fix(rbac): various fixes

buroa · Jan 3, 2024 · e09dbd5 · e09dbd5
1 parent b5d94ab
commit e09dbd5
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 85 deletions.
diff --git a/kubernetes/apps/kube-system/system-upgrade-controller/app/helmrelease.yaml b/kubernetes/apps/kube-system/system-upgrade-controller/app/helmrelease.yaml
@@ -101,3 +101,4 @@ spec:
         enabled: false
     serviceAccount:
       name: system-upgrade
+      create: true
diff --git a/kubernetes/apps/kube-system/system-upgrade-controller/app/kustomization.yaml b/kubernetes/apps/kube-system/system-upgrade-controller/app/kustomization.yaml
@@ -4,5 +4,5 @@ kind: Kustomization
 resources:
   # renovate: datasource=github-releases depName=rancher/system-upgrade-controller
   - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.2/crd.yaml
-  - ./rbac.yaml
   - ./helmrelease.yaml
+  - ./rbac.yaml
diff --git a/kubernetes/apps/kube-system/system-upgrade-controller/app/rbac.yaml b/kubernetes/apps/kube-system/system-upgrade-controller/app/rbac.yaml
@@ -12,11 +12,6 @@ subjects:
     name: system-upgrade
     namespace: kube-system
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: system-upgrade
----
 apiVersion: talos.dev/v1alpha1
 kind: ServiceAccount
 metadata:

diff --git a/kubernetes/apps/monitoring/gatus/app/rbac.yaml b/kubernetes/apps/monitoring/gatus/app/rbac.yaml
@@ -3,7 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: gatus
-  namespace: monitoring
 rules:
   - apiGroups: [""]
     resources: ["configmaps", "secrets"]
@@ -13,7 +12,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: gatus
-  namespace: monitoring
 roleRef:
   kind: ClusterRole
   name: gatus

diff --git a/kubernetes/apps/monitoring/vector/agent/rbac.yaml b/kubernetes/apps/monitoring/vector/agent/rbac.yaml
@@ -3,27 +3,15 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: vector-agent
-  labels:
-    app.kubernetes.io/instance: vector-agent
-    app.kubernetes.io/name: vector-agent
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - namespaces
-      - nodes
-      - pods
-    verbs:
-      - list
-      - watch
+  - apiGroups: [""]
+    resources: ["namespaces", "nodes", "pods"]
+    verbs: ["list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: vector-agent
-  labels:
-    app.kubernetes.io/instance: vector-agent
-    app.kubernetes.io/name: vector-agent
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/kubernetes/apps/networking/external-dns/app/rbac.yaml b/kubernetes/apps/networking/external-dns/app/rbac.yaml
@@ -3,51 +3,21 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: external-dns
-  labels:
-    app.kubernetes.io/instance: external-dns
-    app.kubernetes.io/name: external-dns
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - nodes
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - ""
-    resources:
-      - pods
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - endpoints
-    verbs:
-      - get
-      - watch
-      - list
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - get
-      - watch
-      - list
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["get", "watch", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: external-dns-viewer
-  labels:
-    app.kubernetes.io/instance: external-dns
-    app.kubernetes.io/name: external-dns
+  name: external-dns
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole

diff --git a/kubernetes/apps/networking/k8s-gateway/app/rbac.yaml b/kubernetes/apps/networking/k8s-gateway/app/rbac.yaml
@@ -3,26 +3,13 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: k8s-gateway
-  labels:
-    app.kubernetes.io/instance: k8s-gateway
-    app.kubernetes.io/name: k8s-gateway
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - services
-      - namespaces
-    verbs:
-      - list
-      - watch
-  - apiGroups:
-      - extensions
-      - networking.k8s.io
-    resources:
-      - ingresses
-    verbs:
-      - list
-      - watch
+  - apiGroups: [""]
+    resources: ["services", "namespaces"]
+    verbs: ["list", "watch"]
+  - apiGroups: ["extensions", "networking.k8s.io"]
+    resources: ["ingresses"]
+    verbs: ["list", "watch"]
   - apiGroups: ["gateway.networking.k8s.io"]
     resources: ["*"]
     verbs: ["watch", "list"]
@@ -37,9 +24,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: k8s-gateway
-  labels:
-    app.kubernetes.io/instance: k8s-gateway
-    app.kubernetes.io/name: k8s-gateway
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole