From 515494ca986bfd7b17391fa1cba3bf18910ce753 Mon Sep 17 00:00:00 2001 
From: portdirect Date: Tue, 16 Jan 2018 20:24:25 -0500 Subject: [PATCH] RBAC: Include release name in cluster roles to prevent collision This PS includes the release name in the cluster role to prevent colision if the chart is deployed multiple times in the same cluster. Change-Id: I7166e5ee25b3d4c89879393c5f84c869585a2681 --- calico/templates/daemonset-calico-node.yaml | 2 +- .../deployment-calico-kube-controllers.yaml | 2 +- .../templates/deployment-client.yaml | 2 +- elasticsearch/templates/statefulset-data.yaml | 2 +- .../templates/daemonset-kube-flannel-ds.yaml | 2 +- .../templates/daemonset-fluent-bit.yaml | 2 +- .../templates/deployment-fluentd.yaml | 2 +- nfs-provisioner/templates/clusterrole.yaml | 76 ------------------- .../templates/clusterrolebinding.yaml | 31 -------- nfs-provisioner/templates/deployment.yaml | 73 +++++++++++++++++- nfs-provisioner/values.yaml | 2 - .../templates/clusterrolebinding.yaml | 2 +- .../templates/clusterrole.yaml | 74 ------------------ .../templates/clusterrolebinding.yaml | 33 -------- .../templates/deployment.yaml | 60 ++++++++++++++- prometheus-kube-state-metrics/values.yaml | 2 - .../templates/clusterrolebinding.yaml | 33 -------- .../templates/daemonset.yaml | 15 +++- prometheus-node-exporter/values.yaml | 1 - prometheus/templates/clusterrole.yaml | 46 ----------- prometheus/templates/clusterrolebinding.yaml | 33 -------- prometheus/templates/statefulset.yaml | 43 ++++++++++- prometheus/values.yaml | 2 - .../templates/clusterrolebinding-tiller.yaml | 32 -------- tiller/templates/deployment-tiller.yaml | 15 +++- tiller/values.yaml | 1 - 26 files changed, 209 insertions(+), 379 deletions(-) delete mode 100644 nfs-provisioner/templates/clusterrole.yaml delete mode 100644 nfs-provisioner/templates/clusterrolebinding.yaml delete mode 100644 prometheus-kube-state-metrics/templates/clusterrole.yaml delete mode 100644 prometheus-kube-state-metrics/templates/clusterrolebinding.yaml delete mode 100644 
prometheus-node-exporter/templates/clusterrolebinding.yaml delete mode 100644 prometheus/templates/clusterrole.yaml delete mode 100644 prometheus/templates/clusterrolebinding.yaml delete mode 100644 tiller/templates/clusterrolebinding-tiller.yaml diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml index 41036585f..63f49d903 100644 --- a/calico/templates/daemonset-calico-node.yaml +++ b/calico/templates/daemonset-calico-node.yaml @@ -42,7 +42,7 @@ limitations under the License. {{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} -{{- $serviceAccountName := "calico-cni-plugin"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml index 06eb44e40..af7f41bef 100644 --- a/calico/templates/deployment-calico-kube-controllers.yaml +++ b/calico/templates/deployment-calico-kube-controllers.yaml @@ -23,7 +23,7 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_kube_policy_controllers -}} {{- end -}} -{{- $serviceAccountName := "calico-kube-policy-controllers"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml index 07ed9a7de..324412936 100644 --- a/elasticsearch/templates/deployment-client.yaml +++ b/elasticsearch/templates/deployment-client.yaml 
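Review bot: Besides adding the release prefix, the deployment-calico-kube-controllers hunk also changes the service-account base name from `calico-kube-policy-controllers` to `calico-kube-controllers`, which the commit message does not mention. Anything outside this template that referenced the old name (a ClusterRoleBinding subject, a PodSecurityPolicy grant) would be orphaned on upgrade; from this diff I can only see that `$serviceAccountName` feeds the RBAC snippet and the ClusterRole after the `---`, so if nothing else uses the old name this is harmless, but the rename deserves a line in the description. The ClusterRole body that follows the `---` is outside the hunk, so I cannot confirm its `metadata.name` is release-prefixed too.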
@@ -26,7 +26,7 @@ limitations under the License. {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} -{{- $serviceAccountName := "elasticsearch-client"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "elasticsearch-client"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml index 0eac6ac04..466071962 100644 --- a/elasticsearch/templates/statefulset-data.yaml +++ b/elasticsearch/templates/statefulset-data.yaml @@ -25,7 +25,7 @@ limitations under the License. {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} -{{- $serviceAccountName := "elasticsearch-data"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "elasticsearch-data"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/flannel/templates/daemonset-kube-flannel-ds.yaml b/flannel/templates/daemonset-kube-flannel-ds.yaml index 6038b9b93..ae03a0417 100644 --- a/flannel/templates/daemonset-kube-flannel-ds.yaml +++ b/flannel/templates/daemonset-kube-flannel-ds.yaml @@ -23,7 +23,7 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}} {{- end -}} -{{- $serviceAccountName := "flannel"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "flannel"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: ClusterRole diff --git a/fluent-logging/templates/daemonset-fluent-bit.yaml b/fluent-logging/templates/daemonset-fluent-bit.yaml index 5e4239b1b..c7ad407e3 100644 
--- a/fluent-logging/templates/daemonset-fluent-bit.yaml +++ b/fluent-logging/templates/daemonset-fluent-bit.yaml @@ -26,7 +26,7 @@ limitations under the License. {{- $mounts_fluentbit := .Values.pod.mounts.fluentbit.fluentbit }} -{{- $serviceAccountName := "fluentbit"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "fluentbit" }} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/fluent-logging/templates/deployment-fluentd.yaml b/fluent-logging/templates/deployment-fluentd.yaml index 39e94ece6..a77297d6a 100644 --- a/fluent-logging/templates/deployment-fluentd.yaml +++ b/fluent-logging/templates/deployment-fluentd.yaml @@ -26,7 +26,7 @@ limitations under the License. {{- $mounts_fluentd := .Values.pod.mounts.fluentd.fluentd }} -{{- $serviceAccountName := "fluentd"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "fluentd" }} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/nfs-provisioner/templates/clusterrole.yaml b/nfs-provisioner/templates/clusterrole.yaml deleted file mode 100644 index d5c91809f..000000000 --- a/nfs-provisioner/templates/clusterrole.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrole }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-provisioner-runner -rules: - - apiGroups: - - '' - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - delete - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - update - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - list - - watch - - create - - update - - patch - - apiGroups: - - '' - resources: - - services - - endpoints - verbs: - - get - - apiGroups: - - extensions - resources: - - podsecuritypolicies - resourceNames: - - nfs-provisioner - verbs: - - use -{{- end }} diff --git a/nfs-provisioner/templates/clusterrolebinding.yaml b/nfs-provisioner/templates/clusterrolebinding.yaml deleted file mode 100644 index a7ca49322..000000000 --- a/nfs-provisioner/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $serviceAccountName := "nfs-provisioner"}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-nfs-provisioner -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: nfs-provisioner-runner - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/nfs-provisioner/templates/deployment.yaml b/nfs-provisioner/templates/deployment.yaml index 44193c263..5d59376f8 100644 --- a/nfs-provisioner/templates/deployment.yaml +++ b/nfs-provisioner/templates/deployment.yaml 
@@ -23,9 +23,80 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}} {{- end -}} -{{- $serviceAccountName := "nfs-provisioner"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "nfs-provisioner"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - '' + resources: + - services + - endpoints + verbs: + - get + - apiGroups: + - extensions + resources: + - podsecuritypolicies + resourceNames: + - nfs-provisioner + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ $serviceAccountName }} + apiGroup: rbac.authorization.k8s.io +--- kind: Deployment apiVersion: apps/v1beta1 metadata: diff --git a/nfs-provisioner/values.yaml b/nfs-provisioner/values.yaml index 51bc1adf8..d28b66fd3 100644 --- a/nfs-provisioner/values.yaml +++ b/nfs-provisioner/values.yaml @@ -123,8 +123,6 @@ endpoints: manifests: configmap_bin: true - clusterrole: true - clusterrolebinding: true deployment: true job_image_repo_sync: true service: true 
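Review bot: The `podsecuritypolicies` rule in the relocated ClusterRole still hard-codes `resourceNames: - nfs-provisioner`, so that grant is the one thing in this hunk that is not release-specific; if the PSP the chart or operator creates is ever named per release, the `use` verb will silently not match and the provisioner pods will be rejected by PSP admission. Either template it the same way (`- {{ $serviceAccountName }}`) or add a comment such as `# expects a PodSecurityPolicy literally named nfs-provisioner to exist` — I cannot see from this diff whether the chart creates one. Note also that with `manifests.clusterrole`/`clusterrolebinding` removed from values.yaml the role and binding are now always rendered with the Deployment, which removes the option of supplying pre-created RBAC. Minor: the ClusterRole is `rbac.authorization.k8s.io/v1` while the binding directly below it is `v1beta1`; the pair could use `v1` consistently.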
diff --git a/prometheus-alertmanager/templates/clusterrolebinding.yaml b/prometheus-alertmanager/templates/clusterrolebinding.yaml index 3a31c8e0f..ff70448b9 100644 --- a/prometheus-alertmanager/templates/clusterrolebinding.yaml +++ b/prometheus-alertmanager/templates/clusterrolebinding.yaml @@ -16,7 +16,7 @@ limitations under the License. {{- if .Values.manifests.clusterrolebinding }} {{- $envAll := . }} -{{- $serviceAccountName := "alertmanager"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "alertmanager"}} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding diff --git a/prometheus-kube-state-metrics/templates/clusterrole.yaml b/prometheus-kube-state-metrics/templates/clusterrole.yaml deleted file mode 100644 index 288cc1abd..000000000 --- a/prometheus-kube-state-metrics/templates/clusterrole.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrole }} -{{- $envAll := . }} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: kube-state-metrics-runner -rules: - - apiGroups: - - "" - resources: - - namespaces - - nodes - - persistentvolumeclaims - - pods - - services - - resourcequotas - - replicationcontrollers - - limitranges - - endpoints - - persistentvolumes - - horizontalpodautoscalers - verbs: - - list - - watch - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - replicasets - verbs: - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - list - - watch - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - list - - watch -{{- end }} diff --git a/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml b/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml deleted file mode 100644 index 42bab214c..000000000 --- a/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $envAll := . }} -{{- $serviceAccountName := "kube-state-metrics"}} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-kube-state-metrics -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ $envAll.Release.Namespace }} -roleRef: - kind: ClusterRole - name: kube-state-metrics-runner - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/prometheus-kube-state-metrics/templates/deployment.yaml b/prometheus-kube-state-metrics/templates/deployment.yaml index 1560c119f..3168e242d 100644 --- a/prometheus-kube-state-metrics/templates/deployment.yaml +++ b/prometheus-kube-state-metrics/templates/deployment.yaml 
@@ -23,9 +23,67 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_state_metrics -}} {{- end -}} -{{- $serviceAccountName := "kube-state-metrics"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "kube-state-metrics"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - namespaces + - nodes + - persistentvolumeclaims + - pods + - services + - resourcequotas + - replicationcontrollers + - limitranges + verbs: + - list + - watch + - apiGroups: + - extensions + resources: + - daemonsets + - deployments + - replicasets + verbs: + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ $serviceAccountName }} + apiGroup: rbac.authorization.k8s.io +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: diff --git a/prometheus-kube-state-metrics/values.yaml b/prometheus-kube-state-metrics/values.yaml index 3efa0b458..6e739a73a 100644 --- a/prometheus-kube-state-metrics/values.yaml +++ b/prometheus-kube-state-metrics/values.yaml @@ -141,8 +141,6 @@ network: manifests: configmap_bin: true - clusterrole: true - clusterrolebinding: true deployment: true job_image_repo_sync: true service_kube_state_metrics: true 
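Review bot: The ClusterRole moved into this file grants less than the `kube-state-metrics-runner` role it replaces: the core-group rule drops `endpoints`, `persistentvolumes` and `horizontalpodautoscalers`, and the `autoscaling`/`horizontalpodautoscalers` rule is gone entirely, while the commit message only describes a naming change. If the image's default collectors include those resources (likely, but it depends on the kube-state-metrics version), the pod will receive 403s from the API server for them after upgrade. Either restore the rules as below or state the intentional tightening in the commit message. The role and binding are also now rendered unconditionally, since `manifests.clusterrole`/`clusterrolebinding` are removed from values.yaml in this change.
```yaml
rules:
  - apiGroups:
      - ""
    resources:
      # … unchanged: namespaces … limitranges …
      - endpoints
      - persistentvolumes
    verbs:
      - list
      - watch
  # … unchanged: extensions, apps and batch rules …
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - list
      - watch
```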
diff --git a/prometheus-node-exporter/templates/clusterrolebinding.yaml b/prometheus-node-exporter/templates/clusterrolebinding.yaml deleted file mode 100644 index 40489f290..000000000 --- a/prometheus-node-exporter/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $envAll := . }} -{{- $serviceAccountName := "node-exporter"}} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-node-exporter -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/prometheus-node-exporter/templates/daemonset.yaml b/prometheus-node-exporter/templates/daemonset.yaml index 5d9b6635b..3a12b6191 100644 --- a/prometheus-node-exporter/templates/daemonset.yaml +++ b/prometheus-node-exporter/templates/daemonset.yaml 
@@ -23,9 +23,22 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.node_exporter -}} {{- end -}} -{{- $serviceAccountName := "node-exporter"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "node-exporter"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: run-node-exporter +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io +--- apiVersion: extensions/v1beta1 kind: DaemonSet metadata: diff --git a/prometheus-node-exporter/values.yaml b/prometheus-node-exporter/values.yaml index c8fada73b..8faeb513f 100644 --- a/prometheus-node-exporter/values.yaml +++ b/prometheus-node-exporter/values.yaml @@ -134,7 +134,6 @@ endpoints: manifests: configmap_bin: true - clusterrolebinding: true daemonset: true job_image_repo_sync: true service: true diff --git a/prometheus/templates/clusterrole.yaml b/prometheus/templates/clusterrole.yaml deleted file mode 100644 index 6883aef35..000000000 --- a/prometheus/templates/clusterrole.yaml +++ /dev/null 
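Review bot: The ClusterRoleBinding carried into daemonset.yaml keeps the static `name: run-node-exporter`, so two releases of this chart will still collide on the same cluster-scoped object — exactly the problem this commit sets out to fix; use `name: {{ $serviceAccountName }}` as the other charts in this change do. Separately, it binds the node-exporter service account to `cluster-admin`; node-exporter scrapes host metrics and, as far as this chart shows, makes no Kubernetes API calls, so a compromised exporter pod (which runs on every node) would hold full cluster privileges for no functional benefit. Consider dropping the binding, or replacing `cluster-admin` with a minimal ClusterRole granting only what is actually needed (e.g. `use` on a PodSecurityPolicy, if one is required). The binding is also no longer gated by `manifests.clusterrolebinding`, which this commit removes from values.yaml.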
@@ -1,46 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrole }} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: prometheus-runner -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - services - - endpoints - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - nonResourceURLs: - - "/metrics" - verbs: - - get -{{- end }} diff --git a/prometheus/templates/clusterrolebinding.yaml b/prometheus/templates/clusterrolebinding.yaml deleted file mode 100644 index e232353f9..000000000 --- a/prometheus/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ - -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $serviceAccountName := "prometheus"}} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-prometheus -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: prometheus-runner - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml index 46a14c2bb..f3fa07ce7 100644 --- a/prometheus/templates/statefulset.yaml +++ b/prometheus/templates/statefulset.yaml 
@@ -26,9 +26,50 @@ limitations under the License. {{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }} {{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }} -{{- $serviceAccountName := "prometheus"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "prometheus"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - services + - endpoints + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: prometheus-runner + apiGroup: rbac.authorization.k8s.io +--- apiVersion: apps/v1beta1 kind: StatefulSet metadata: diff --git a/prometheus/values.yaml b/prometheus/values.yaml index 0746ffa6a..8b16f3c6f 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml @@ -171,8 +171,6 @@ storage: storage_class: general manifests: - clusterrole: true - clusterrolebinding: true configmap_bin: true configmap_etc: true ingress_prometheus: true diff --git a/tiller/templates/clusterrolebinding-tiller.yaml b/tiller/templates/clusterrolebinding-tiller.yaml deleted file mode 100644 index fe05590bf..000000000 --- a/tiller/templates/clusterrolebinding-tiller.yaml +++ /dev/null 
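Review bot: The new ClusterRoleBinding's `roleRef` still points at `name: prometheus-runner`, but this same hunk renames the ClusterRole to `{{ $serviceAccountName }}` and the commit deletes the template that used to create `prometheus-runner`, so after upgrade the binding references a ClusterRole that no longer exists and the Prometheus service account loses its ability to discover nodes, endpoints and pods. Change the roleRef to `name: {{ $serviceAccountName }}` to match the ClusterRole above it and the pattern used in the nfs-provisioner and kube-state-metrics hunks. Also worth noting that the role and binding are no longer gated by `manifests.clusterrole`/`clusterrolebinding` (removed from values.yaml here), so they render unconditionally with the StatefulSet.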
@@ -1,32 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding_tiller }} -{{- $envAll := . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tiller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: tiller - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/tiller/templates/deployment-tiller.yaml b/tiller/templates/deployment-tiller.yaml index 0a0368f9d..b11b2bbba 100644 --- a/tiller/templates/deployment-tiller.yaml +++ b/tiller/templates/deployment-tiller.yaml @@ -23,9 +23,22 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}} {{- end -}} -{{- $serviceAccountName := "tiller"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "tiller" }} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: 
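Review bot: Moving the `cluster-admin` ClusterRoleBinding into deployment-tiller.yaml and deleting `manifests.clusterrolebinding_tiller` from values.yaml makes the binding unconditional; operators who previously disabled it to run Tiller with a narrower, pre-created role — the usual hardening for Helm 2, where anyone able to reach Tiller's gRPC port inherits its RBAC — lose that option. Consider keeping the binding behind a values toggle by wrapping it in `{{- if .Values.manifests.clusterrolebinding_tiller }}` … `{{- end }}` and adding a comment that the default grants cluster-admin to the Tiller service account. The release-prefixed binding and subject names themselves look correct.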
diff --git a/tiller/values.yaml b/tiller/values.yaml index 33038d872..3b56dc86e 100644 --- a/tiller/values.yaml +++ b/tiller/values.yaml @@ -79,7 +79,6 @@ endpoints: node: 5000 manifests: - clusterrolebinding_tiller: true configmap_bin: true deployment_tiller: true job_image_repo_sync: true