From a0b9319070b5f67d1d1ba843ea17b4f50a3901f5 Mon Sep 17 00:00:00 2001
From: ashnamehrotra
Date: Thu, 25 Jan 2024 23:36:53 -0800
Subject: [PATCH] change cluster role to role
Signed-off-by: ashnamehrotra
---
 config/rbac/role_binding.yaml | 6 ++--
 ...ole.yaml => eraser-manager-role-role.yaml} | 3 +-
 ...aser-manager-rolebinding-rolebinding.yaml} | 5 +--
 manifest_staging/deploy/eraser.yaml | 32 ++++++++++---------
 4 files changed, 26 insertions(+), 20 deletions(-)
 rename manifest_staging/charts/eraser/templates/{eraser-manager-role-clusterrole.yaml => eraser-manager-role-role.yaml} (96%)
 rename manifest_staging/charts/eraser/templates/{eraser-manager-rolebinding-clusterrolebinding.yaml => eraser-manager-rolebinding-rolebinding.yaml} (87%)
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 2070ede446..11038eee54 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -1,10 +1,12 @@
+# this may not work since we need access to pods (system namespace) and CRDs (default namespace)
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
 name: manager-rolebinding
+ namespace: system
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: Role
 name: manager-role
 subjects:
 - kind: ServiceAccount
diff --git a/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml b/manifest_staging/charts/eraser/templates/eraser-manager-role-role.yaml
similarity index 96%
rename from manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml
rename to manifest_staging/charts/eraser/templates/eraser-manager-role-role.yaml
index 892b07ffce..18f50966a1 100644
--- a/manifest_staging/charts/eraser/templates/eraser-manager-role-clusterrole.yaml
+++ b/manifest_staging/charts/eraser/templates/eraser-manager-role-role.yaml
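Review bot: The `roleRef` in config/rbac/role_binding.yaml now names `kind: Role` / `name: manager-role` in namespace `system`, but no file under config/rbac that defines that Role appears in this patch's diffstat; if the role there is still emitted as a ClusterRole, the binding references an object that does not exist and grants nothing. The added first-line comment also ships an open question rather than a statement of scope, and the doubt it records is real: a RoleBinding only authorizes requests inside its own namespace, so access to objects in any other namespace has to come from a separate binding. Once that is settled the comment should state the intent, for example `# Namespaced on purpose: manager-role is granted only inside the manager's namespace`. The `subjects` list continues outside the hunk.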
@@ -1,5 +1,5 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 labels:
 app.kubernetes.io/instance: '{{ .Release.Name }}'
@@ -7,6 +7,7 @@ metadata:
 app.kubernetes.io/name: '{{ template "eraser.name" . }}'
 helm.sh/chart: '{{ template "eraser.name" . }}'
 name: eraser-manager-role
+ namespace: '{{ .Release.Namespace }}'
 rules:
 - apiGroups:
 - ""
diff --git a/manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-clusterrolebinding.yaml b/manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml
similarity index 87%
rename from manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-clusterrolebinding.yaml
rename to manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml
index 5eeec2745a..94262d3948 100644
--- a/manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-clusterrolebinding.yaml
+++ b/manifest_staging/charts/eraser/templates/eraser-manager-rolebinding-rolebinding.yaml
@@ -1,5 +1,5 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
 labels:
 app.kubernetes.io/instance: '{{ .Release.Name }}'
@@ -7,9 +7,10 @@ metadata:
 app.kubernetes.io/name: '{{ template "eraser.name" . }}'
 helm.sh/chart: '{{ template "eraser.name" . }}'
 name: eraser-manager-rolebinding
+ namespace: '{{ .Release.Namespace }}'
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
+ kind: Role
 name: eraser-manager-role
 subjects:
 - kind: ServiceAccount
diff --git a/manifest_staging/deploy/eraser.yaml b/manifest_staging/deploy/eraser.yaml
index a8cfff1f61..8878e0e895 100644
--- a/manifest_staging/deploy/eraser.yaml
+++ b/manifest_staging/deploy/eraser.yaml
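Review bot: The `rules:` list in eraser-manager-role-role.yaml is carried over from the ClusterRole without review (the rename is 96% similar and everything after `- ""` is outside the hunk), yet a namespaced Role cannot grant access to cluster-scoped resources or to objects outside `{{ .Release.Namespace }}`. The API server still accepts such entries, so they become silently inert and the manager only learns of it through 403 responses at runtime. The rules should be audited and anything cluster-scoped moved into a separate, minimal ClusterRole; what remains could carry a comment such as `# Role is namespaced: these rules apply only inside the release namespace`. The `eraser-manager-role` Role added in manifest_staging/deploy/eraser.yaml has the same shape and needs the same check.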
@@ -292,15 +292,10 @@ metadata:
 namespace: eraser-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- name: eraser-imagejob-pods-cluster-role
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
 name: eraser-manager-role
+ namespace: eraser-system
 rules:
 - apiGroups:
 - ""
@@ -387,29 +382,36 @@ rules:
 - update
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: ClusterRole
 metadata:
- name: eraser-imagejob-pods-cluster-rolebinding
+ creationTimestamp: null
+ name: eraser-imagejob-pods-cluster-role
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: eraser-manager-rolebinding
+ namespace: eraser-system
 roleRef:
 apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: eraser-imagejob-pods-cluster-role
+ kind: Role
+ name: eraser-manager-role
 subjects:
 - kind: ServiceAccount
- name: eraser-imagejob-pods
+ name: eraser-controller-manager
 namespace: eraser-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: eraser-manager-rolebinding
+ name: eraser-imagejob-pods-cluster-rolebinding
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: eraser-manager-role
+ name: eraser-imagejob-pods-cluster-role
 subjects:
 - kind: ServiceAccount
- name: eraser-controller-manager
+ name: eraser-imagejob-pods
 namespace: eraser-system
 ---
 apiVersion: v1
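Review bot: Applying this manifest over an existing install will probably leave the old ClusterRole `eraser-manager-role` and ClusterRoleBinding `eraser-manager-rolebinding` in the cluster, because both hunks replace them with namespaced objects of a different kind and a plain `kubectl apply` does not delete objects that drop out of a manifest. Until they are removed, `eraser-controller-manager` keeps its cluster-wide grant and the privilege reduction has no effect on upgraded clusters. The file looks generated (`creationTimestamp: null`), so the fix belongs in the upgrade notes rather than in the YAML: run `kubectl delete clusterrolebinding eraser-manager-rolebinding` and `kubectl delete clusterrole eraser-manager-role` before applying the new manifest.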