diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 1ef3cdf..d0c97ca 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,7 +1,4 @@
-# Adds namespace to all resources. -namespace: memgraph-operator-system - -namePrefix: memgraph-k8- +namePrefix: "" resources: - ../crd
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index a21c3a5..780d11a 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -1,23 +1,15 @@
apiVersion: apps/v1 kind: Deployment metadata: - name: controller-manager - namespace: system + name: memgraph-kubernetes-operator annotations: email: engineering@memgraph.io labels: - control-plane: controller-manager - app.kubernetes.io/name: deployment - app.kubernetes.io/instance: controller-manager - app.kubernetes.io/component: manager - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize owner: Memgraph spec: selector: matchLabels: - control-plane: controller-manager + name: memgraph-kubernetes-operator replicas: 1 strategy: rollingUpdate: 
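Review bot: Dropping `namespace: memgraph-operator-system` means `kustomize build config/default` no longer sets a namespace on anything, so the Deployment, ServiceAccount, Role and RoleBinding land in whatever namespace the applying kubectl context points at (typically `default`), and as far as I can tell kustomize also stops rewriting the ServiceAccount subject namespace in the bindings. If the caller is meant to choose the namespace, record that next to the new line, e.g. `namePrefix: ""` followed by `# namespace intentionally unset: apply with kubectl -n <namespace>`; otherwise keep an explicit `namespace:`. The `@@ -1,7 +1,4 @@` header counts three context lines but only `resources:` and `- ../crd` are visible here, so the hunk tail may have been cut in rendering.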
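Review bot: The Deployment selector moves from `control-plane: controller-manager` to `name: memgraph-kubernetes-operator`; `spec.selector` is immutable on an apps/v1 Deployment, so an existing install cannot be upgraded in place and the old Deployment must be deleted first — a comment above `selector:` such as `# selector changed: delete the previously installed Deployment before applying` would save operators a failed apply. A bare `name` label is also a weak selector key; with `namePrefix: ""` nothing distinguishes it from any other workload in the same namespace that labels itself `name: memgraph-kubernetes-operator`, so `app.kubernetes.io/name` (one of the labels this hunk removes) is the safer choice. The `metadata.namespace: system` removal has the same effect as the kustomization change in the hunk above and should be documented with it.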
@@ -25,52 +17,17 @@ spec: type: RollingUpdate template: metadata: - annotations: - kubectl.kubernetes.io/default-container: manager labels: - control-plane: controller-manager + name: memgraph-kubernetes-operator spec: - # TODO(user): Uncomment the following code to configure the nodeAffinity expression - # according to the platforms which are supported by your solution. - # It is considered best practice to support multiple architectures. You can - # build your manager image using the makefile target docker-buildx. - # affinity: - # nodeAffinity: - # requiredDuringSchedulingIgnoredDuringExecution: - # nodeSelectorTerms: - # - matchExpressions: - # - key: kubernetes.io/arch - # operator: In - # values: - # - amd64 - # - arm64 - # - ppc64le - # - s390x - # - key: kubernetes.io/os - # operator: In - # values: - # - linux - securityContext: - runAsNonRoot: true - # TODO(user): For common cases that do not require escalating privileges - # it is recommended to ensure that all your Pods/Containers are restrictive. - # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted - # Please uncomment the following code if your project does NOT have to work on old Kubernetes - # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ). - # seccompProfile: - # type: RuntimeDefault containers: + # TODO(andi) figure these args out - args: - --leader-elect - --leader-election-id=kubernetes-operator image: memgraph/kubernetes-operator:0.0.2 - name: manager - securityContext: - readOnlyRootFilesystem: true - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" + imagePullPolicy: Always + name: memgraph-kubernetes-operator resources: limits: cpu: 500m 
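Review bot: `imagePullPolicy: Always` combined with the mutable tag on the context line `image: memgraph/kubernetes-operator:0.0.2` means every pod start re-resolves the tag, so a re-pushed `0.0.2` changes what runs with no manifest change; either pin by digest (`image: memgraph/kubernetes-operator@sha256:<digest>`, placeholder) or drop `Always` and rely on the tag. The args block keeps only the leader-election flags under `# TODO(andi) figure these args out`; since this commit also deletes the kube-rbac-proxy Service, ClusterRole and bindings, whatever address the manager still serves `/metrics` on is no longer behind the TokenReview/SubjectAccessReview gate — if metrics stay enabled, bind them to localhost via the manager's metrics bind flag (`--metrics-bind-address` in kubebuilder scaffolds) and resolve the TODO before tagging a release. The pod-level `runAsNonRoot: true` and the commented `seccompProfile` guidance are removed here; the next hunk re-adds `runAsNonRoot` but not a seccomp profile. The pod template's `spec:` mapping continues into the next hunk.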
@@ -78,5 +35,12 @@ spec: requests: cpu: 10m memory: 64Mi - serviceAccountName: controller-manager - terminationGracePeriodSeconds: 10 + securityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - "ALL" + securityContext: + runAsNonRoot: true + serviceAccountName: memgraph-kubernetes-operator
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
deleted file mode 100644
index 6bfe0a9..0000000
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: metrics-reader - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: metrics-reader -rules: -- nonResourceURLs: - - "/metrics" - verbs: - - get
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 2ff84ee..0000000
--- a/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: proxy-role - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-role -rules: -- apiGroups: - - authentication.k8s.io - resources: - - tokenreviews - verbs: - - create -- apiGroups: - - authorization.k8s.io - resources: - - subjectaccessreviews - verbs: - - create
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index b7f3ab0..0000000
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
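Review bot: Two `securityContext:` keys are added after `resources:` in this hunk and the collapsed rendering hides their indentation, so confirm that the first one (`readOnlyRootFilesystem`, `allowPrivilegeEscalation`, `capabilities.drop: ALL`) sits at container level and the second (`runAsNonRoot: true`) at pod level — if both end up at the same level, YAML keeps only the last mapping and the container hardening is silently dropped (yamllint `key-duplicates` would catch it). The `seccompProfile` guidance removed in the previous hunk is not restored; for the restricted Pod Security Standard add `seccompProfile:` / `  type: RuntimeDefault` under the pod-level `securityContext`. `terminationGracePeriodSeconds: 10` is removed without replacement, so the Kubernetes default of 30 seconds now applies — state that in a comment if it is intended. The pod template's `spec:` mapping starts in the previous hunk.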
@@ -1,19 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: proxy-rolebinding - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: proxy-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: proxy-role -subjects: -- kind: ServiceAccount - name: controller-manager - namespace: system
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index cdd7723..0000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1 -kind: Service -metadata: - labels: - control-plane: controller-manager - app.kubernetes.io/name: service - app.kubernetes.io/instance: controller-manager-metrics-service - app.kubernetes.io/component: kube-rbac-proxy - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: controller-manager-metrics-service - namespace: system -spec: - ports: - - name: https - port: 8443 - protocol: TCP - targetPort: https - selector: - control-plane: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 731832a..9221586 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -1,18 +1,6 @@
resources: -# All RBAC will be applied under this service account in -# the deployment namespace. You may comment out this resource -# if your manager will use a service account that exists at -# runtime. Be sure to update RoleBinding and ClusterRoleBinding -# subjects if changing service account names. - service_account.yaml - role.yaml - role_binding.yaml - leader_election_role.yaml - leader_election_role_binding.yaml -# Comment the following 4 lines if you want to disable -# the auth proxy (https://github.com/brancz/kube-rbac-proxy) -# which protects your /metrics endpoint. -- auth_proxy_service.yaml -- auth_proxy_role.yaml -- auth_proxy_role_binding.yaml -- auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
index ddf76ba..8b7a3b8 100644
--- a/config/rbac/leader_election_role.yaml
+++ b/config/rbac/leader_election_role.yaml
@@ -2,14 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - labels: - app.kubernetes.io/name: role - app.kubernetes.io/instance: leader-election-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: leader-election-role + name: memgraph-leader-election-role rules: - apiGroups: - ""
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index 55647f2..60e186e 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -2,18 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: - app.kubernetes.io/name: rolebinding - app.kubernetes.io/instance: leader-election-rolebinding - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: leader-election-rolebinding + name: memgraph-leader-election-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: leader-election-role + name: memgraph-leader-election-role subjects: - kind: ServiceAccount - name: controller-manager - namespace: system + name: memgraph-kubernetes-operator
diff --git a/config/rbac/memgraphha_editor_role.yaml b/config/rbac/memgraphha_editor_role.yaml
index e54bf20..569d528 100644
--- a/config/rbac/memgraphha_editor_role.yaml
+++ b/config/rbac/memgraphha_editor_role.yaml
@@ -2,13 +2,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: memgraphha-editor-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize name: memgraphha-editor-role rules: - apiGroups:
diff --git a/config/rbac/memgraphha_viewer_role.yaml b/config/rbac/memgraphha_viewer_role.yaml
index 769adfd..e08c8bb 100644
--- a/config/rbac/memgraphha_viewer_role.yaml
+++ b/config/rbac/memgraphha_viewer_role.yaml
@@ -3,12 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: - app.kubernetes.io/name: clusterrole - app.kubernetes.io/instance: memgraphha-viewer-role - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize name: memgraphha-viewer-role rules: - apiGroups: 
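Review bot: In leader_election_role_binding.yaml the `labels:` line survives as context while all six child labels are removed (the header counts confirm it: 10 removals, 3 additions, 8 context lines), so `metadata.labels` now parses as null and yamllint `empty-values` will flag it; either delete the `labels:` line or give it content such as `labels:` / `  app.kubernetes.io/name: memgraph-kubernetes-operator` (constructed example). The same dangling `labels:` appears in the memgraphha_viewer_role.yaml hunk on this line, whereas memgraphha_editor_role.yaml removes the key outright — make the three files consistent. The ServiceAccount subject `name: memgraph-kubernetes-operator` now carries no namespace; to my knowledge the API server defaults a RoleBinding's ServiceAccount subject to the binding's own namespace, so this only works while the ServiceAccount is applied to the same namespace, which the removal of `namespace:` from config/default/kustomization.yaml in this commit no longer guarantees.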
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 94d9bfa..d9d364e 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -1,7 +1,7 @@
apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole +kind: Role metadata: - name: manager-role + name: memgraph-kubernetes-operator rules: ## ## Base operator rules
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 9eecc5e..de8740f 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -1,19 +1,11 @@
+kind: RoleBinding apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding metadata: - labels: - app.kubernetes.io/name: clusterrolebinding - app.kubernetes.io/instance: manager-rolebinding - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: manager-rolebinding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: manager-role + name: memgraph-kubernetes-operator subjects: - kind: ServiceAccount - name: controller-manager - namespace: system + name: memgraph-kubernetes-operator +roleRef: + kind: ClusterRole + name: memgraph-kubernetes-operator + apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 06eefef..ed59ce3 100644
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -1,12 +1,4 @@
apiVersion: v1 kind: ServiceAccount metadata: - labels: - app.kubernetes.io/name: serviceaccount - app.kubernetes.io/instance: controller-manager-sa - app.kubernetes.io/component: rbac - app.kubernetes.io/created-by: kubernetes-operator - app.kubernetes.io/part-of: kubernetes-operator - app.kubernetes.io/managed-by: kustomize - name: controller-manager - namespace: system + name: memgraph-kubernetes-operator
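Review bot: role.yaml changes `kind: ClusterRole` to `kind: Role`, but the new `roleRef` in role_binding.yaml on this same line still says `kind: ClusterRole` with `name: memgraph-kubernetes-operator`; a RoleBinding may reference a ClusterRole, yet no ClusterRole of that name exists after this commit, so the binding dangles and the operator's ServiceAccount gets none of the rules in role.yaml — the API server accepts the object and the failure only surfaces as Forbidden errors at runtime. Change the roleRef to `kind: Role` with `name: memgraph-kubernetes-operator`, and note that `roleRef` is immutable, so an already-installed binding has to be recreated. A namespaced Role also only grants access inside the namespace it is applied to; if the manager's cache still watches memgraphha resources cluster-wide, list/watch in other namespaces will now be denied, so confirm the manager is configured for a single namespace and state that intent in a comment above `kind: Role`. The `rules:` list of role.yaml continues outside the hunk.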
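Review bot: In role_binding.yaml the added `kind: RoleBinding` is placed above `apiVersion`, and `roleRef` is moved below `subjects` with `apiGroup` last; every other manifest in this commit keeps the `apiVersion`, `kind`, `metadata` order and the kubebuilder layout `roleRef` before `subjects`, so keep that order here for diffability. The ServiceAccount subject loses its `namespace: system` line; with the namespace defaulting to the binding's own namespace this is fine only if service_account.yaml is applied alongside it to the same namespace, which is worth a one-line comment above `subjects:` such as `# ServiceAccount must live in the same namespace as this binding`.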