RBAC: Consolidate serviceaccounts and restrict rbac

Currently, services have two serviceaccounts: one specified in the chart that cannot read anything, and one injected via helm-toolkit that can read everything. This patch set refactors the logic to: - cleanup the roles and their binding automatically when the helm chart is deleted; - remove the need to separately mount a serviceaccount with secret; - better handling of namespaces resource restriction. Co-Authored-By: portdirect <pete@port.direct> Change-Id: I47d41e0cad9b5b002f59fc9652bad2cc025538dc
2017-12-07 09:34:05 -06:00
parent 8b6d6c43cb
commit 628fd3007d
83 changed files with 311 additions and 632 deletions
--- a/nfs-provisioner/templates/job-image-repo-sync.yaml
+++ b/nfs-provisioner/templates/job-image-repo-sync.yaml
@@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "nfs-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "nfs" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}