SKS-3173: Use cape-controller-manager ServiceAccount & fix elfMachine…

…Template permissions (#186)
smartxworks · Nov 13, 2024 · 95280ce · 95280ce
1 parent 831b562
commit 95280ce
Show file tree

Hide file tree

Showing 7 changed files with 20 additions and 2 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -62,6 +62,7 @@ spec:
           httpGet:
             path: /healthz
             port: healthz
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
       tolerations:
         - effect: NoSchedule

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -8,5 +8,6 @@ resources:
 # subjects if changing service account names.
 - role.yaml
 - role_binding.yaml
+- service_account.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -129,3 +129,13 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - infrastructure.cluster.x-k8s.io
+  resources:
+  - elfmachinetemplates
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
diff --git a/controllers/elfmachine_controller.go b/controllers/elfmachine_controller.go
@@ -64,6 +64,7 @@ const failedToUpsertLabelMsg = "failed to upsert label"
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=elfmachines,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=elfmachines/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=elfmachines/finalizers,verbs=update
+//+kubebuilder:rbac:groups=infrastructure.cluster.x-k8s.io,resources=elfmachinetemplates,verbs=get;list;watch;update;patch
 //+kubebuilder:rbac:groups=controlplane.cluster.x-k8s.io,resources=*,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=cluster.x-k8s.io,resources=machinedeployments;machinedeployments/status,verbs=get;list;watch