fix: add missing permission

caos · Jan 24, 2020 · fe2f3ea · fe2f3ea
1 parent 551b50b
commit fe2f3ea
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 36 deletions.
diff --git a/internal/operator/orbiter/kinds/clusters/kubernetes/artifacts.go b/internal/operator/orbiter/kinds/clusters/kubernetes/artifacts.go
@@ -147,6 +147,15 @@ func ensureArtifacts(logger logging.Logger, kubeconfig *orbiter.Secret, orb *orb
 		return nil
 	}
 
+	if err := client.ApplyServiceAccount(&core.ServiceAccount{
+		ObjectMeta: mach.ObjectMeta{
+			Name:      "boom",
+			Namespace: "caos-system",
+		},
+	}); err != nil {
+		return err
+	}
+
 	if err := client.ApplyRole(&rbac.Role{
 		ObjectMeta: mach.ObjectMeta{
 			Name:      "boom-leader-election-role",
@@ -221,6 +230,10 @@ func ensureArtifacts(logger logging.Logger, kubeconfig *orbiter.Secret, orb *orb
 			APIGroups: []string{"monitoring.coreos.com"},
 			Resources: []string{"*"},
 			Verbs:     []string{"*"},
+		}, {
+			APIGroups: []string{"getambassador.io"},
+			Resources: []string{"*"},
+			Verbs:     []string{"*"},
 		}, {
 			APIGroups: []string{"policy"},
 			Resources: []string{"*"},
@@ -254,23 +267,6 @@ func ensureArtifacts(logger logging.Logger, kubeconfig *orbiter.Secret, orb *orb
 		return err
 	}
 
-	if err := client.ApplyClusterRole(&rbac.ClusterRole{
-		ObjectMeta: mach.ObjectMeta{
-			Name: "boom-proxy-role",
-		},
-		Rules: []rbac.PolicyRule{{
-			APIGroups: []string{"authentication.k8s.io"},
-			Resources: []string{"tokenreviews"},
-			Verbs:     []string{"create"},
-		}, {
-			APIGroups: []string{"authorization.k8s.io"},
-			Resources: []string{"subjectaccessreviews"},
-			Verbs:     []string{"create"},
-		}},
-	}); err != nil {
-		return err
-	}
-
 	if err := client.ApplyRoleBinding(&rbac.RoleBinding{
 		ObjectMeta: mach.ObjectMeta{
 			Namespace: "caos-system",
@@ -283,7 +279,7 @@ func ensureArtifacts(logger logging.Logger, kubeconfig *orbiter.Secret, orb *orb
 		},
 		Subjects: []rbac.Subject{{
 			Kind:      "ServiceAccount",
-			Name:      "default",
+			Name:      "boom",
 			Namespace: "caos-system",
 		}},
 	}); err != nil {
@@ -300,24 +296,7 @@ func ensureArtifacts(logger logging.Logger, kubeconfig *orbiter.Secret, orb *orb
 		},
 		Subjects: []rbac.Subject{{
 			Kind:      "ServiceAccount",
-			Name:      "default",
-			Namespace: "caos-system",
-		}},
-	}); err != nil {
-		return err
-	}
-	if err := client.ApplyClusterRoleBinding(&rbac.ClusterRoleBinding{
-		ObjectMeta: mach.ObjectMeta{
-			Name: "boom-proxy-rolebinding",
-		},
-		RoleRef: rbac.RoleRef{
-			APIGroup: "rbac.authorization.k8s.io",
-			Kind:     "ClusterRole",
-			Name:     "boom-proxy-role",
-		},
-		Subjects: []rbac.Subject{{
-			Kind:      "ServiceAccount",
-			Name:      "default",
+			Name:      "boom",
 			Namespace: "caos-system",
 		}},
 	}); err != nil {

diff --git a/internal/operator/orbiter/kinds/clusters/kubernetes/edge/k8s/client.go b/internal/operator/orbiter/kinds/clusters/kubernetes/edge/k8s/client.go
@@ -102,6 +102,17 @@ func (c *Client) ApplySecret(rsc *core.Secret) error {
 	})
 }
 
+func (c *Client) ApplyServiceAccount(rsc *core.ServiceAccount) error {
+	resources := c.set.CoreV1().ServiceAccounts(rsc.Namespace)
+	return c.apply("serviceaccount", rsc.GetName(), func() error {
+		_, err := resources.Create(rsc)
+		return err
+	}, func() error {
+		_, err := resources.Update(rsc)
+		return err
+	})
+}
+
 func (c *Client) ApplyRole(rsc *rbac.Role) error {
 	resources := c.set.RbacV1().Roles(rsc.Namespace)
 	return c.apply("role", rsc.GetName(), func() error {