change cluster role to role

Signed-off-by: ashnamehrotra <[email protected]>
ashnamehrotra · Jan 26, 2024 · a0b9319 · a0b9319
1 parent c3c81bd
commit a0b9319
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 20 deletions.
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -1,10 +1,12 @@
+# this may not work since we need access to pods (system namespace) and CRDs (default namespace)
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: manager-rolebinding
+  namespace: system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: manager-role
 subjects:
 - kind: ServiceAccount

diff --git a/...ates/eraser-manager-role-clusterrole.yaml → ...r/templates/eraser-manager-role-role.yaml b/...ates/eraser-manager-role-clusterrole.yaml → ...r/templates/eraser-manager-role-role.yaml
@@ -1,12 +1,13 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   labels:
     app.kubernetes.io/instance: '{{ .Release.Name }}'
     app.kubernetes.io/managed-by: '{{ .Release.Service }}'
     app.kubernetes.io/name: '{{ template "eraser.name" . }}'
     helm.sh/chart: '{{ template "eraser.name" . }}'
   name: eraser-manager-role
+  namespace: '{{ .Release.Namespace }}'
 rules:
 - apiGroups:
   - ""

diff --git a/...nager-rolebinding-clusterrolebinding.yaml → ...aser-manager-rolebinding-rolebinding.yaml b/...nager-rolebinding-clusterrolebinding.yaml → ...aser-manager-rolebinding-rolebinding.yaml
@@ -1,15 +1,16 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   labels:
     app.kubernetes.io/instance: '{{ .Release.Name }}'
     app.kubernetes.io/managed-by: '{{ .Release.Service }}'
     app.kubernetes.io/name: '{{ template "eraser.name" . }}'
     helm.sh/chart: '{{ template "eraser.name" . }}'
   name: eraser-manager-rolebinding
+  namespace: '{{ .Release.Namespace }}'
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
+  kind: Role
   name: eraser-manager-role
 subjects:
 - kind: ServiceAccount

diff --git a/manifest_staging/deploy/eraser.yaml b/manifest_staging/deploy/eraser.yaml
@@ -292,15 +292,10 @@ metadata:
   namespace: eraser-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  creationTimestamp: null
-  name: eraser-imagejob-pods-cluster-role
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: eraser-manager-role
+  namespace: eraser-system
 rules:
 - apiGroups:
   - ""
@@ -387,29 +382,36 @@ rules:
   - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
-  name: eraser-imagejob-pods-cluster-rolebinding
+  creationTimestamp: null
+  name: eraser-imagejob-pods-cluster-role
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: eraser-manager-rolebinding
+  namespace: eraser-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: eraser-imagejob-pods-cluster-role
+  kind: Role
+  name: eraser-manager-role
 subjects:
 - kind: ServiceAccount
-  name: eraser-imagejob-pods
+  name: eraser-controller-manager
   namespace: eraser-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: eraser-manager-rolebinding
+  name: eraser-imagejob-pods-cluster-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: eraser-manager-role
+  name: eraser-imagejob-pods-cluster-role
 subjects:
 - kind: ServiceAccount
-  name: eraser-controller-manager
+  name: eraser-imagejob-pods
   namespace: eraser-system
 ---
 apiVersion: v1