From 9a8923105b853897af5b95c46f22729ef7f51cf3 Mon Sep 17 00:00:00 2001
From: gabemontero
Date: Fri, 30 Oct 2020 16:34:27 -0400
Subject: [PATCH] separate SAs for controller/webhook deployment to allow for different permission sets

---
 config/200-role.yaml | 16 ++++++++++++++++
 config/200-serviceaccount.yaml | 11 +++++++++++
 config/201-clusterrolebinding.yaml | 18 ++++++++++++++++++
 config/201-rolebinding.yaml | 19 +++++++++++++++++++
 config/webhook.yaml | 2 +-
 5 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/config/200-role.yaml b/config/200-role.yaml
index 5a7051a07..cf16b85f5 100644
--- a/config/200-role.yaml
+++ b/config/200-role.yaml
@@ -26,6 +26,22 @@ metadata:
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-triggers"]
+    verbs: ["use"]
+
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-triggers-admin-webhook
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
 rules:
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml
index c8a01c2c2..dc742103a 100644
--- a/config/200-serviceaccount.yaml
+++ b/config/200-serviceaccount.yaml
@@ -20,3 +20,14 @@ metadata:
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tekton-triggers-webhook
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
index ad3049ea8..94c5c320e 100644
--- a/config/201-clusterrolebinding.yaml
+++ b/config/201-clusterrolebinding.yaml
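Review bot: The new `tekton-triggers-admin-webhook` Role appears to carry the same `podsecuritypolicies` / `use` rule as the existing controller Role it is split from (the existing Role's remaining rule lines and its header are outside the hunk), so this hunk creates a second namespaced identity without narrowing either permission set yet. Since the commit's stated purpose is to let the two sets diverge, a comment above the new document would record that intent for the next maintainer, e.g. `# Namespaced permissions for the webhook ServiceAccount; intentionally identical to the controller Role for now so the two can be narrowed independently.`. The new document also lists `kind:` before `apiVersion:`, whereas the ServiceAccount and the two bindings added in this commit list `apiVersion:` first; key order is not significant to the API server, but the inconsistency hurts skimmability across the config directory.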
@@ -27,3 +27,21 @@ roleRef:
   kind: ClusterRole
   name: tekton-triggers-admin
   apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: tekton-triggers-webhook-admin
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-webhook
+    namespace: tekton-pipelines
+roleRef:
+  kind: ClusterRole
+  name: tekton-triggers-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
index 00d3faebb..350fb4fff 100644
--- a/config/201-rolebinding.yaml
+++ b/config/201-rolebinding.yaml
@@ -28,3 +28,22 @@ roleRef:
   kind: Role
   name: tekton-triggers-admin
   apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-triggers-webhook-admin
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-webhook
+    namespace: tekton-pipelines
+roleRef:
+  kind: Role
+  name: tekton-triggers-admin-webhook
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/webhook.yaml b/config/webhook.yaml
index a76d457a1..a5b5c7893 100644
--- a/config/webhook.yaml
+++ b/config/webhook.yaml
@@ -48,7 +48,7 @@ spec:
         # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
         version: "devel"
     spec:
-      serviceAccountName: tekton-triggers-controller
+      serviceAccountName: tekton-triggers-webhook
       containers:
       - name: webhook
         # This is the Go import path for the binary that is containerized
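Review bot: The new ClusterRoleBinding is declared as `apiVersion: rbac.authorization.k8s.io/v1beta1` while the RoleBinding added in config/201-rolebinding.yaml by this same commit uses `rbac.authorization.k8s.io/v1`; the v1beta1 RBAC API has been deprecated since Kubernetes 1.17 and is slated for removal, so the added document should read `apiVersion: rbac.authorization.k8s.io/v1` (if the existing binding above the hunk is still v1beta1, it is worth migrating in the same change rather than adding a second one). Separately, the `roleRef` binds the new `tekton-triggers-webhook` ServiceAccount to the very same `tekton-triggers-admin` ClusterRole the controller uses, so at cluster scope the webhook keeps the full controller permission set and the separation the commit title describes is only nominal at this level. A comment on the `roleRef` such as `# Interim: shares the controller ClusterRole; replace with a webhook-specific ClusterRole once its cluster-scoped needs are enumerated` would keep that follow-up visible.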
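Review bot: The naming in the new RoleBinding is inverted relative to the Role it references: the binding is `tekton-triggers-webhook-admin` but its `roleRef.name` is `tekton-triggers-admin-webhook`, and the ClusterRoleBinding in config/201-clusterrolebinding.yaml reuses `tekton-triggers-webhook-admin` as well. The duplicate name across RoleBinding and ClusterRoleBinding is legal (one is namespaced, one cluster-scoped) but makes `kubectl get ... tekton-triggers-webhook-admin` output and grep results ambiguous, and the flipped suffix order on the Role makes it easy to misread which object is which. Aligning on a single pattern, for example naming the Role `tekton-triggers-webhook-admin` to match its binding, would make the controller/webhook pairing obvious at a glance.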