  - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - services/status
-  verbs:
-  - get
 - apiGroups:
   - cluster.x-k8s.io
   resources:
@@ -293,3 +320,31 @@ rules:
   - delete
   - list
   - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: '{{ .Release.Name }}'
+  namespace: fleet-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: '{{ .Release.Name }}'
+  namespace: fleet-default
+subjects:
+- kind: ServiceAccount
+  name: '{{ .Release.Name }}'
+  namespace: '{{ .Release.Namespace }}'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: '{{ .Release.Name }}'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ .Release.Name }}'
+subjects:
+- kind: ServiceAccount
+  name: '{{ .Release.Name }}'
+  namespace: '{{ .Release.Namespace }}'
diff --git a/Makefile b/Makefile
@@ -266,7 +266,7 @@ build-crds: $(KUSTOMIZE)
 	$(KUSTOMIZE) build config/crd > .obs/chartfile/elemental-operator-crds-helm/templates/crds.yaml
 
 build-rbac: $(KUSTOMIZE)
-	$(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/cluster_role.yaml
+	$(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/rbac.yaml
 
 build-manifests: $(KUSTOMIZE) generate
 	$(MAKE) build-crds

diff --git a/...-helm/templates/cluster_role_binding.yaml → config/rbac/bases/cluster_role_binding.yaml b/...-helm/templates/cluster_role_binding.yaml → config/rbac/bases/cluster_role_binding.yaml
@@ -1,13 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Release.Name }}
+  name: manager-role
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Release.Name }}
+  name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: {{ .Release.Name }}
-  namespace: {{.Release.Namespace}}
+  name: manager-role
+  namespace: manager-role-namespace
 
diff --git a/config/rbac/bases/role_binding.yaml b/config/rbac/bases/role_binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-role
+  namespace: fleet-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role
+  namespace: fleet-default
+subjects:
+- kind: ServiceAccount
+  name: manager-role
+  namespace: manager-role-namespace
+
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -2,11 +2,37 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - bases/role.yaml
+- bases/role_binding.yaml
+- bases/cluster_role_binding.yaml
 
-patchesJson6902: ## this is used to patch role name so we can use in helm chart template
-  - target:
-      group: rbac.authorization.k8s.io
-      version: v1
-      kind: ClusterRole
-      name: manager-role
-    path: patches/name_in_role.yaml
+patches:
+- path: patches/name_in_role.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: manager-role
+    version: v1
+- path: patches/name_in_role.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: manager-role
+    version: v1
+- path: patches/name_in_role.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: Role
+    name: manager-role
+    version: v1
+- path: patches/name_in_rolebinding.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: manager-role
+    version: v1
+- path: patches/name_in_rolebinding.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: manager-role
+    version: v1
diff --git a/config/rbac/patches/name_in_rolebinding.yaml b/config/rbac/patches/name_in_rolebinding.yaml
@@ -0,0 +1,9 @@
+- op: replace
+  path: /metadata/name
+  value: "{{ .Release.Name }}"
+- op: replace
+  path: /subjects/0/name
+  value: "{{ .Release.Name }}"
+- op: replace
+  path: /subjects/0/namespace
+  value: "{{ .Release.Namespace }}"