diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
deleted file mode 100644
index 9396aa614..000000000
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cluster-version-operator
-  annotations:
-    kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
-    include.release.openshift.io/self-managed-high-availability: "true"
-roleRef:
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  namespace: openshift-cluster-version
-  name: default
diff --git a/install/0000_00_cluster-version-operator_02_service_account.yaml b/install/0000_00_cluster-version-operator_02_service_account.yaml
new file mode 100644
index 000000000..96b8eee99
--- /dev/null
+++ b/install/0000_00_cluster-version-operator_02_service_account.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cluster-version-operator
+  namespace: openshift-cluster-version
+  annotations:
+    kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
+    include.release.openshift.io/self-managed-high-availability: "true"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: update-payload-dedicated-sa
+  namespace: openshift-cluster-version
+  annotations:
+    kubernetes.io/description: Dedicated Service Account for the Update Payload.
+    include.release.openshift.io/self-managed-high-availability: "true"
diff --git a/install/0000_00_cluster-version-operator_03_1_roles.yaml b/install/0000_00_cluster-version-operator_03_1_roles.yaml
new file mode 100644
index 000000000..2fb975f0b
--- /dev/null
+++ b/install/0000_00_cluster-version-operator_03_1_roles.yaml
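Review bot: Neither new ServiceAccount sets `automountServiceAccountToken: false`, so any pod that runs as `update-payload-dedicated-sa` without a pod-level setting is handed a token for an account that the `03_1_roles.yaml` hunk binds to `system:openshift:scc:privileged`; the Deployment keeps that setting at the pod level, but the payload Pod built in the `pkg/cvo/updatepayload.go` hunk does not. If the payload extraction never needs the API server, adding `automountServiceAccountToken: false` to the `update-payload-dedicated-sa` document gives a safe default that holds however the pod spec evolves. The two descriptions could also name the role bindings each account is meant to receive, since that separation is the reason the accounts are split.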
@@ -0,0 +1,113 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cvo-leader-election
+rules:
+- apiGroups: ["coordination.k8s.io"]
+  resources: ["leases"]
+  verbs: ["get", "create", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cvo-leader-election-binding
+  namespace: openshift-cluster-version
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cvo-leader-election
+subjects:
+- kind: ServiceAccount
+  name: cluster-version-operator
+  namespace: openshift-cluster-version
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cvo-required-config-reader
+rules:
+- apiGroups: ["config.openshift.io"]
+  resources: ["featuregates", "clusteroperators", "clusterversions", "proxies", "infrastructures"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cvo-configmap-reader
+rules:
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cvo-config-configmap-binding
+  namespace: openshift-config
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cvo-configmap-reader
+subjects:
+- kind: ServiceAccount
+  name: cluster-version-operator
+  namespace: openshift-cluster-version
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cvo-managed-configmap-binding
+  namespace: openshift-config-managed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cvo-configmap-reader
+subjects:
+- kind: ServiceAccount
+  name: cluster-version-operator
+  namespace: openshift-cluster-version
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cvo-required-config-binding
+  annotations:
+    kubernetes.io/description: Grant the cluster-version operator featuregate specific permissions.
+    include.release.openshift.io/self-managed-high-availability: "true"
+roleRef:
+  kind: ClusterRole
+  name: cvo-required-config-reader
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  namespace: openshift-cluster-version
+  name: cluster-version-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-version-operator
+  annotations:
+    kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
+    include.release.openshift.io/self-managed-high-availability: "true"
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+  namespace: openshift-cluster-version
+  name: cluster-version-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-version-operator-scc-privileged-access
+subjects:
+- kind: ServiceAccount
+  name: update-payload-dedicated-sa
+  namespace: openshift-cluster-version
+roleRef:
+  kind: ClusterRole
+  name: system:openshift:scc:privileged
+  apiGroup: rbac.authorization.k8s.io
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
index ff85c55f9..8a373dcc9 100644
--- a/install/0000_00_cluster-version-operator_03_deployment.yaml
+++ b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -23,6 +23,7 @@ spec:
         k8s-app: cluster-version-operator
     spec:
       automountServiceAccountToken: false
+      serviceAccountName: cluster-version-operator
       containers:
       - name: cluster-version-operator
         image: '{{.ReleaseImage}}'
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
index ace63e725..d4439830d 100644
--- a/pkg/cvo/updatepayload.go
+++ b/pkg/cvo/updatepayload.go
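Review bot: Seven of the nine documents in this file, including the three new ClusterRoles, their bindings and the `cluster-version-operator-scc-privileged-access` binding, lack the `include.release.openshift.io/self-managed-high-availability: "true"` annotation that `cvo-required-config-binding` and the `cluster-admin` binding carry; if that annotation decides which manifests are rendered into the release payload, the fine-grained objects would be dropped while the `cluster-admin` grant survives, so either add the annotation to every document or confirm the filter does not need it. The description on `cvo-required-config-binding` says `featuregate specific permissions`, but `cvo-required-config-reader` also reads clusteroperators, clusterversions, proxies and infrastructures; `kubernetes.io/description: Grant the cluster-version operator read access to the config.openshift.io resources it requires.` would match the rule. Since the `cluster-admin` ClusterRoleBinding to the same `cluster-version-operator` service account remains, the new ClusterRoles are currently subsumed by it; a comment above that binding stating whether it is transitional would tell the next reader why both exist.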
@@ -232,6 +232,7 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 			},
 		},
 		Spec: corev1.PodSpec{
+			ServiceAccountName: "update-payload-dedicated-sa",
 			ActiveDeadlineSeconds: deadline,
 			InitContainers: []corev1.Container{
 				setContainerDefaults(corev1.Container{
diff --git a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
index b3f0c40d1..9c037bdd9 100644
--- a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
+++ b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
@@ -23,6 +23,7 @@ spec:
         k8s-app: cluster-version-operator
     spec:
       automountServiceAccountToken: false
+      serviceAccountName: cluster-version-operator
       containers:
       - name: cluster-version-operator
         image: 'quay.io/cvo/release:latest'
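Review bot: `"update-payload-dedicated-sa"` is a bare string literal here that must stay in sync with the ServiceAccount in `install/0000_00_cluster-version-operator_02_service_account.yaml` and the SCC binding in `03_1_roles.yaml`; a rename on either side fails only at runtime, when the payload pod is rejected for a missing service account. A named constant beside the other payload-pod settings, `// updatePayloadServiceAccount must match the ServiceAccount shipped in install/0000_00_cluster-version-operator_02_service_account.yaml.` followed by `const updatePayloadServiceAccount = "update-payload-dedicated-sa"`, with `ServiceAccountName: updatePayloadServiceAccount,` at this line, gives one place to grep and document the coupling. fetchUpdatePayloadToDir starts and ends outside the hunk.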