
Commit 4c6b0a6

committed
fix rbac
1 parent f82cf57 commit 4c6b0a6

4 files changed

+26
-20
lines changed

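--- a/external/exposecontroller/expose-controller-deployment.yaml
+++ b/external/exposecontroller/expose-controller-deployment.yaml
@@ -60,7 +60,7 @@ spec:
 volumeMounts:
 - mountPath: /etc/exposecontroller
 name: config-volume
-serviceAccountName: exposecontroller
+serviceAccountName: ext-exposecontroller
 volumes:
 - configMap:
 name: exposecontroller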

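--- a/external/exposecontroller/expose-controller-rbac.yaml
+++ b/external/exposecontroller/expose-controller-rbac.yaml
@@ -1,14 +1,17 @@
+# one Role gives access to services & ingresses in the same namespace as the exposecontroller is running
+# other Role gives access to the services in the default namespace
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-name: exposecontroller
+name: ext-exposecontroller
 namespace: external
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
 # name + namespace + "role"
-name: exposecontroller-external-role
+name: ext-exposecontroller-external-role
 namespace: external
 rules:
 - apiGroups:
@@ -38,21 +41,21 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-name: exposecontroller-external-role-binding
+name: ext-exposecontroller-external-role-binding
 namespace: external
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
-name: exposecontroller-external-role
+name: ext-exposecontroller-external-role
 subjects:
 - kind: ServiceAccount
-name: exposecontroller
+name: ext-exposecontroller
 namespace: external
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
-name: exposecontroller-default-role
+name: ext-exposecontroller-default-role
 namespace: default
 rules:
 - apiGroups:
@@ -66,14 +69,14 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-name: exposecontroller-default-role-binding
+name: ext-exposecontroller-default-role-binding
 # This only grants permissions within the "default" namespace.
 namespace: default
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
-name: exposecontroller-default-role
+name: ext-exposecontroller-default-role
 subjects:
 - kind: ServiceAccount
-name: exposecontroller
+name: ext-exposecontroller
 namespace: external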
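Review bot: Renaming the ServiceAccount, Roles and RoleBindings leaves the objects that carried the old names in the cluster unless the manifests are applied with pruning, so the old `exposecontroller-default-role-binding` in `default` would presumably keep granting access to whichever unprefixed `exposecontroller` ServiceAccount it was last written for. The same holds for internal/exposecontroller/expose-controller-rbac.yaml, where the old default-namespace Role and RoleBinding had the identical names. I would record the cleanup in the new header comment, for example `# replaces the unprefixed exposecontroller ServiceAccount, Roles and RoleBindings; delete those after rollout`. The context comment `# name + namespace + "role"` on new line 13 no longer matches the name below it and could read `# prefix + name + namespace + "role"`.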

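--- a/internal/exposecontroller/expose-controller-deployment.yaml
+++ b/internal/exposecontroller/expose-controller-deployment.yaml
@@ -60,7 +60,7 @@ spec:
 volumeMounts:
 - mountPath: /etc/exposecontroller
 name: config-volume
-serviceAccountName: exposecontroller
+serviceAccountName: int-exposecontroller
 volumes:
 - configMap:
 name: exposecontroller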

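--- a/internal/exposecontroller/expose-controller-rbac.yaml
+++ b/internal/exposecontroller/expose-controller-rbac.yaml
@@ -1,14 +1,17 @@
+# one Role gives access to services & ingresses in the same namespace as the exposecontroller is running
+# other Role gives access to the services in the default namespace
+
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-name: exposecontroller
+name: int-exposecontroller
 namespace: internal
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
 # name + namespace + "role"
-name: exposecontroller-internal-role
+name: int-exposecontroller-internal-role
 namespace: internal
 rules:
 - apiGroups:
@@ -38,21 +41,21 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-name: exposecontroller-internal-role-binding
+name: int-exposecontroller-internal-role-binding
 namespace: internal
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
-name: exposecontroller-internal-role
+name: int-exposecontroller-internal-role
 subjects:
 - kind: ServiceAccount
-name: exposecontroller
+name: int-exposecontroller
 namespace: internal
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
 metadata:
-name: exposecontroller-default-role
+name: int-exposecontroller-default-role
 namespace: default
 rules:
 - apiGroups:
@@ -66,14 +69,14 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
 metadata:
-name: exposecontroller-default-role-binding
+name: int-exposecontroller-default-role-binding
 # This only grants permissions within the "default" namespace.
 namespace: default
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
-name: exposecontroller-default-role
+name: int-exposecontroller-default-role
 subjects:
 - kind: ServiceAccount
-name: exposecontroller
+name: int-exposecontroller
 namespace: internal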
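Review bot: The Roles and RoleBindings here still declare `apiVersion: rbac.authorization.k8s.io/v1beta1` (new lines 10, 41, 55 and 69), an API version that Kubernetes stopped serving in 1.22, so on a newer cluster these objects would be rejected and the controller would run with no grants at all. Since the commit already touches every one of these objects, I would switch them to `apiVersion: rbac.authorization.k8s.io/v1`; the `roleRef` and `subjects` fields shown keep the same shape. The external rbac file has the same four lines. The `rules:` bodies lie outside the hunks, so the verbs and resources granted in `default` cannot be checked from this page.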
