From 633c1dfc85b6827bbbc9bb1a2efb82d7cead9a1d Mon Sep 17 00:00:00 2001
From: Andi Skrgat <andi8647@gmail.com>
Date: Thu, 11 Jul 2024 09:35:41 +0200
Subject: [PATCH] Clean namespaces, roles and manager

---
 config/default/kustomization.yaml             |  5 +-
 config/manager/manager.yaml                   | 66 +++++--------------
 .../rbac/auth_proxy_client_clusterrole.yaml   | 16 -----
 config/rbac/auth_proxy_role.yaml              | 24 -------
 config/rbac/auth_proxy_role_binding.yaml      | 19 ------
 config/rbac/auth_proxy_service.yaml           | 21 ------
 config/rbac/kustomization.yaml                | 12 ----
 config/rbac/leader_election_role.yaml         |  9 +--
 config/rbac/leader_election_role_binding.yaml | 13 +---
 config/rbac/memgraphha_editor_role.yaml       |  7 --
 config/rbac/memgraphha_viewer_role.yaml       |  6 --
 config/rbac/role.yaml                         |  4 +-
 config/rbac/role_binding.yaml                 | 22 ++-----
 config/rbac/service_account.yaml              | 10 +--
 14 files changed, 30 insertions(+), 204 deletions(-)
 delete mode 100644 config/rbac/auth_proxy_client_clusterrole.yaml
 delete mode 100644 config/rbac/auth_proxy_role.yaml
 delete mode 100644 config/rbac/auth_proxy_role_binding.yaml
 delete mode 100644 config/rbac/auth_proxy_service.yaml

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 1ef3cdf..d0c97ca 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -1,7 +1,4 @@
-# Adds namespace to all resources.
-namespace: memgraph-operator-system
-
-namePrefix: memgraph-k8-
+namePrefix: ""
 
 resources:
 - ../crd
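Review bot: Dropping `namespace: memgraph-operator-system` (together with `namePrefix: ""`) means nothing in this kustomization assigns a namespace any more, and the ServiceAccount, Role, RoleBinding and Deployment edited elsewhere in this patch also lose their `namespace:` fields, so `kustomize build | kubectl apply` now lands all of them in whatever namespace the caller's kubeconfig context happens to select. If that is intentional (for example because a chart or `kubectl -n` supplies it), a one-line comment such as `# namespace is supplied by the caller; no resource here sets one` would stop the next reader from re-adding it; if not, the previous dedicated namespace was the safer default because it kept the operator's RBAC objects away from workload namespaces.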
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index a21c3a5..780d11a 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -1,23 +1,15 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator
   annotations:
     email: engineering@memgraph.io
   labels:
-    control-plane: controller-manager
-    app.kubernetes.io/name: deployment
-    app.kubernetes.io/instance: controller-manager
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
     owner: Memgraph
 spec:
   selector:
     matchLabels:
-      control-plane: controller-manager
+      name: memgraph-kubernetes-operator
   replicas: 1
   strategy:
     rollingUpdate:
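Review bot: The selector and template labels now use a bare `name:` key in place of the `app.kubernetes.io/name` / `app.kubernetes.io/instance` pair the removed lines carried, which is the label set dashboards and `kubectl get -l` conventions key on; keeping `app.kubernetes.io/name: memgraph-kubernetes-operator` in both the selector and the pod template would cost one line each. Because `spec.selector` is immutable, the rename of the Deployment (plus the namePrefix change in config/default/kustomization.yaml) means `kubectl apply` creates a fresh Deployment rather than updating the old one, so a previously deployed `controller-manager` left under the old name and namespace would presumably keep running next to the new one; that is worth a sentence in the rollout notes.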
@@ -25,52 +17,17 @@ spec:
     type: RollingUpdate
   template:
     metadata:
-      annotations:
-        kubectl.kubernetes.io/default-container: manager
       labels:
-        control-plane: controller-manager
+        name: memgraph-kubernetes-operator
     spec:
-      # TODO(user): Uncomment the following code to configure the nodeAffinity expression
-      # according to the platforms which are supported by your solution.
-      # It is considered best practice to support multiple architectures. You can
-      # build your manager image using the makefile target docker-buildx.
-      # affinity:
-      #   nodeAffinity:
-      #     requiredDuringSchedulingIgnoredDuringExecution:
-      #       nodeSelectorTerms:
-      #         - matchExpressions:
-      #           - key: kubernetes.io/arch
-      #             operator: In
-      #             values:
-      #               - amd64
-      #               - arm64
-      #               - ppc64le
-      #               - s390x
-      #           - key: kubernetes.io/os
-      #             operator: In
-      #             values:
-      #               - linux
-      securityContext:
-        runAsNonRoot: true
-        # TODO(user): For common cases that do not require escalating privileges
-        # it is recommended to ensure that all your Pods/Containers are restrictive.
-        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
-        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
-        # seccompProfile:
-        #   type: RuntimeDefault
       containers:
+        # TODO(andi) figure these args out
       - args:
         - --leader-elect
         - --leader-election-id=kubernetes-operator
         image: memgraph/kubernetes-operator:0.0.2
-        name: manager
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - "ALL"
+        imagePullPolicy: Always
+        name: memgraph-kubernetes-operator
         resources:
           limits:
             cpu: 500m
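Review bot: `imagePullPolicy: Always` is added against a mutable tag (`image: memgraph/kubernetes-operator:0.0.2`), so every pod restart re-resolves the tag and may pull different bytes from what was reviewed; pinning the reference by digest (`image: memgraph/kubernetes-operator@sha256:<digest-placeholder>`) makes the deployed artifact reproducible and checkable against a signature. The `# TODO(andi) figure these args out` comment sits between `containers:` and the first list item; it would read better directly above `args:` and should name what is unclear (for instance whether `--leader-election-id` has to match the operator name) so it does not linger. The container securityContext deleted in this hunk is re-added at the end of the same file, so this hunk on its own loses no hardening.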
@@ -78,5 +35,12 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
-      serviceAccountName: controller-manager
-      terminationGracePeriodSeconds: 10
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: memgraph-kubernetes-operator
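Review bot: The pod-level securityContext added here carries only `runAsNonRoot: true`; the previous hunk deleted the commented-out `seccompProfile` guidance instead of enabling it, so the pod runs under the node's default seccomp setting (historically unconfined) unless the cluster enforces one. Adding `seccompProfile:` / `  type: RuntimeDefault` under this pod securityContext completes the restricted Pod Security Standard alongside the `drop: ["ALL"]` and `allowPrivilegeEscalation: false` kept at the container level. `terminationGracePeriodSeconds: 10` is also removed, so shutdown falls back to the 30 s default; fine if intended, but it lengthens the worst-case leader-election handoff.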
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
deleted file mode 100644
index 6bfe0a9..0000000
--- a/config/rbac/auth_proxy_client_clusterrole.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: metrics-reader
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: metrics-reader
-rules:
-- nonResourceURLs:
-  - "/metrics"
-  verbs:
-  - get
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
deleted file mode 100644
index 2ff84ee..0000000
--- a/config/rbac/auth_proxy_role.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: proxy-role
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: proxy-role
-rules:
-- apiGroups:
-  - authentication.k8s.io
-  resources:
-  - tokenreviews
-  verbs:
-  - create
-- apiGroups:
-  - authorization.k8s.io
-  resources:
-  - subjectaccessreviews
-  verbs:
-  - create
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
deleted file mode 100644
index b7f3ab0..0000000
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: proxy-rolebinding
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: proxy-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: proxy-role
-subjects:
-- kind: ServiceAccount
-  name: controller-manager
-  namespace: system
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
deleted file mode 100644
index cdd7723..0000000
--- a/config/rbac/auth_proxy_service.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    control-plane: controller-manager
-    app.kubernetes.io/name: service
-    app.kubernetes.io/instance: controller-manager-metrics-service
-    app.kubernetes.io/component: kube-rbac-proxy
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: controller-manager-metrics-service
-  namespace: system
-spec:
-  ports:
-  - name: https
-    port: 8443
-    protocol: TCP
-    targetPort: https
-  selector:
-    control-plane: controller-manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 731832a..9221586 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -1,18 +1,6 @@
 resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
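Review bot: Removing the four auth_proxy resources drops the kube-rbac-proxy that authenticated and authorized access to the manager's /metrics endpoint, yet nothing in this patch adjusts the manager's metrics configuration (the container args in manager.yaml show only `--leader-elect` and `--leader-election-id`). If the manager still binds its metrics server on its default address, those metrics are now served without authentication to anything that can reach the pod; either disable them (the kubebuilder-scaffolded `--metrics-bind-address=0`, if this manager exposes that flag) or document that metrics are intentionally unauthenticated and rely on a NetworkPolicy. A comment on this resources list, e.g. `# metrics auth proxy removed; /metrics is unauthenticated`, would record the decision.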
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
index ddf76ba..8b7a3b8 100644
--- a/config/rbac/leader_election_role.yaml
+++ b/config/rbac/leader_election_role.yaml
@@ -2,14 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  labels:
-    app.kubernetes.io/name: role
-    app.kubernetes.io/instance: leader-election-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: leader-election-role
+  name: memgraph-leader-election-role
 rules:
 - apiGroups:
   - ""
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index 55647f2..60e186e 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -2,18 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: rolebinding
-    app.kubernetes.io/instance: leader-election-rolebinding
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: leader-election-rolebinding
+  name: memgraph-leader-election-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: leader-election-role
+  name: memgraph-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator
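Review bot: `labels:` at the top of this hunk is kept while every child under it is removed, so the new file has `labels:` with no value, which parses as null rather than an empty mapping; yamllint flags it and it is pure noise. Drop the `labels:` line, as the leader_election_role.yaml and service_account.yaml hunks do; the same leftover appears in the memgraphha_viewer_role.yaml hunk. The subject's `namespace: system` is removed; for a RoleBinding an empty ServiceAccount subject namespace is resolved as the binding's own namespace, so this works provided the ServiceAccount is created in that same namespace.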
diff --git a/config/rbac/memgraphha_editor_role.yaml b/config/rbac/memgraphha_editor_role.yaml
index e54bf20..569d528 100644
--- a/config/rbac/memgraphha_editor_role.yaml
+++ b/config/rbac/memgraphha_editor_role.yaml
@@ -2,13 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: memgraphha-editor-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
   name: memgraphha-editor-role
 rules:
 - apiGroups:
diff --git a/config/rbac/memgraphha_viewer_role.yaml b/config/rbac/memgraphha_viewer_role.yaml
index 769adfd..e08c8bb 100644
--- a/config/rbac/memgraphha_viewer_role.yaml
+++ b/config/rbac/memgraphha_viewer_role.yaml
@@ -3,12 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: memgraphha-viewer-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
   name: memgraphha-viewer-role
 rules:
 - apiGroups:
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
index 94d9bfa..d9d364e 100644
--- a/config/rbac/role.yaml
+++ b/config/rbac/role.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: manager-role
+  name: memgraph-kubernetes-operator
 rules:
 ##
 ## Base operator rules
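Review bot: `kind: Role` here is not matched by role_binding.yaml in the same patch, whose new `roleRef` still says `kind: ClusterRole` with the same name `memgraph-kubernetes-operator`; the binding will be accepted but points at a ClusterRole this change no longer creates, so the operator's service account ends up with none of the permissions in this file. Change that line to `kind: Role` (roleRef is immutable, so an already-applied binding has to be deleted and recreated). A Role also only grants access inside its own namespace: if the rules that follow (the base operator rules continue outside this hunk) are meant to let the manager watch memgraphha resources cluster-wide, a controller-runtime cache watching all namespaces will hit forbidden errors; confirm the manager's cache is scoped to a single namespace.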
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 9eecc5e..de8740f 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -1,19 +1,11 @@
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: manager-rolebinding
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: manager-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: manager-role
+  name: memgraph-kubernetes-operator
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator
+roleRef:
+  kind: ClusterRole
+  name: memgraph-kubernetes-operator
+  apiGroup: rbac.authorization.k8s.io
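Review bot: Key order in this file now differs from every other manifest in the change: `kind` is written before `apiVersion` and `roleRef` after `subjects`, whereas leader_election_role_binding.yaml keeps `apiVersion`, `kind`, `metadata`, `roleRef`, `subjects`. It is semantically harmless, but it makes the two bindings needlessly different to diff and review; restoring the conventional order is a matter of moving two stanzas.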
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
index 06eefef..ed59ce3 100644
--- a/config/rbac/service_account.yaml
+++ b/config/rbac/service_account.yaml
@@ -1,12 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  labels:
-    app.kubernetes.io/name: serviceaccount
-    app.kubernetes.io/instance: controller-manager-sa
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator