Removed extra serviceAccount from cephfs-provisioner

cephfs-provisioner may need to create new resources in the kubernetes cluster. It was granted access to some of the resources including namespaces but when https://review.opendev.org/c/starlingx/platform-armada-app/+/778746 got merged the serviceAccount was changed. I have updated the serviceAccount with access to creating new namespaces and secrets. The serviceAccount that was initially used to create namespaces and secrets is not needed anymore, so I have removed it. Closes-bug: 1921197 Change-Id: I3c683776f3ecaf9c78d1a6b5b1108e9582497dde Signed-off-by: Daniel Safta <daniel.safta@windriver.com>
2021-03-24 12:56:29 +00:00 · 2021-03-24 12:56:29 +00:00 · 1021d50142
parent 45fd0a6b2c
commit 1021d50142
2 changed files with 10 additions and 67 deletions
--- a/stx-platform-helm/stx-platform-helm/helm-charts/cephfs-provisioner/templates/rbac-secrets.yaml
+++ b/stx-platform-helm/stx-platform-helm/helm-charts/cephfs-provisioner/templates/rbac-secrets.yaml
@ -8,72 +8,6 @@

 {{- $defaults := .Values.classdefaults }}

-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ $defaults.rbacConfigName }}
-  namespace: {{ $defaults.cephFSNamespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "list", "watch", "create", "delete"]
-  - apiGroups: [""]
-    resources: ["namespaces"]
-    verbs: ["get", "create", "list", "update"]
---
-
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: {{ $defaults.rbacConfigName }}
-subjects:
-  - kind: ServiceAccount
-    name: {{ $defaults.rbacConfigName }}
-    namespace: {{ $defaults.cephFSNamespace }}
-roleRef:
-  kind: ClusterRole
-  name: {{ $defaults.rbacConfigName }}
-  apiGroup: rbac.authorization.k8s.io
---
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{ $defaults.rbacConfigName }}
-  namespace: {{ $defaults.cephFSNamespace }}
-rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["create", "get", "delete"]
-  - apiGroups: [""]
-    resources: ["endpoints"]
-    verbs: ["get", "list", "watch", "create", "update", "patch"]
-  - apiGroups: [""]
-    resources: ["namespaces"]
-    verbs: ["get", "create", "list", "update"]
---
-
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: {{ $defaults.rbacConfigName }}
-  namespace: {{ $defaults.cephFSNamespace }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: {{ $defaults.rbacConfigName }}
-subjects:
- kind: ServiceAccount
-  name: {{ $defaults.rbacConfigName }}
---
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ $defaults.rbacConfigName }}
-  namespace: {{ $defaults.cephFSNamespace }}
---
-
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@ -96,6 +30,12 @@ rules:
    resources: ["services"]
    resourceNames: ["kube-dns","coredns"]
    verbs: ["list", "get"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "create", "list", "update"]
 ---

 kind: ClusterRoleBinding
@ -124,6 +64,10 @@ rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["namespaces"]
+    verbs: ["get", "create", "list", "update"]
+
 ---

 apiVersion: rbac.authorization.k8s.io/v1
--- a/stx-platform-helm/stx-platform-helm/helm-charts/cephfs-provisioner/values.yaml
+++ b/stx-platform-helm/stx-platform-helm/helm-charts/cephfs-provisioner/values.yaml
@ -73,7 +73,6 @@ classdefaults:
  - 192.168.204.2:6789
  provisionerConfigName: cephfs-provisioner
  provisionerName: ceph.com/cephfs
-  rbacConfigName: cephfs-provisioner-keyring

 # Configure storage classes.
 # This section should be tailored to your setup. It allows you to define multiple storage