separate SAs for controller/webhook deployment to allow for different…

… permission sets
tektoncd · Nov 2, 2020 · e3df317 · e3df317
1 parent 8d12cd6
commit e3df317
Show file tree

Hide file tree

Showing 5 changed files with 66 additions and 2 deletions.
diff --git a/config/200-role.yaml b/config/200-role.yaml
@@ -26,11 +26,27 @@ metadata:
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
+rules:
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    resourceNames: ["tekton-triggers"]
+    verbs: ["use"]
+
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: tekton-triggers-admin-webhook
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
 rules:
   - apiGroups: ["policy"]
     resources: ["podsecuritypolicies"]
     resourceNames: ["tekton-triggers"]
     verbs: ["use"]
   - apiGroups: [""]
-    resources: ["secrets"]
+    resources: ["configmaps", "services", "events"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
diff --git a/config/200-serviceaccount.yaml b/config/200-serviceaccount.yaml
@@ -20,3 +20,14 @@ metadata:
   labels:
     app.kubernetes.io/instance: default
     app.kubernetes.io/part-of: tekton-triggers
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: tekton-triggers-webhook
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
diff --git a/config/201-clusterrolebinding.yaml b/config/201-clusterrolebinding.yaml
@@ -27,3 +27,21 @@ roleRef:
   kind: ClusterRole
   name: tekton-triggers-admin
   apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: tekton-triggers-webhook-admin
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-webhook
+    namespace: tekton-pipelines
+roleRef:
+  kind: ClusterRole
+  name: tekton-triggers-admin
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/201-rolebinding.yaml b/config/201-rolebinding.yaml
@@ -28,3 +28,22 @@ roleRef:
   kind: Role
   name: tekton-triggers-admin
   apiGroup: rbac.authorization.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: tekton-triggers-webhook-admin
+  namespace: tekton-pipelines
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-triggers
+subjects:
+  - kind: ServiceAccount
+    name: tekton-triggers-webhook
+    namespace: tekton-pipelines
+roleRef:
+  kind: Role
+  name: tekton-triggers-admin-webhook
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/webhook.yaml b/config/webhook.yaml
@@ -48,7 +48,7 @@ spec:
         # version value replaced with inputs.params.versionTag in triggers/tekton/publish.yaml
         version: "devel"
     spec:
-      serviceAccountName: tekton-triggers-controller
+      serviceAccountName: tekton-triggers-webhook
       containers:
       - name: webhook
         # This is the Go import path for the binary that is containerized