Skip to content

Commit

Permalink
Use separate RBAC rules for master and worker
Browse files Browse the repository at this point in the history 
Signed-off-by: Carlos Eduardo Arango Gutierrez <carangog@redhat.com>
  • Loading branch information
@ArangoGutierrez
ArangoGutierrez committed Mar 11, 2021
1 parent 5aabd28 commit 0d3a15d
Show file tree
Hide file tree
Showing 23 changed files with 98 additions and 23 deletions.
2 changes: 1 addition & 1 deletion build/assets/master/0100_service_account.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: nfd-operator
name: nfd-master

2 changes: 1 addition & 1 deletion build/assets/master/0200_clusterrole.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: nfd-operator
name: nfd-master
rules:
- apiGroups:
- ""
Expand Down
8 changes: 4 additions & 4 deletions build/assets/master/0300_clusterrole_binding.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: nfd-operator
name: nfd-master
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: nfd-operator
name: nfd-master
subjects:
- kind: ServiceAccount
name: nfd-operator
namespace: node-feature-discovery-operator-devel
name: nfd-master
namespace: node-feature-discovery-operator

2 changes: 1 addition & 1 deletion build/assets/master/0400_master_daemonset.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ spec:
labels:
app: nfd-master
spec:
serviceAccount: nfd-operator
serviceAccount: nfd-master
nodeSelector:
node-role.kubernetes.io/master: ""
tolerations:
Expand Down
4 changes: 4 additions & 0 deletions build/assets/worker/01_worker_sa.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: nfd-worker
13 changes: 13 additions & 0 deletions build/assets/worker/02_worker_role.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: nfd-worker
rules:
- apiGroups:
- policy
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- nfd-worker
12 changes: 12 additions & 0 deletions build/assets/worker/03_worker_rolebinding.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: nfd-worker
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: nfd-worker
subjects:
- kind: ServiceAccount
name: nfd-worker
namespace: node-feature-discovery-operator
0 .../assets/worker/0100_worker_configmap.yaml → build/assets/worker/04_worker_cm.yaml
View file
File renamed without changes.
2 changes: 1 addition & 1 deletion .../assets/worker/0200_worker_daemonset.yaml → build/assets/worker/05_worker_ds.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ spec:
operator: Exists
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
serviceAccount: nfd-operator
serviceAccount: nfd-worker
readOnlyRootFilesystem: true
containers:
- env:
Expand Down
4 changes: 2 additions & 2 deletions config/certmanager/certificate.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,15 +5,15 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: serving-cert # this name should match the one appeared in kustomizeconfig.yaml
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
spec:
# $(SERVICE_NAME) and $(SERVICE_NAMESPACE) will be substituted by kustomize
dnsNames:
Expand Down
2 changes: 1 addition & 1 deletion config/crd/patches/webhook_in_nodefeaturediscoveries.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,6 @@ spec:
webhook:
clientConfig:
service:
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
name: webhook-service
path: /convert
2 changes: 1 addition & 1 deletion config/default/kustomization.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# Adds namespace to all resources.
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator

# Value of this field is prepended to the
# names of all resources, e.g. a deployment named
Expand Down
2 changes: 1 addition & 1 deletion config/default/manager_auth_proxy_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
spec:
template:
spec:
Expand Down
2 changes: 1 addition & 1 deletion config/default/manager_config_patch.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
spec:
template:
spec:
Expand Down
2 changes: 1 addition & 1 deletion config/manager/kustomization.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,4 +13,4 @@ kind: Kustomization
images:
- name: controller
newName: quay.io/eduardoarango/node-feature-discovery-operator
newTag: sdk
newTag: v0.2.0-11-g5aabd286-dirty
2 changes: 1 addition & 1 deletion config/manager/manager.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: controller-manager
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
labels:
control-plane: controller-manager
spec:
Expand Down
2 changes: 1 addition & 1 deletion config/prometheus/monitor.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-monitor
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
spec:
endpoints:
- path: /metrics
Expand Down
2 changes: 1 addition & 1 deletion config/rbac/auth_proxy_role_binding.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: default
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
2 changes: 1 addition & 1 deletion config/rbac/auth_proxy_service.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ metadata:
labels:
control-plane: controller-manager
name: controller-manager-metrics-service
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
spec:
ports:
- name: https
Expand Down
46 changes: 46 additions & 0 deletions config/rbac/leader_election_role.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,49 @@ rules:
verbs:
- create
- patch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- roles
- rolebindings
- clusterroles
- clusterrolebindings
verbs:
- '*'
- apiGroups:
- ""
resources:
- pods
- services
- endpoints
- persistentvolumeclaims
- events
- configmaps
- secrets
- serviceaccounts
- nodes
verbs:
- '*'
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- replicasets
- statefulsets
verbs:
- '*'
- apiGroups:
- nfd.kubernetes.io
resources:
- '*'
verbs:
- '*'
2 changes: 1 addition & 1 deletion config/rbac/leader_election_role_binding.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: default
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
2 changes: 1 addition & 1 deletion config/rbac/role_binding.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,4 +9,4 @@ roleRef:
subjects:
- kind: ServiceAccount
name: default
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
4 changes: 2 additions & 2 deletions config/samples/nfd.kubernetes.io_v1_nodefeaturediscovery.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2,10 +2,10 @@ apiVersion: nfd.kubernetes.io/v1
kind: NodeFeatureDiscovery
metadata:
name: nfd-master-server
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
spec:
operand:
namespace: node-feature-discovery-operator-devel
namespace: node-feature-discovery-operator
image: quay.io/openshift/origin-node-feature-discovery:4.7
imagePullPolicy: Always
workerConfig:
Expand Down

0 comments on commit 0d3a15d

Please sign in to comment.