Merge pull request #519 from cwrau/feat/use-real-serviceaccount

⚠️ feat(rbac): use real ServiceAccount instead of default
kubernetes-sigs · Jun 24, 2024 · 628476c · 628476c
2 parents d2d1dad + a4db00b
commit 628476c
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 4 deletions.
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -15,6 +15,8 @@ spec:
  labels:
  control-plane: controller-manager
  spec:
+ serviceAccountName: manager
+ automountServiceAccountToken: true
  containers:
  - command:
  - /manager

diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -3,3 +3,4 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- service_account.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
  name: leader-election-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: manager
  namespace: system
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
  name: manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: manager
  namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: manager
+ namespace: system
diff --git a/hack/charts/cluster-api-operator/templates/deployment.yaml b/hack/charts/cluster-api-operator/templates/deployment.yaml
@@ -47,6 +47,8 @@ spec:
  {{- toYaml . | nindent 8 }}
  {{- end }}
  spec:
+ serviceAccountName: capi-operator-manager
+ automountServiceAccountToken: true
  {{- with .Values.securityContext }}
  securityContext:
  {{- toYaml . | nindent 8 }}

diff --git a/test/e2e/resources/full-chart-install.yaml b/test/e2e/resources/full-chart-install.yaml
@@ -1,5 +1,14 @@
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ clusterctl.cluster.x-k8s.io/core: capi-operator
+ name: capi-operator-manager
+ namespace: 'default'
+---
+# Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -17702,7 +17711,7 @@ roleRef:
  name: capi-operator-manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: capi-operator-manager
  namespace: 'default'
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
@@ -17767,7 +17776,7 @@ roleRef:
  name: capi-operator-leader-election-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: capi-operator-manager
  namespace: 'default'
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
@@ -17818,6 +17827,8 @@ spec:
  control-plane: controller-manager
  clusterctl.cluster.x-k8s.io/core: capi-operator
  spec:
+ serviceAccountName: capi-operator-manager
+ automountServiceAccountToken: true
  containers:
  - args:
  - --v=2