From 1b581d6f513c62e8af53eed3666ef803614dfeab Mon Sep 17 00:00:00 2001 From: Stefan Prodan Date: Tue, 26 Jan 2021 00:46:07 +0200 Subject: [PATCH] Add dedicated service accounts per controller Signed-off-by: Stefan Prodan --- manifests/bases/helm-controller/account.yaml | 4 ++ .../bases/helm-controller/kustomization.yaml | 1 + manifests/bases/helm-controller/patch.yaml | 3 ++ .../image-automation-controller/account.yaml | 4 ++ .../kustomization.yaml | 1 + .../image-automation-controller/patch.yaml | 3 ++ .../image-reflector-controller/account.yaml | 4 ++ .../kustomization.yaml | 1 + .../image-reflector-controller/patch.yaml | 3 ++ .../bases/kustomize-controller/account.yaml | 4 ++ .../kustomize-controller/kustomization.yaml | 1 + .../bases/kustomize-controller/patch.yaml | 3 ++ .../notification-controller/account.yaml | 4 ++ .../kustomization.yaml | 8 ++++ .../bases/notification-controller/patch.yaml | 3 ++ .../bases/source-controller/account.yaml | 4 ++ .../source-controller/kustomization.yaml | 1 + manifests/bases/source-controller/patch.yaml | 3 ++ manifests/rbac/{role.yaml => controller.yaml} | 43 +++++++++++++++---- manifests/rbac/kustomization.yaml | 4 +- .../{cluster-role.yaml => reconciler.yaml} | 5 ++- 21 files changed, 95 insertions(+), 12 deletions(-) create mode 100644 manifests/bases/helm-controller/account.yaml create mode 100644 manifests/bases/image-automation-controller/account.yaml create mode 100644 manifests/bases/image-reflector-controller/account.yaml create mode 100644 manifests/bases/kustomize-controller/account.yaml create mode 100644 manifests/bases/notification-controller/account.yaml create mode 100644 manifests/bases/notification-controller/patch.yaml create mode 100644 manifests/bases/source-controller/account.yaml rename manifests/rbac/{role.yaml => controller.yaml} (59%) rename manifests/rbac/{cluster-role.yaml => reconciler.yaml} (73%) 
diff --git a/manifests/bases/helm-controller/account.yaml b/manifests/bases/helm-controller/account.yaml
new file mode 100644
index 00000000..976c5dcb
--- /dev/null
+++ b/manifests/bases/helm-controller/account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: helm-controller
diff --git a/manifests/bases/helm-controller/kustomization.yaml b/manifests/bases/helm-controller/kustomization.yaml
index f65ffd0f..60a5b4a1 100644
--- a/manifests/bases/helm-controller/kustomization.yaml
+++ b/manifests/bases/helm-controller/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
resources: - https://github.com/fluxcd/helm-controller/archive/v0.6.0.zip//helm-controller-0.6.0/config/crd - https://github.com/fluxcd/helm-controller/archive/v0.6.0.zip//helm-controller-0.6.0/config/manager
+- account.yaml
patchesJson6902: - target: group: apps
diff --git a/manifests/bases/helm-controller/patch.yaml b/manifests/bases/helm-controller/patch.yaml
index e5ee6192..59ea939b 100644
--- a/manifests/bases/helm-controller/patch.yaml
+++ b/manifests/bases/helm-controller/patch.yaml
@@ -1,3 +1,6 @@
- op: add path: /spec/template/spec/containers/0/args/0 value: --events-addr=http://notification-controller/
+- op: add
+ path: /spec/template/spec/serviceAccountName
+ value: helm-controller
diff --git a/manifests/bases/image-automation-controller/account.yaml b/manifests/bases/image-automation-controller/account.yaml
new file mode 100644
index 00000000..3a70877f
--- /dev/null
+++ b/manifests/bases/image-automation-controller/account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: image-automation-controller
diff --git a/manifests/bases/image-automation-controller/kustomization.yaml b/manifests/bases/image-automation-controller/kustomization.yaml
index 12803d42..a04677e0 100644
--- a/manifests/bases/image-automation-controller/kustomization.yaml
+++ b/manifests/bases/image-automation-controller/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
resources: - https://github.com/fluxcd/image-automation-controller/archive/v0.4.0.zip//image-automation-controller-0.4.0/config/crd - https://github.com/fluxcd/image-automation-controller/archive/v0.4.0.zip//image-automation-controller-0.4.0/config/manager
+- account.yaml
patchesJson6902: - target: group: apps
diff --git a/manifests/bases/image-automation-controller/patch.yaml b/manifests/bases/image-automation-controller/patch.yaml
index e5ee6192..4015f0f8 100644
--- a/manifests/bases/image-automation-controller/patch.yaml
+++ b/manifests/bases/image-automation-controller/patch.yaml
@@ -1,3 +1,6 @@
- op: add path: /spec/template/spec/containers/0/args/0 value: --events-addr=http://notification-controller/
+- op: add
+ path: /spec/template/spec/serviceAccountName
+ value: image-automation-controller
diff --git a/manifests/bases/image-reflector-controller/account.yaml b/manifests/bases/image-reflector-controller/account.yaml
new file mode 100644
index 00000000..ce154341
--- /dev/null
+++ b/manifests/bases/image-reflector-controller/account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: image-reflector-controller
diff --git a/manifests/bases/image-reflector-controller/kustomization.yaml b/manifests/bases/image-reflector-controller/kustomization.yaml
index 9c1f49f1..3b5195bd 100644
--- a/manifests/bases/image-reflector-controller/kustomization.yaml
+++ b/manifests/bases/image-reflector-controller/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
resources: - https://github.com/fluxcd/image-reflector-controller/archive/v0.4.1.zip//image-reflector-controller-0.4.1/config/crd - https://github.com/fluxcd/image-reflector-controller/archive/v0.4.1.zip//image-reflector-controller-0.4.1/config/manager
+- account.yaml
patchesJson6902: - target: group: apps
diff --git a/manifests/bases/image-reflector-controller/patch.yaml b/manifests/bases/image-reflector-controller/patch.yaml
index e5ee6192..39814a23 100644
--- a/manifests/bases/image-reflector-controller/patch.yaml
+++ b/manifests/bases/image-reflector-controller/patch.yaml
@@ -1,3 +1,6 @@
- op: add path: /spec/template/spec/containers/0/args/0 value: --events-addr=http://notification-controller/
+- op: add
+ path: /spec/template/spec/serviceAccountName
+ value: image-reflector-controller
diff --git a/manifests/bases/kustomize-controller/account.yaml b/manifests/bases/kustomize-controller/account.yaml
new file mode 100644
index 00000000..e3436a5f
--- /dev/null
+++ b/manifests/bases/kustomize-controller/account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kustomize-controller
diff --git a/manifests/bases/kustomize-controller/kustomization.yaml b/manifests/bases/kustomize-controller/kustomization.yaml
index 964c0c80..0e52ee52 100644
--- a/manifests/bases/kustomize-controller/kustomization.yaml
+++ b/manifests/bases/kustomize-controller/kustomization.yaml
@@ -3,6 +3,7 @@ kind: Kustomization
resources: - https://github.com/fluxcd/kustomize-controller/archive/v0.7.0.zip//kustomize-controller-0.7.0/config/crd - https://github.com/fluxcd/kustomize-controller/archive/v0.7.0.zip//kustomize-controller-0.7.0/config/manager
+- account.yaml
patchesJson6902: - target: group: apps
diff --git a/manifests/bases/kustomize-controller/patch.yaml b/manifests/bases/kustomize-controller/patch.yaml
index e5ee6192..380cdfbd 100644
--- a/manifests/bases/kustomize-controller/patch.yaml
+++ b/manifests/bases/kustomize-controller/patch.yaml
@@ -1,3 +1,6 @@
- op: add path: /spec/template/spec/containers/0/args/0 value: --events-addr=http://notification-controller/
+- op: add
+ path: /spec/template/spec/serviceAccountName
+ value: kustomize-controller
diff --git a/manifests/bases/notification-controller/account.yaml b/manifests/bases/notification-controller/account.yaml
new file mode 100644
index 00000000..2f5074ef
--- /dev/null
+++ b/manifests/bases/notification-controller/account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: notification-controller
diff --git a/manifests/bases/notification-controller/kustomization.yaml b/manifests/bases/notification-controller/kustomization.yaml
index 83d112b4..ccc1141f 100644
--- a/manifests/bases/notification-controller/kustomization.yaml
+++ b/manifests/bases/notification-controller/kustomization.yaml
@@ -3,3 +3,11 @@ kind: Kustomization
resources: - https://github.com/fluxcd/notification-controller/archive/v0.7.0.zip//notification-controller-0.7.0/config/crd - https://github.com/fluxcd/notification-controller/archive/v0.7.0.zip//notification-controller-0.7.0/config/manager
+- account.yaml
+patchesJson6902:
+ - target:
+ group: apps
+ version: v1
+ kind: Deployment
+ name: notification-controller
+ path: patch.yaml
diff --git a/manifests/bases/notification-controller/patch.yaml b/manifests/bases/notification-controller/patch.yaml
new file mode 100644
index 00000000..9c36ccdd
--- /dev/null
+++ b/manifests/bases/notification-controller/patch.yaml
@@ -0,0 +1,3 @@
+- op: add
+ path: /spec/template/spec/serviceAccountName
+ value: notification-controller
diff --git a/manifests/bases/source-controller/account.yaml b/manifests/bases/source-controller/account.yaml
new file mode 100644
index 00000000..fecca6ed
--- /dev/null
+++ b/manifests/bases/source-controller/account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: source-controller
diff --git a/manifests/bases/source-controller/kustomization.yaml b/manifests/bases/source-controller/kustomization.yaml
index 325c61cf..9fa0cc9f 100644
--- a/manifests/bases/source-controller/kustomization.yaml
+++ b/manifests/bases/source-controller/kustomization.yaml
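Review bot: The new `patchesJson6902:` block in notification-controller/kustomization.yaml indents its sequence item (`  - target:`) while `resources:` in the same file lists `- account.yaml` flush with its key, so the file appears to mix both sequence styles (the collapsed hunk text makes the exact columns hard to verify, and the sibling kustomizations' indentation is not visible here). Picking one style file-wide, e.g. `- target:` at the same column as `- account.yaml` with `group: apps` and the other target keys indented beneath it and `path: patch.yaml` aligned with `target:`, keeps yamllint's indentation check consistent across the bases. The kustomization's `apiVersion`/`kind` header lies outside the hunk.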
@@ -3,6 +3,7 @@ kind: Kustomization
resources: - https://github.com/fluxcd/source-controller/archive/v0.7.0.zip//source-controller-0.7.0/config/crd - https://github.com/fluxcd/source-controller/archive/v0.7.0.zip//source-controller-0.7.0/config/manager
+- account.yaml
patchesJson6902: - target: group: apps
diff --git a/manifests/bases/source-controller/patch.yaml b/manifests/bases/source-controller/patch.yaml
index e5ee6192..15c1d28e 100644
--- a/manifests/bases/source-controller/patch.yaml
+++ b/manifests/bases/source-controller/patch.yaml
@@ -1,3 +1,6 @@
- op: add path: /spec/template/spec/containers/0/args/0 value: --events-addr=http://notification-controller/
+- op: add
+ path: /spec/template/spec/serviceAccountName
+ value: source-controller
diff --git a/manifests/rbac/role.yaml b/manifests/rbac/controller.yaml
similarity index 59%
rename from manifests/rbac/role.yaml
rename to manifests/rbac/controller.yaml
index 2b074552..932e5b11 100644
--- a/manifests/rbac/role.yaml
+++ b/manifests/rbac/controller.yaml
@@ -1,5 +1,5 @@
apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
metadata: name: crd-controller rules:
@@ -15,12 +15,17 @@ rules:
- apiGroups: ['notification.toolkit.fluxcd.io'] resources: ['*'] verbs: ['*']
+- apiGroups: ['image.toolkit.fluxcd.io']
+ resources: ['*']
+ verbs: ['*']
- apiGroups: - "" resources: - - configmaps - - configmaps/status - verbs: ['*']
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
- apiGroups: - "" resources:
@@ -28,6 +33,19 @@ rules:
verbs: - create - patch
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - configmaps/status
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
- apiGroups: - "coordination.k8s.io" resources:
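Review bot: The Role-to-ClusterRole switch in the first controller.yaml hunk widens every crd-controller rule from the namespace to the whole cluster without a comment recording why, and the binding hunk that follows grants that role to all six service accounts, so the new cluster-wide `secrets` get/list/watch rule and the configmaps create/update/patch/delete rule become reachable from any controller pod's token. If cluster scope is required (presumably because the controllers reconcile Flux objects and referenced Secrets in every namespace), a header comment above `metadata:` such as `# Cluster-scoped: the controllers reconcile objects and read referenced Secrets in all namespaces` gives reviewers the justification; if some controllers only need the Flux namespace, a namespaced Role plus RoleBinding for them would keep a leaked token's reach to that namespace. The added `image.toolkit.fluxcd.io` rule copies the `resources: ['*']` / `verbs: ['*']` wildcard style of its neighbours, which is consistent here but worth narrowing to the verbs actually used once known. The rules list continues between and after the three hunks, outside view.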
@@ -42,14 +60,23 @@ rules:
- delete --- apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+kind: ClusterRoleBinding
metadata: name: crd-controller roleRef: apiGroup: rbac.authorization.k8s.io - kind: Role
+ kind: ClusterRole
name: crd-controller subjects: - kind: ServiceAccount - name: default - namespace: system
+ name: kustomize-controller
+ - kind: ServiceAccount
+ name: helm-controller
+ - kind: ServiceAccount
+ name: source-controller
+ - kind: ServiceAccount
+ name: notification-controller
+ - kind: ServiceAccount
+ name: image-reflector-controller
+ - kind: ServiceAccount
+ name: image-automation-controller
diff --git a/manifests/rbac/kustomization.yaml b/manifests/rbac/kustomization.yaml
index 3036fad9..6a1d4a69 100644
--- a/manifests/rbac/kustomization.yaml
+++ b/manifests/rbac/kustomization.yaml
@@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - role.yaml - - cluster-role.yaml
+ - controller.yaml
+ - reconciler.yaml
diff --git a/manifests/rbac/cluster-role.yaml b/manifests/rbac/reconciler.yaml
similarity index 73%
rename from manifests/rbac/cluster-role.yaml
rename to manifests/rbac/reconciler.yaml
index e54dea57..7313d271 100644
--- a/manifests/rbac/cluster-role.yaml
+++ b/manifests/rbac/reconciler.yaml
@@ -8,5 +8,6 @@ roleRef:
name: cluster-admin subjects: - kind: ServiceAccount - name: default - namespace: system
+ name: kustomize-controller
+ - kind: ServiceAccount
+ name: helm-controller
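Review bot: The six ServiceAccount subjects added to the crd-controller ClusterRoleBinding carry no `namespace`, whereas the removed `default` subject had `namespace: system`; the RBAC API rejects ServiceAccount subjects without a namespace, so this file only applies through a kustomization that sets `namespace:` and lets kustomize fill in the subjects (presumably the install overlays, which are not part of this patch). A one-line comment above `subjects:`, e.g. `# subject namespaces are filled in by the overlay's namespace transformer`, would stop someone from applying the file directly and hitting a validation error; the subjects in manifests/rbac/reconciler.yaml have the same gap. Separately, all six accounts are bound to the single crd-controller ClusterRole, so the dedicated accounts give each controller its own identity in API-server audit logs but not its own privilege set; per-controller roles would be the natural follow-up to the commit title. The ClusterRole document that precedes this binding starts outside the hunk.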
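Review bot: The cluster-admin binding in reconciler.yaml now names only kustomize-controller and helm-controller, but nothing in the file says why these two receive cluster-admin while the other four new accounts receive only crd-controller; a comment above `subjects:` such as `# cluster-admin is limited to the controllers that apply user-supplied manifests; the others use crd-controller` would document the boundary for anyone adding a subject later (that rationale is inferred from the controller names, so confirm the wording). Like controller.yaml, the new subjects omit `namespace`, so the binding depends on the consuming kustomization's namespace transformer. The binding's header and `roleRef` begin outside the hunk.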