From 6d2c1f300f5659268662390ccfdf319961388687 Mon Sep 17 00:00:00 2001
From: "Weiyanli Chen(York)" <6115189+cwyl02@users.noreply.github.com>
Date: Thu, 5 Oct 2023 10:13:29 -0700
Subject: [PATCH] fix: used dedicated clusterrole for kcore hooks (#1635)
* fix: use dedicated clusterrole for kcore hooks
* chore: add missing kommandercores/status
* chore: add patch & update for post install job
---
 .../post_install_kommandercore_hook.yaml | 24 +++++++++++++--
 .../pre_upgrade_kommandercore_hook.yaml | 30 ++++++++++++++++++-
 2 files changed, 51 insertions(+), 3 deletions(-)
diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
index 7964d197f..0308741e0 100644
--- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
@@ -10,6 +10,27 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-installation
+ annotations:
+ "helm.sh/hook": post-install
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups:
+ - dkp.d2iq.io
+ resources:
+ - kommandercores
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: {{ .Chart.Name }}-installation
@@ -20,12 +41,11 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: {{ .Chart.Name }}-installation
 subjects:
 - kind: ServiceAccount
 name: {{ .Chart.Name }}-installation
 namespace: {{ .Release.Namespace }}
-
 ---
 apiVersion: v1
 kind: ConfigMap
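Review bot: The new `{{ .Chart.Name }}-installation` ClusterRole in the first hunk has no comment tying its verbs to what the post-install job actually calls, and the commit message shows `patch` and `update` were added after the fact. A comment above `rules:` such as `# verbs required by the post-install job on kommandercores; extend only when the job's API calls change` would keep the role from drifting back towards broad grants. Because the role is bound through a ClusterRoleBinding, it covers kommandercores in every namespace if that resource is namespaced (not visible here); a Role and RoleBinding in `{{ .Release.Namespace }}` would be tighter in that case. The same applies to the `-pre-upgrade` ClusterRole in pre_upgrade_kommandercore_hook.yaml.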
diff --git a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
index 417e66e11..6b3ba83e8 100644
--- a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
@@ -11,6 +11,34 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-pre-upgrade
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups:
+ - dkp.d2iq.io
+ - helm.toolkit.fluxcd.io
+ resources:
+ - kommandercores
+ - helmreleases
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - dkp.d2iq.io
+ resources:
+ - kommandercores
+ - kommandercores/status
+ verbs:
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: {{ .Chart.Name }}-pre-upgrade
@@ -21,7 +49,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: {{ .Chart.Name }}-pre-upgrade
 subjects:
 - kind: ServiceAccount
 name: {{ .Chart.Name }}-pre-upgrade
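Review bot: The first rule of the `-pre-upgrade` ClusterRole lists two apiGroups and two resources together, which RBAC evaluates as a cross product, so it also grants read on `helmreleases` in `dkp.d2iq.io` and on `kommandercores` in `helm.toolkit.fluxcd.io`. Those extra combinations probably match nothing today, but splitting the rule per API group keeps the grant exact and easier to audit. The binding also gives the hook read access to HelmReleases in all namespaces, and their specs can carry inline values; if the job only inspects releases in the release namespace, a namespaced Role would suffice (the job itself is outside this hunk).

```yaml
rules:
  - apiGroups:
      - dkp.d2iq.io
    resources:
      - kommandercores
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - helm.toolkit.fluxcd.io
    resources:
      - helmreleases
    verbs:
      - get
      - list
      - watch
  # … unchanged: patch/update rule for kommandercores and kommandercores/status …
```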