From 91a2dfa7b0ad8a179facee99f8aa5b84f3a6cd0f Mon Sep 17 00:00:00 2001
From: York Chen
Date: Mon, 25 Sep 2023 15:36:43 -0400
Subject: [PATCH] fix: use dedicated clusterrole for kcore hooks
---
 .../post_install_kommandercore_hook.yaml | 22 ++++++++++++--
 .../pre_upgrade_kommandercore_hook.yaml | 29 ++++++++++++++++++-
 2 files changed, 48 insertions(+), 3 deletions(-)
diff --git a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
index 182ce8e6e6..d7c81e07af 100644
--- a/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/post_install_kommandercore_hook.yaml
@@ -10,6 +10,25 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-installation
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups:
+ - dkp.d2iq.io
+ resources:
+ - kommandercores
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: {{ .Chart.Name }}-installation
@@ -20,12 +39,11 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: {{ .Chart.Name }}-installation
 subjects:
 - kind: ServiceAccount
 name: {{ .Chart.Name }}-installation
 namespace: {{ .Release.Namespace }}
-
 ---
 apiVersion: v1
 kind: ConfigMap
diff --git a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
index 417e66e119..ebb9e8ceca 100644
--- a/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
+++ b/charts/kommander-operator/templates/pre_upgrade_kommandercore_hook.yaml
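Review bot: The new ClusterRole in post_install_kommandercore_hook.yaml is annotated `"helm.sh/hook": pre-upgrade`, which reads like a copy of the pre-upgrade template; pre-upgrade hooks are not rendered on a fresh `helm install`, so on install the ClusterRoleBinding that follows would point at a ClusterRole that does not exist and the installation ServiceAccount would be left with no permissions at all. Assuming the rest of this file runs in the post-install phase, as the file name suggests (the binding's and job's hook annotations are outside the hunk), the role should carry that same phase, e.g. `"helm.sh/hook": post-install`. It is also worth confirming that the `"-5"` hook-weight orders the role ahead of the binding and the job that depends on it, since their weights are not visible here.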
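Review bot: `roleRef` on a ClusterRoleBinding is immutable, so changing it from `cluster-admin` to `{{ .Chart.Name }}-installation` only succeeds if the existing binding is deleted and recreated rather than updated in place; that is the case when the binding carries the `before-hook-creation` delete policy, but the binding's annotations sit between the two hunks and are not visible here, so please confirm. The same applies to the roleRef change in pre_upgrade_kommandercore_hook.yaml at `@@ -21,7 +48,7 @@`. Replacing cluster-admin with a dedicated role is the right direction; the remaining dependency is that the referenced role is rendered in the same hook phase as the binding.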
@@ -11,6 +11,33 @@ metadata:
 "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 ---
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Chart.Name }}-pre-upgrade
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+rules:
+ - apiGroups:
+ - dkp.d2iq.io
+ - helm.toolkit.fluxcd.io
+ resources:
+ - kommandercores
+ - helmreleases
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - dkp.d2iq.io
+ resources:
+ - kommandercores
+ verbs:
+ - patch
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: {{ .Chart.Name }}-pre-upgrade
@@ -21,7 +48,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: cluster-admin
+ name: {{ .Chart.Name }}-pre-upgrade
 subjects:
 - kind: ServiceAccount
 name: {{ .Chart.Name }}-pre-upgrade
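Review bot: The first rule's `apiGroups` and `resources` lists are combined as a cross product, so the role also names `dkp.d2iq.io`/`helmreleases` and `helm.toolkit.fluxcd.io`/`kommandercores`; neither pairing is expected to exist, so nothing extra is granted today, but the role reads broader than it is and would silently widen if such a resource were ever introduced. Listing each resource only under its own group, and folding the separate `patch`/`update` rule into the kommandercores entry, keeps the role minimal and easier to audit. The ClusterRole's name and hook annotations are unchanged.
```yaml
# … unchanged: ClusterRole kind, metadata and hook annotations …
rules:
  - apiGroups:
      - dkp.d2iq.io
    resources:
      - kommandercores
    verbs:
      - get
      - list
      - watch
      - patch
      - update
  - apiGroups:
      - helm.toolkit.fluxcd.io
    resources:
      - helmreleases
    verbs:
      - get
      - list
      - watch
```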