RBAC for console backend to request openshift-config-managed configmaps

openshift · Jan 8, 2020 · 40ffc70 · 40ffc70
1 parent 9ff5192
commit 40ffc70
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 1 deletion.
diff --git a/manifests/03-rbac-role-ns-openshift-config-managed.yaml b/manifests/03-rbac-role-ns-openshift-config-managed.yaml
@@ -35,3 +35,16 @@ rules:
   - console-public
   verbs:
   - get
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: console-configmap-reader
+  namespace: openshift-config-managed
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
diff --git a/manifests/04-rbac-rolebinding.yaml b/manifests/04-rbac-rolebinding.yaml
@@ -80,4 +80,17 @@ subjects:
   - kind: ServiceAccount
     name: console-operator
     namespace: openshift-console-operator
-
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: console-configmap-reader
+  namespace: openshift-config-managed
+roleRef:
+  kind: Role
+  name: console-configmap-reader
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: console
+    namespace: openshift-console
diff --git a/manifests/06-sa.yaml b/manifests/06-sa.yaml
@@ -3,3 +3,9 @@ kind: ServiceAccount
 metadata:
   name: console-operator
   namespace: openshift-console-operator
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: console
+  namespace: openshift-console
diff --git a/pkg/console/subresource/deployment/deployment.go b/pkg/console/subresource/deployment/deployment.go
@@ -106,6 +106,7 @@ func DefaultDeployment(operatorConfig *operatorv1.Console, cm *corev1.ConfigMap,
 					Annotations: annotations,
 				},
 				Spec: corev1.PodSpec{
+					ServiceAccountName: "console",
 					// we want to deploy on master nodes
 					NodeSelector: map[string]string{
 						// empty string is correct