update service role binding to support multi namespace

wxpjimmy · Apr 24, 2020 · 8783da3 · 8783da3
1 parent 5d1acab
commit 8783da3
Show file tree

Hide file tree

Showing 47 changed files with 160 additions and 27 deletions.
diff --git a/admission-webhook/webhook/base/cluster-role-binding.yaml b/admission-webhook/webhook/base/cluster-role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cluster-role-binding
+  name: cluster-role-binding-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/admission-webhook/webhook/base/params.yaml b/admission-webhook/webhook/base/params.yaml
@@ -5,3 +5,5 @@ varReference:
   kind: MutatingWebhookConfiguration
 - path: webhooks/name
   kind: MutatingWebhookConfiguration
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/application/application/base/cluster-role-binding.yaml b/application/application/base/cluster-role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cluster-role-binding
+  name: cluster-role-binding-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/application/application/base/kustomization.yaml b/application/application/base/kustomization.yaml
@@ -25,5 +25,12 @@ vars:
     apiVersion: v1
   fieldref:
     fieldpath: data.project
+- name: namespace
+  objref:
+    kind: ConfigMap
+    name: parameters
+    apiVersion: v1
+  fieldref:
+    fieldpath: data.namespace
 configurations:
 - params.yaml
diff --git a/application/application/base/params.env b/application/application/base/params.env
@@ -1 +1,2 @@
 project=
+namespace=kubeflow
diff --git a/application/application/base/params.yaml b/application/application/base/params.yaml
@@ -1,3 +1,5 @@
 varReference:
 - path: spec/template/spec/containers/image
   kind: StatefulSet
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/argo/base/cluster-role-binding.yaml b/argo/base/cluster-role-binding.yaml
@@ -4,7 +4,7 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app: argo
-  name: argo
+  name: argo-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
@@ -18,7 +18,7 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app: argo-ui
-  name: argo-ui
+  name: argo-ui-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/argo/base/params.yaml b/argo/base/params.yaml
@@ -5,3 +5,5 @@ varReference:
   kind: Deployment
 - path: metadata/annotations/getambassador.io\/config
   kind: Service
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/common/centraldashboard/base/clusterrole-binding.yaml b/common/centraldashboard/base/clusterrole-binding.yaml
@@ -3,7 +3,7 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app: centraldashboard
-  name: centraldashboard
+  name: centraldashboard-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/common/centraldashboard/base/params.yaml b/common/centraldashboard/base/params.yaml
@@ -9,7 +9,5 @@ varReference:
   kind: Deployment
 - path: spec/template/spec/containers/0/env/2/value
   kind: Deployment
-- path: subjects/namespace
-  kind: RoleBinding
-- path: subjects/namespace
+- path: metadata/name
   kind: ClusterRoleBinding
diff --git a/common/centraldashboard/base/role-binding.yaml b/common/centraldashboard/base/role-binding.yaml
@@ -11,4 +11,3 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: centraldashboard
-  namespace: $(namespace)
diff --git a/common/spartakus/base/cluster-role-binding.yaml b/common/spartakus/base/cluster-role-binding.yaml
@@ -3,7 +3,7 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app: spartakus
-  name: spartakus
+  name: spartakus-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/common/spartakus/base/kustomization.yaml b/common/spartakus/base/kustomization.yaml
@@ -24,5 +24,12 @@ vars:
     apiVersion: v1
   fieldref:
     fieldpath: data.usageId
+- name: namespace
+  objref:
+    apiVersion: v1
+    kind: ServiceAccount
+    name: spartakus
+  fieldref:
+    fieldPath: metadata.namespace
 configurations:
 - params.yaml
diff --git a/common/spartakus/base/params.yaml b/common/spartakus/base/params.yaml
@@ -1,3 +1,5 @@
 varReference:
 - path: spec/template/spec/containers/0/args/1
   kind: Deployment
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/jupyter/jupyter-web-app/base/cluster-role-binding.yaml b/jupyter/jupyter-web-app/base/cluster-role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cluster-role-binding
+  name: cluster-role-binding-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/jupyter/jupyter-web-app/base/params.yaml b/jupyter/jupyter-web-app/base/params.yaml
@@ -6,4 +6,6 @@ varReference:
 - path: spec/template/spec/containers/0/env/2/value
   kind: Deployment
 - path: spec/template/spec/containers/0/env/3/value
-  kind: Deployment
+  kind: Deployment
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/jupyter/notebook-controller/base/cluster-role-binding.yaml b/jupyter/notebook-controller/base/cluster-role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: role-binding
+  name: role-binding-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/jupyter/notebook-controller/base/kustomization.yaml b/jupyter/notebook-controller/base/kustomization.yaml
@@ -17,8 +17,7 @@ images:
   newName: gcr.io/kubeflow-images-public/notebook-controller
   newTag: v1.0.0-gcd65ce25
 configMapGenerator:
-- envs:
-  - params.env
+- env: params.env
   name: parameters
 generatorOptions:
   disableNameSuffixHash: true
@@ -44,3 +43,12 @@ vars:
     apiVersion: v1
     kind: ConfigMap
     name: parameters
+- fieldref:
+    fieldPath: metadata.namespace
+  name: namespace
+  objref:
+    apiVersion: v1
+    kind: Service
+    name: service
+configurations:
+- params.yaml
diff --git a/jupyter/notebook-controller/base/params.env b/jupyter/notebook-controller/base/params.env
@@ -1,3 +1,3 @@
 POD_LABELS=gcp-cred-secret=user-gcp-sa,gcp-cred-secret-filename=user-gcp-sa.json
 USE_ISTIO=false
-ISTIO_GATEWAY=$(namespace)/kubeflow-gateway
+ISTIO_GATEWAY=kubeflow-gateway
diff --git a/jupyter/notebook-controller/base/params.yaml b/jupyter/notebook-controller/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/jupyter/notebook-controller/overlays/istio/params.env b/jupyter/notebook-controller/overlays/istio/params.env
@@ -1,2 +1,2 @@
 USE_ISTIO=true
-ISTIO_GATEWAY=$(namespace)/kubeflow-gateway
+ISTIO_GATEWAY=kubeflow-gateway
diff --git a/katib/katib-controller/base/katib-controller-rbac.yaml b/katib/katib-controller/base/katib-controller-rbac.yaml
@@ -76,7 +76,7 @@ metadata:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: katib-controller
+  name: katib-controller-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/katib/katib-controller/base/katib-ui-rbac.yaml b/katib/katib-controller/base/katib-ui-rbac.yaml
@@ -26,7 +26,7 @@ metadata:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: katib-ui
+  name: katib-ui-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/katib/katib-controller/base/params.yaml b/katib/katib-controller/base/params.yaml
@@ -5,3 +5,5 @@ varReference:
   kind: Deployment
 - path: metadata/annotations/getambassador.io\/config
   kind: Service
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/pipeline/persistent-agent/base/clusterrole-binding.yaml b/pipeline/persistent-agent/base/clusterrole-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: persistenceagent
+  name: persistenceagent-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/pipeline/persistent-agent/base/kustomization.yaml b/pipeline/persistent-agent/base/kustomization.yaml
@@ -12,3 +12,13 @@ images:
 - name: gcr.io/ml-pipeline/persistenceagent
   newTag: 0.2.0
   newName: gcr.io/ml-pipeline/persistenceagent
+vars:
+- name: namespace
+  objref:
+    apiVersion: v1
+    kind: ServiceAccount
+    name: persistenceagent
+  fieldref:
+    fieldPath: metadata.namespace
+configurations:
+- params.yaml
diff --git a/pipeline/persistent-agent/base/params.yaml b/pipeline/persistent-agent/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/pipeline/pipelines-runner/base/cluster-role-binding.yaml b/pipeline/pipelines-runner/base/cluster-role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: pipeline-runner
+  name: pipeline-runner-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/pipeline/pipelines-runner/base/kustomization.yaml b/pipeline/pipelines-runner/base/kustomization.yaml
@@ -7,3 +7,13 @@ resources:
 - cluster-role-binding.yaml
 - cluster-role.yaml
 - service-account.yaml
+vars:
+- name: namespace
+  objref:
+    apiVersion: v1
+    kind: ServiceAccount
+    name: pipeline-runner
+  fieldref:
+    fieldPath: metadata.namespace
+configurations:
+- params.yaml
diff --git a/pipeline/pipelines-runner/base/params.yaml b/pipeline/pipelines-runner/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/pipeline/pipelines-viewer/base/cluster-role-binding.yaml b/pipeline/pipelines-viewer/base/cluster-role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: crd-role-binding
+  name: crd-role-binding-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/pipeline/pipelines-viewer/base/kustomization.yaml b/pipeline/pipelines-viewer/base/kustomization.yaml
@@ -14,3 +14,13 @@ images:
 - name: gcr.io/ml-pipeline/viewer-crd-controller
   newTag: 0.2.0
   newName: gcr.io/ml-pipeline/viewer-crd-controller
+vars:
+- name: namespace
+  objref:
+    apiVersion: v1
+    kind: ServiceAccount
+    name: crd-service-account
+  fieldref:
+    fieldPath: metadata.namespace
+configurations:
+- params.yaml
diff --git a/pipeline/pipelines-viewer/base/params.yaml b/pipeline/pipelines-viewer/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/pipeline/scheduledworkflow/base/kustomization.yaml b/pipeline/scheduledworkflow/base/kustomization.yaml
@@ -14,3 +14,13 @@ images:
 - name: gcr.io/ml-pipeline/scheduledworkflow
   newTag: 0.2.0
   newName: gcr.io/ml-pipeline/scheduledworkflow
+vars:
+- name: namespace
+  objref:
+    apiVersion: v1
+    kind: ServiceAccount
+    name: ml-pipeline-scheduledworkflow
+  fieldref:
+    fieldPath: metadata.namespace
+configurations:
+- params.yaml
diff --git a/pipeline/scheduledworkflow/base/params.yaml b/pipeline/scheduledworkflow/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/pipeline/scheduledworkflow/base/role-binding.yaml b/pipeline/scheduledworkflow/base/role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: ml-pipeline-scheduledworkflow
+  name: ml-pipeline-scheduledworkflow-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/profiles/base/cluster-role-binding.yaml b/profiles/base/cluster-role-binding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: cluster-role-binding
+  name: cluster-role-binding-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/profiles/base/params.yaml b/profiles/base/params.yaml
@@ -11,3 +11,5 @@ varReference:
   kind: Deployment
 - path: spec/template/spec/containers/1/args/5
   kind: Deployment
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/pytorch-job/pytorch-operator/base/cluster-role-binding.yaml b/pytorch-job/pytorch-operator/base/cluster-role-binding.yaml
@@ -3,7 +3,7 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     app: pytorch-operator
-  name: pytorch-operator
+  name: pytorch-operator-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/pytorch-job/pytorch-operator/base/kustomization.yaml b/pytorch-job/pytorch-operator/base/kustomization.yaml
@@ -7,9 +7,20 @@ resources:
 - deployment.yaml
 - service-account.yaml
 - service.yaml
+vars:
+- fieldref:
+    fieldPath: metadata.namespace
+  name: namespace
+  objref:
+    apiVersion: v1
+    kind: Service
+    name: pytorch-operator
 commonLabels:
   kustomize.component: pytorch-operator
 images:
 - name: gcr.io/kubeflow-images-public/pytorch-operator
   newName: gcr.io/kubeflow-images-public/pytorch-operator
   newTag: v1.0.0-g047cf0f
+
+configurations:
+- params.yaml
diff --git a/pytorch-job/pytorch-operator/base/params.yaml b/pytorch-job/pytorch-operator/base/params.yaml
@@ -0,0 +1,3 @@
+varReference:
+- path: metadata/name
+  kind: ClusterRoleBinding
diff --git a/spark/spark-operator/base/crb.yaml b/spark/spark-operator/base/crb.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: sparkoperator-crb
+  name: sparkoperator-crb-$(namespace)
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/spark/spark-operator/base/kustomization.yaml b/spark/spark-operator/base/kustomization.yaml
@@ -29,3 +29,15 @@ resources:
 - operator-sa.yaml
 - sparkapplications.sparkoperator.k8s.io-crd.yaml
 - scheduledsparkapplications.sparkoperator.k8s.io-crd.yaml
+
+vars:
+- fieldref:
+    fieldPath: metadata.namespace
+  name: namespace
+  objref:
+    apiVersion: v1
+    kind: ServiceAccount
+    name: operator-sa
+
+configurations:
+- params.yaml