diff --git a/.obs/chartfile/elemental-operator-helm/templates/cluster_role.yaml b/.obs/chartfile/elemental-operator-helm/templates/rbac.yaml similarity index 78% rename from .obs/chartfile/elemental-operator-helm/templates/cluster_role.yaml rename to .obs/chartfile/elemental-operator-helm/templates/rbac.yaml index cfbe639d6..7d08b802e 100644 --- a/.obs/chartfile/elemental-operator-helm/templates/cluster_role.yaml +++ b/.obs/chartfile/elemental-operator-helm/templates/rbac.yaml @@ -1,7 +1,8 @@ apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: name: '{{ .Release.Name }}' + namespace: fleet-default rules: - apiGroups: - "" @@ -18,14 +19,25 @@ rules: - apiGroups: - "" resources: - - events + - pods verbs: - create + - delete + - get + - list - patch + - update + - watch - apiGroups: - "" resources: - - pods + - pods/status + verbs: + - get +- apiGroups: + - "" + resources: + - services verbs: - create - delete @@ -37,13 +49,36 @@ rules: - apiGroups: - "" resources: - - pods/log + - services/status verbs: - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: '{{ .Release.Name }}' +rules: - apiGroups: - "" resources: - - pods/status + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - pods + verbs: + - create + - delete + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods/log verbs: - get - apiGroups: @@ -77,15 +112,7 @@ rules: - delete - get - list - - patch - - update - watch -- apiGroups: - - "" - resources: - - services/status - verbs: - - get - apiGroups: - cluster.x-k8s.io resources: 
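Review bot: `namespace: fleet-default` on the Role is hard-coded into a Helm template, so the chart cannot target any other namespace and Helm will not create that namespace if Fleet has not already done so; the same literal appears on the RoleBinding in the @@ -293 hunk and in config/rbac/bases/role_binding.yaml. Since this file is regenerated by `make build-rbac`, the fix belongs in the kustomize base or a patch rather than here; a chart value with a default, rendered as for example `namespace: '{{ .Values.fleetNamespace | default "fleet-default" }}'` (the value name is only an example), keeps current behaviour while allowing an override. A leading `# Generated by 'make build-rbac' from config/rbac; do not edit by hand.` comment on the generated template would also tell readers where to make changes.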
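Review bot: The namespaced Role's `pods` rule (create, delete, get, list, patch, update, watch) overlaps the ClusterRole's `pods` rule in the @@ -37 hunk, which still grants create, delete, get, list and watch cluster-wide; because the ClusterRoleBinding covers every namespace, only `patch` and `update` are actually confined to fleet-default by this split. The same appears to hold for `services`: the rule in the @@ -77 hunk keeps create, delete, get, list and watch after patch/update are removed. If the intent is to limit pod and service management to fleet-default, drop those verbs from the ClusterRole as well; if the operator genuinely needs them in other namespaces, a one-line comment above each such rule stating why would make the broader grant deliberate. The rule source is config/rbac/bases/role.yaml, which is not part of this diff.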
@@ -293,3 +320,31 @@ rules: - delete - list - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: '{{ .Release.Name }}' + namespace: fleet-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: '{{ .Release.Name }}' + namespace: fleet-default +subjects: +- kind: ServiceAccount + name: '{{ .Release.Name }}' + namespace: '{{ .Release.Namespace }}' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: '{{ .Release.Name }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ .Release.Name }}' +subjects: +- kind: ServiceAccount + name: '{{ .Release.Name }}' + namespace: '{{ .Release.Namespace }}' diff --git a/Makefile b/Makefile index a114307a5..53fb96795 100644 --- a/Makefile +++ b/Makefile @@ -266,7 +266,7 @@ build-crds: $(KUSTOMIZE) $(KUSTOMIZE) build config/crd > .obs/chartfile/elemental-operator-crds-helm/templates/crds.yaml build-rbac: $(KUSTOMIZE) - $(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/cluster_role.yaml + $(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/rbac.yaml build-manifests: $(KUSTOMIZE) generate $(MAKE) build-crds diff --git a/.obs/chartfile/elemental-operator-helm/templates/cluster_role_binding.yaml b/config/rbac/bases/cluster_role_binding.yaml similarity index 59% rename from .obs/chartfile/elemental-operator-helm/templates/cluster_role_binding.yaml rename to config/rbac/bases/cluster_role_binding.yaml index e68c7bc96..4bad5074d 100644 --- a/.obs/chartfile/elemental-operator-helm/templates/cluster_role_binding.yaml +++ b/config/rbac/bases/cluster_role_binding.yaml 
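Review bot: `roleRef.namespace: fleet-default` on the new RoleBinding is not a field of rbac.authorization.k8s.io/v1 RoleRef, which has only `apiGroup`, `kind` and `name`; under strict field validation (kubectl's default in recent releases, and Helm's OpenAPI validation unless disabled) the object is rejected, and otherwise the field is dropped with a warning. A RoleBinding can only reference a Role in its own namespace, so the line carries no information — remove it here and in config/rbac/bases/role_binding.yaml, which is where the generated template gets it from. The ClusterRoleBinding that follows does not have this problem.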
@@ -1,13 +1,13 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: {{ .Release.Name }} + name: manager-role roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: {{ .Release.Name }} + name: manager-role subjects: - kind: ServiceAccount - name: {{ .Release.Name }} - namespace: {{.Release.Namespace}} + name: manager-role + namespace: manager-role-namespace diff --git a/config/rbac/bases/role_binding.yaml b/config/rbac/bases/role_binding.yaml new file mode 100644 index 000000000..7cdcccf2c --- /dev/null +++ b/config/rbac/bases/role_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: manager-role + namespace: fleet-default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: manager-role + namespace: fleet-default +subjects: +- kind: ServiceAccount + name: manager-role + namespace: manager-role-namespace + diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml index 3b31cbd72..8750ab62c 100644 --- a/config/rbac/kustomization.yaml +++ b/config/rbac/kustomization.yaml 
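Review bot: The base now carries sentinel values (`manager-role` for the ClusterRole, ServiceAccount and binding names, `manager-role-namespace` for the subject namespace) that only become meaningful once the JSON patches in config/rbac/kustomization.yaml rewrite them, but nothing in the file says so. A header comment such as `# Placeholder names; rewritten to Helm template values by patches/name_in_role.yaml and patches/name_in_rolebinding.yaml (see kustomization.yaml).` would stop a reader from taking `manager-role-namespace` for a real namespace. The patches address `/subjects/0/...` by index, so any subject added later would keep the placeholder; the same comment can flag that.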
@@ -2,11 +2,37 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - bases/role.yaml +- bases/role_binding.yaml +- bases/cluster_role_binding.yaml -patchesJson6902: ## this is used to patch role name so we can use in helm chart template - - target: - group: rbac.authorization.k8s.io - version: v1 - kind: ClusterRole - name: manager-role - path: patches/name_in_role.yaml +patches: +- path: patches/name_in_role.yaml + target: + group: rbac.authorization.k8s.io + kind: ClusterRole + name: manager-role + version: v1 +- path: patches/name_in_role.yaml + target: + group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + name: manager-role + version: v1 +- path: patches/name_in_role.yaml + target: + group: rbac.authorization.k8s.io + kind: Role + name: manager-role + version: v1 +- path: patches/name_in_rolebinding.yaml + target: + group: rbac.authorization.k8s.io + kind: RoleBinding + name: manager-role + version: v1 +- path: patches/name_in_rolebinding.yaml + target: + group: rbac.authorization.k8s.io + kind: ClusterRoleBinding + name: manager-role + version: v1 diff --git a/config/rbac/patches/name_in_rolebinding.yaml b/config/rbac/patches/name_in_rolebinding.yaml new file mode 100644 index 000000000..88c20f2ce --- /dev/null +++ b/config/rbac/patches/name_in_rolebinding.yaml @@ -0,0 +1,9 @@ +- op: replace + path: /metadata/name + value: "{{ .Release.Name }}" +- op: replace + path: /subjects/0/name + value: "{{ .Release.Name }}" +- op: replace + path: /subjects/0/namespace + value: "{{ .Release.Namespace }}" \ No newline at end of file
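Review bot: The `## this is used to patch role name so we can use in helm chart template` explanation is dropped together with `patchesJson6902:`, leaving the new `patches:` list undocumented; keep it as `patches: ## rewrite placeholder names into Helm template values`. Separately, the ClusterRoleBinding target receives both patches/name_in_role.yaml and patches/name_in_rolebinding.yaml; the latter already replaces `/metadata/name`, so if name_in_role.yaml (not in this diff) does the same, the first ClusterRoleBinding entry is redundant and can be removed.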
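Review bot: The patch rewrites the binding's own name and the first subject but not `/roleRef/name`, so the `roleRef.name: '{{ .Release.Name }}'` seen in the generated rbac.yaml of this commit presumably comes from kustomize's implicit name-reference fixup rather than from an explicit operation. Adding `- op: replace`, `  path: /roleRef/name`, `  value: "{{ .Release.Name }}"` makes the binding's target explicit and independent of that behaviour. The file also ends without a trailing newline.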