diff --git a/calico/templates/daemonset-calico-node.yaml b/calico/templates/daemonset-calico-node.yaml index 41036585f9..63f49d903e 100644 --- a/calico/templates/daemonset-calico-node.yaml +++ b/calico/templates/daemonset-calico-node.yaml @@ -42,7 +42,7 @@ limitations under the License. {{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }} -{{- $serviceAccountName := "calico-cni-plugin"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-cni-plugin"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/calico/templates/deployment-calico-kube-controllers.yaml b/calico/templates/deployment-calico-kube-controllers.yaml index 06eb44e40f..af7f41bef9 100644 --- a/calico/templates/deployment-calico-kube-controllers.yaml +++ b/calico/templates/deployment-calico-kube-controllers.yaml @@ -23,7 +23,7 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_kube_policy_controllers -}} {{- end -}} -{{- $serviceAccountName := "calico-kube-policy-controllers"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "calico-kube-controllers"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/elasticsearch/templates/deployment-client.yaml b/elasticsearch/templates/deployment-client.yaml index 07ed9a7ded..324412936b 100644 --- a/elasticsearch/templates/deployment-client.yaml +++ b/elasticsearch/templates/deployment-client.yaml 
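Review bot: In deployment-calico-kube-controllers.yaml the new `$serviceAccountName` changes the base name as well as adding the release prefix: `calico-kube-policy-controllers` becomes `<release>-calico-kube-controllers`. The RBAC objects that follow in the file start outside this hunk, so it is not visible whether their subjects use `{{ $serviceAccountName }}` or the old literal. Any binding, pod security policy or external manifest that still names the old account will stop matching after an upgrade. A comment above the assignment would help, e.g. `{{/* service account is release-scoped; RBAC subjects below must use $serviceAccountName */}}`, together with a check that no literal remains.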
@@ -26,7 +26,7 @@ limitations under the License. {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} -{{- $serviceAccountName := "elasticsearch-client"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "elasticsearch-client"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/elasticsearch/templates/statefulset-data.yaml b/elasticsearch/templates/statefulset-data.yaml index 0eac6ac043..4660719628 100644 --- a/elasticsearch/templates/statefulset-data.yaml +++ b/elasticsearch/templates/statefulset-data.yaml @@ -25,7 +25,7 @@ limitations under the License. {{- $mounts_elasticsearch := .Values.pod.mounts.elasticsearch.elasticsearch }} -{{- $serviceAccountName := "elasticsearch-data"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "elasticsearch-data"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/flannel/templates/daemonset-kube-flannel-ds.yaml b/flannel/templates/daemonset-kube-flannel-ds.yaml index 6038b9b93a..ae03a04173 100644 --- a/flannel/templates/daemonset-kube-flannel-ds.yaml +++ b/flannel/templates/daemonset-kube-flannel-ds.yaml @@ -23,7 +23,7 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}} {{- end -}} -{{- $serviceAccountName := "flannel"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "flannel"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- kind: ClusterRole diff --git a/fluent-logging/templates/daemonset-fluent-bit.yaml b/fluent-logging/templates/daemonset-fluent-bit.yaml index 5e4239b1bd..c7ad407e37 100644 
--- a/fluent-logging/templates/daemonset-fluent-bit.yaml +++ b/fluent-logging/templates/daemonset-fluent-bit.yaml @@ -26,7 +26,7 @@ limitations under the License. {{- $mounts_fluentbit := .Values.pod.mounts.fluentbit.fluentbit }} -{{- $serviceAccountName := "fluentbit"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "fluentbit" }} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/fluent-logging/templates/deployment-fluentd.yaml b/fluent-logging/templates/deployment-fluentd.yaml index 39e94ece6f..a77297d6a2 100644 --- a/fluent-logging/templates/deployment-fluentd.yaml +++ b/fluent-logging/templates/deployment-fluentd.yaml @@ -26,7 +26,7 @@ limitations under the License. {{- $mounts_fluentd := .Values.pod.mounts.fluentd.fluentd }} -{{- $serviceAccountName := "fluentd"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "fluentd" }} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 diff --git a/nfs-provisioner/templates/clusterrole.yaml b/nfs-provisioner/templates/clusterrole.yaml deleted file mode 100644 index d5c91809f9..0000000000 --- a/nfs-provisioner/templates/clusterrole.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrole }} ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: nfs-provisioner-runner -rules: - - apiGroups: - - '' - resources: - - persistentvolumes - verbs: - - get - - list - - watch - - create - - delete - - apiGroups: - - '' - resources: - - persistentvolumeclaims - verbs: - - get - - list - - watch - - update - - apiGroups: - - storage.k8s.io - resources: - - storageclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - list - - watch - - create - - update - - patch - - apiGroups: - - '' - resources: - - services - - endpoints - verbs: - - get - - apiGroups: - - extensions - resources: - - podsecuritypolicies - resourceNames: - - nfs-provisioner - verbs: - - use -{{- end }} diff --git a/nfs-provisioner/templates/clusterrolebinding.yaml b/nfs-provisioner/templates/clusterrolebinding.yaml deleted file mode 100644 index a7ca493228..0000000000 --- a/nfs-provisioner/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $serviceAccountName := "nfs-provisioner"}} -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-nfs-provisioner -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: nfs-provisioner-runner - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/nfs-provisioner/templates/deployment.yaml b/nfs-provisioner/templates/deployment.yaml index 44193c2634..5d59376f84 100644 --- a/nfs-provisioner/templates/deployment.yaml +++ b/nfs-provisioner/templates/deployment.yaml 
@@ -23,9 +23,80 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}} {{- end -}} -{{- $serviceAccountName := "nfs-provisioner"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "nfs-provisioner"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - '' + resources: + - persistentvolumes + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - '' + resources: + - persistentvolumeclaims + verbs: + - get + - list + - watch + - update + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - list + - watch + - create + - update + - patch + - apiGroups: + - '' + resources: + - services + - endpoints + verbs: + - get + - apiGroups: + - extensions + resources: + - podsecuritypolicies + resourceNames: + - nfs-provisioner + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ $serviceAccountName }} + apiGroup: rbac.authorization.k8s.io +--- kind: Deployment apiVersion: apps/v1beta1 metadata: diff --git a/nfs-provisioner/values.yaml b/nfs-provisioner/values.yaml index 51bc1adf8a..d28b66fd32 100644 --- a/nfs-provisioner/values.yaml +++ b/nfs-provisioner/values.yaml @@ -123,8 +123,6 @@ endpoints: manifests: configmap_bin: true - clusterrole: true - clusterrolebinding: true deployment: true job_image_repo_sync: true service: true 
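Review bot: The ClusterRole and ClusterRoleBinding added to nfs-provisioner/templates/deployment.yaml carry no guard of their own, and the values.yaml hunk removes `manifests.clusterrole` and `manifests.clusterrolebinding`, so an operator can no longer deploy the workload while supplying narrower, pre-provisioned RBAC. The same applies to the kube-state-metrics, node-exporter, prometheus and tiller hunks later in this diff, two of which bind `cluster-admin`. Consider keeping the toggles around the inlined objects, e.g. `{{- if .Values.manifests.clusterrole }}` … `{{- end }}`, and leaving the keys in values.yaml. Separately, the `podsecuritypolicies` rule still names `nfs-provisioner` in `resourceNames` while everything else is now release-prefixed; confirm that policy name is meant to stay fixed. The template's enclosing `if` starts outside the hunk.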
diff --git a/prometheus-alertmanager/templates/clusterrolebinding.yaml b/prometheus-alertmanager/templates/clusterrolebinding.yaml index 3a31c8e0f7..ff70448b9f 100644 --- a/prometheus-alertmanager/templates/clusterrolebinding.yaml +++ b/prometheus-alertmanager/templates/clusterrolebinding.yaml @@ -16,7 +16,7 @@ limitations under the License. {{- if .Values.manifests.clusterrolebinding }} {{- $envAll := . }} -{{- $serviceAccountName := "alertmanager"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "alertmanager"}} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRoleBinding diff --git a/prometheus-kube-state-metrics/templates/clusterrole.yaml b/prometheus-kube-state-metrics/templates/clusterrole.yaml deleted file mode 100644 index 288cc1abdb..0000000000 --- a/prometheus-kube-state-metrics/templates/clusterrole.yaml +++ /dev/null 
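Review bot: Only the binding side is renamed in prometheus-alertmanager/templates/clusterrolebinding.yaml; no alertmanager workload template appears in this diff, so the ServiceAccount itself may still be created as plain `alertmanager`. If so, the ClusterRoleBinding names an account that does not exist, and the role would apply to whatever account is later created as `<release>-alertmanager` in that namespace. Please confirm that the template calling `helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount` for alertmanager uses the same `printf "%s-%s" .Release.Name "alertmanager"` expression. The rest of the binding lies outside the hunk.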
@@ -1,74 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrole }} -{{- $envAll := . }} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: kube-state-metrics-runner -rules: - - apiGroups: - - "" - resources: - - namespaces - - nodes - - persistentvolumeclaims - - pods - - services - - resourcequotas - - replicationcontrollers - - limitranges - - endpoints - - persistentvolumes - - horizontalpodautoscalers - verbs: - - list - - watch - - apiGroups: - - extensions - resources: - - daemonsets - - deployments - - replicasets - verbs: - - list - - watch - - apiGroups: - - apps - resources: - - statefulsets - verbs: - - get - - list - - watch - - apiGroups: - - autoscaling - resources: - - horizontalpodautoscalers - verbs: - - list - - watch - - apiGroups: - - batch - resources: - - cronjobs - - jobs - verbs: - - list - - watch -{{- end }} diff --git a/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml b/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml deleted file mode 100644 index 42bab214cb..0000000000 --- a/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $envAll := . }} -{{- $serviceAccountName := "kube-state-metrics"}} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-kube-state-metrics -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ $envAll.Release.Namespace }} -roleRef: - kind: ClusterRole - name: kube-state-metrics-runner - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/prometheus-kube-state-metrics/templates/deployment.yaml b/prometheus-kube-state-metrics/templates/deployment.yaml index 1560c119f9..3168e242d4 100644 --- a/prometheus-kube-state-metrics/templates/deployment.yaml +++ b/prometheus-kube-state-metrics/templates/deployment.yaml 
@@ -23,9 +23,67 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_state_metrics -}} {{- end -}} -{{- $serviceAccountName := "kube-state-metrics"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "kube-state-metrics"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - namespaces + - nodes + - persistentvolumeclaims + - pods + - services + - resourcequotas + - replicationcontrollers + - limitranges + verbs: + - list + - watch + - apiGroups: + - extensions + resources: + - daemonsets + - deployments + - replicasets + verbs: + - list + - watch + - apiGroups: + - apps + resources: + - statefulsets + verbs: + - get + - list + - watch + - apiGroups: + - batch + resources: + - cronjobs + - jobs + verbs: + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ $envAll.Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ $serviceAccountName }} + apiGroup: rbac.authorization.k8s.io +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: diff --git a/prometheus-kube-state-metrics/values.yaml b/prometheus-kube-state-metrics/values.yaml index 3efa0b458d..6e739a73a7 100644 --- a/prometheus-kube-state-metrics/values.yaml +++ b/prometheus-kube-state-metrics/values.yaml @@ -141,8 +141,6 @@ network: manifests: configmap_bin: true - clusterrole: true - clusterrolebinding: true deployment: true job_image_repo_sync: true service_kube_state_metrics: true 
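Review bot: The ClusterRole inlined into prometheus-kube-state-metrics/templates/deployment.yaml is not the same rule set as the deleted clusterrole.yaml: `endpoints`, `persistentvolumes` and `horizontalpodautoscalers` are gone from the core-group rule, and the whole `autoscaling` rule is dropped. Nothing in the visible lines marks this as intended, so it reads as an unreviewed permission change riding along with a rename. If kube-state-metrics still collects those resources, its list/watch calls will be denied. Either restore the removed entries or state the reduction in a template comment, e.g. `{{/* endpoints, persistentvolumes and HPA rules intentionally omitted */}}`.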
diff --git a/prometheus-node-exporter/templates/clusterrolebinding.yaml b/prometheus-node-exporter/templates/clusterrolebinding.yaml deleted file mode 100644 index 40489f2901..0000000000 --- a/prometheus-node-exporter/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $envAll := . }} -{{- $serviceAccountName := "node-exporter"}} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-node-exporter -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/prometheus-node-exporter/templates/daemonset.yaml b/prometheus-node-exporter/templates/daemonset.yaml index 5d9b6635bc..3a12b61919 100644 --- a/prometheus-node-exporter/templates/daemonset.yaml +++ b/prometheus-node-exporter/templates/daemonset.yaml 
@@ -23,9 +23,22 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.node_exporter -}} {{- end -}} -{{- $serviceAccountName := "node-exporter"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "node-exporter"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: run-node-exporter +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io +--- apiVersion: extensions/v1beta1 kind: DaemonSet metadata: diff --git a/prometheus-node-exporter/values.yaml b/prometheus-node-exporter/values.yaml index c8fada73bb..8faeb513fb 100644 --- a/prometheus-node-exporter/values.yaml +++ b/prometheus-node-exporter/values.yaml @@ -134,7 +134,6 @@ endpoints: manifests: configmap_bin: true - clusterrolebinding: true daemonset: true job_image_repo_sync: true service: true diff --git a/prometheus/templates/clusterrole.yaml b/prometheus/templates/clusterrole.yaml deleted file mode 100644 index 6883aef35e..0000000000 --- a/prometheus/templates/clusterrole.yaml +++ /dev/null 
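Review bot: The ClusterRoleBinding moved into prometheus-node-exporter/templates/daemonset.yaml still grants `cluster-admin` to the node-exporter service account, and with `manifests.clusterrolebinding` removed from values.yaml it can no longer be switched off. That puts a full-control token in a pod on every node, while nothing visible in this diff shows the exporter needing API access at all. I would drop the binding, or point `roleRef.name` at a read-only ClusterRole defined in this template. The binding also keeps the fixed name `run-node-exporter` although its subject is now release-specific, so a second release would collide on the same cluster-scoped object; `name: {{ $serviceAccountName }}` would match the other charts.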
@@ -1,46 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrole }} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: prometheus-runner -rules: - - apiGroups: - - "" - resources: - - nodes - - nodes/proxy - - services - - endpoints - - pods - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - nonResourceURLs: - - "/metrics" - verbs: - - get -{{- end }} diff --git a/prometheus/templates/clusterrolebinding.yaml b/prometheus/templates/clusterrolebinding.yaml deleted file mode 100644 index e232353f94..0000000000 --- a/prometheus/templates/clusterrolebinding.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ - -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding }} -{{- $serviceAccountName := "prometheus"}} ---- -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: run-prometheus -subjects: - - kind: ServiceAccount - name: {{ $serviceAccountName }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: prometheus-runner - apiGroup: rbac.authorization.k8s.io -{{- end }} diff --git a/prometheus/templates/statefulset.yaml b/prometheus/templates/statefulset.yaml index 46a14c2bb9..f3fa07ce74 100644 --- a/prometheus/templates/statefulset.yaml +++ b/prometheus/templates/statefulset.yaml 
@@ -26,9 +26,50 @@ limitations under the License. {{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }} {{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }} -{{- $serviceAccountName := "prometheus"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "prometheus"}} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: {{ $serviceAccountName }} +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - services + - endpoints + - pods + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - nonResourceURLs: + - "/metrics" + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: prometheus-runner + apiGroup: rbac.authorization.k8s.io +--- apiVersion: apps/v1beta1 kind: StatefulSet metadata: diff --git a/prometheus/values.yaml b/prometheus/values.yaml index 0746ffa6a4..8b16f3c6f9 100644 --- a/prometheus/values.yaml +++ b/prometheus/values.yaml @@ -171,8 +171,6 @@ storage: storage_class: general manifests: - clusterrole: true - clusterrolebinding: true configmap_bin: true configmap_etc: true ingress_prometheus: true diff --git a/tiller/templates/clusterrolebinding-tiller.yaml b/tiller/templates/clusterrolebinding-tiller.yaml deleted file mode 100644 index fe05590bfc..0000000000 --- a/tiller/templates/clusterrolebinding-tiller.yaml +++ /dev/null 
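Review bot: In prometheus/templates/statefulset.yaml the new ClusterRole is named `{{ $serviceAccountName }}`, but the ClusterRoleBinding's `roleRef.name` is still the literal `prometheus-runner`, a role this commit stops creating by deleting clusterrole.yaml. On a fresh install the binding points at nothing and the Prometheus account gets none of the rules defined just above it. On a cluster where a `prometheus-runner` role is left over or defined elsewhere, the account silently receives whatever that role grants. Change it to `name: {{ $serviceAccountName }}`, as the nfs-provisioner and kube-state-metrics bindings in this diff do.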
@@ -1,32 +0,0 @@ -{{/* -Copyright 2017 The Openstack-Helm Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/}} - -{{- if .Values.manifests.clusterrolebinding_tiller }} -{{- $envAll := . }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: tiller -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- kind: ServiceAccount - name: tiller - namespace: {{ .Release.Namespace }} -{{- end }} diff --git a/tiller/templates/deployment-tiller.yaml b/tiller/templates/deployment-tiller.yaml index 0a0368f9da..b11b2bbba5 100644 --- a/tiller/templates/deployment-tiller.yaml +++ b/tiller/templates/deployment-tiller.yaml @@ -23,9 +23,22 @@ limitations under the License. {{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}} {{- end -}} -{{- $serviceAccountName := "tiller"}} +{{- $serviceAccountName := printf "%s-%s" .Release.Name "tiller" }} {{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ $serviceAccountName }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: 
diff --git a/tiller/values.yaml b/tiller/values.yaml index 33038d872c..3b56dc86e0 100644 --- a/tiller/values.yaml +++ b/tiller/values.yaml @@ -79,7 +79,6 @@ endpoints: node: 5000 manifests: - clusterrolebinding_tiller: true configmap_bin: true deployment_tiller: true job_image_repo_sync: true