rancher · fgiudici · Oct 7, 2024 · Oct 4, 2024 · Oct 4, 2024
@@ -1,7 +1,8 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: '{{ .Release.Name }}'
+  namespace: fleet-default
 rules:
 - apiGroups:
   - ""
@@ -18,14 +19,25 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - events
+  - pods
   verbs:
   - create
+  - delete
+  - get
+  - list
   - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:
-  - pods
+  - pods/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
   verbs:
   - create
   - delete
@@ -37,13 +49,36 @@ rules:
 - apiGroups:
   - ""
   resources:
-  - pods/log
+  - services/status
   verbs:
   - get
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: '{{ .Release.Name }}'
+rules:
 - apiGroups:
   - ""
   resources:
-  - pods/status
+  - events
+  verbs:
+  - create
+  - patch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
   verbs:
   - get
 - apiGroups:
@@ -77,15 +112,7 @@ rules:
   - delete
   - get
   - list
-  - patch
-  - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - services/status
-  verbs:
-  - get
 - apiGroups:
   - cluster.x-k8s.io
   resources:
@@ -293,3 +320,31 @@ rules:
   - delete
   - list
   - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: '{{ .Release.Name }}'
+  namespace: fleet-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: '{{ .Release.Name }}'
+  namespace: fleet-default
+subjects:
+- kind: ServiceAccount
+  name: '{{ .Release.Name }}'
+  namespace: '{{ .Release.Namespace }}'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: '{{ .Release.Name }}'
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: '{{ .Release.Name }}'
+subjects:
+- kind: ServiceAccount
+  name: '{{ .Release.Name }}'
+  namespace: '{{ .Release.Namespace }}'
@@ -266,7 +266,7 @@ build-crds: $(KUSTOMIZE)
 	$(KUSTOMIZE) build config/crd > .obs/chartfile/elemental-operator-crds-helm/templates/crds.yaml
 
 build-rbac: $(KUSTOMIZE)
-	$(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/cluster_role.yaml
+	$(KUSTOMIZE) build config/rbac > .obs/chartfile/elemental-operator-helm/templates/rbac.yaml
 
 build-manifests: $(KUSTOMIZE) generate
 	$(MAKE) build-crds

@@ -1,13 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ .Release.Name }}
+  name: manager-role
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ .Release.Name }}
+  name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: {{ .Release.Name }}
-  namespace: {{.Release.Namespace}}
+  name: manager-role
+  namespace: manager-role-namespace
 
@@ -4,18 +4,6 @@ kind: ClusterRole
 metadata:
   name: manager-role
 rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - create
-  - delete
-  - get
-  - list
-  - patch
-  - update
-  - watch
 - apiGroups:
   - ""
   resources:
@@ -32,21 +20,13 @@ rules:
   - delete
   - get
   - list
-  - patch
-  - update
   - watch
 - apiGroups:
   - ""
   resources:
   - pods/log
   verbs:
   - get
-- apiGroups:
-  - ""
-  resources:
-  - pods/status
-  verbs:
-  - get
 - apiGroups:
   - ""
   resources:
@@ -78,15 +58,7 @@ rules:
   - delete
   - get
   - list
-  - patch
-  - update
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - services/status
-  verbs:
-  - get
 - apiGroups:
   - cluster.x-k8s.io
   resources:
@@ -294,3 +266,58 @@ rules:
   - delete
   - list
   - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: manager-role
+  namespace: fleet-default
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/status
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services/status
+  verbs:
+  - get
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: manager-role
+  namespace: fleet-default
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: manager-role
+  namespace: fleet-default
+subjects:
+- kind: ServiceAccount
+  name: manager-role
+  namespace: manager-role-namespace
+
@@ -2,11 +2,37 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - bases/role.yaml
+- bases/role_binding.yaml
+- bases/cluster_role_binding.yaml
 
-patchesJson6902: ## this is used to patch role name so we can use in helm chart template
-  - target:
-      group: rbac.authorization.k8s.io
-      version: v1
-      kind: ClusterRole
-      name: manager-role
-    path: patches/name_in_role.yaml
+patches:
+- path: patches/name_in_role.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRole
+    name: manager-role
+    version: v1
+- path: patches/name_in_role.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: manager-role
+    version: v1
+- path: patches/name_in_role.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: Role
+    name: manager-role
+    version: v1
+- path: patches/name_in_rolebinding.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: RoleBinding
+    name: manager-role
+    version: v1
+- path: patches/name_in_rolebinding.yaml
+  target:
+    group: rbac.authorization.k8s.io
+    kind: ClusterRoleBinding
+    name: manager-role
+    version: v1
@@ -0,0 +1,9 @@
+- op: replace
+  path: /metadata/name
+  value: "{{ .Release.Name }}"
+- op: replace
+  path: /subjects/0/name
+  value: "{{ .Release.Name }}"
+- op: replace
+  path: /subjects/0/namespace
+  value: "{{ .Release.Namespace }}"
@@ -66,11 +66,11 @@ const (
 // +kubebuilder:rbac:groups=elemental.cattle.io,resources=machineregistrations,verbs=get;watch;list
 // TODO: restrict access to resources to the required namespace only:
 //   https://github.com/rancher/elemental-operator/issues/457
-// +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=pods/status,verbs=get
-// +kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;create;update;patch;delete
-// +kubebuilder:rbac:groups="",resources=services/status,verbs=get
-// +kubebuilder:rbac:groups="",resources=configmaps,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=pods,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=pods/status,verbs=get
+// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=services,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=services/status,verbs=get
+// +kubebuilder:rbac:groups="",namespace=fleet-default,resources=configmaps,verbs=get;list;watch;create;update;patch;delete
 
 // TODO: extend SetupWithManager with "Watches" and "WithEventFilter"
 func (r *SeedImageReconciler) SetupWithManager(mgr ctrl.Manager) error {