✨ feat(k8sgpt-rbac.yaml): add new RBAC configuration for k8sgpt operator

chart/operator/templates/k8sgpt-cluster-role-binding.yaml

@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "chart.fullname" . }}-k8sgpt
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "chart.fullname" . }}-k8sgpt
+subjects:
+  - kind: ServiceAccount
+    name: "k8sgpt"
+    namespace: {{ .Release.Namespace }}

chart/operator/templates/k8sgpt-cluster-role.yaml

@@ -0,0 +1,23 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "chart.fullname" . }}-k8sgpt
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - '*'
+    resources:
+      - '*'
+    verbs:
+      - create
+      - list
+      - get
+      - watch
+      - delete
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - '*'
+    verbs:
+      - '*'

chart/operator/templates/k8sgpt-sa.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: "k8sgpt"
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: k8sgpt-operator
+    app.kubernetes.io/part-of: k8sgpt-operator
+    {{- include "chart.labels" . | nindent 4 }}
+

chart/operator/templates/manager-rbac.yaml

@@ -55,12 +55,6 @@ rules:
   - patch
   - update
   - watch
-- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - '*'
-  verbs:
-  - '*'
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

pkg/resources/k8sgpt.go

@@ -24,7 +24,6 @@
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
-	r1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -102,108 +101,6 @@
 	return &service, nil
 }
 
-// GetServiceAccount Create Service Account for K8sGPT and bind it to K8sGPT role
-func GetServiceAccount(config v1alpha1.K8sGPT) (*corev1.ServiceAccount, error) {
-	// Create service account
-	serviceAccount := corev1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "k8sgpt",
-			Namespace: config.Namespace,
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					Kind:               config.Kind,
-					Name:               config.Name,
-					UID:                config.UID,
-					APIVersion:         config.APIVersion,
-					BlockOwnerDeletion: utils.PtrBool(true),
-					Controller:         utils.PtrBool(true),
-				},
-			},
-		},
-		ImagePullSecrets: []corev1.LocalObjectReference{},
-	}
-	//Add image pull secrets to service account
-	for _, secret := range config.Spec.ImagePullSecrets {
-		serviceAccount.ImagePullSecrets = append(serviceAccount.ImagePullSecrets, corev1.LocalObjectReference{
-			Name: secret.Name,
-		})
-	}
-
-	return &serviceAccount, nil
-}
-
-// GetClusterRoleBinding Create cluster role binding for K8sGPT
-func GetClusterRoleBinding(config v1alpha1.K8sGPT) (*r1.ClusterRoleBinding, error) {
-
-	// Create cluster role binding
-	clusterRoleBinding := r1.ClusterRoleBinding{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "k8sgpt",
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					Kind:               config.Kind,
-					Name:               config.Name,
-					UID:                config.UID,
-					APIVersion:         config.APIVersion,
-					BlockOwnerDeletion: utils.PtrBool(true),
-					Controller:         utils.PtrBool(true),
-				},
-			},
-		},
-		Subjects: []r1.Subject{
-			{
-				Kind:      "ServiceAccount",
-				Name:      "k8sgpt",
-				Namespace: config.Namespace,
-			},
-		},
-		RoleRef: r1.RoleRef{
-			Kind:     "ClusterRole",
-			Name:     "k8sgpt",
-			APIGroup: "rbac.authorization.k8s.io",
-		},
-	}
-
-	return &clusterRoleBinding, nil
-}
-
-// GetClusterRole Create ClusterRole for K8sGPT with cluster read all
-func GetClusterRole(config v1alpha1.K8sGPT) (*r1.ClusterRole, error) {
-
-	// Create cluster role
-	clusterRole := r1.ClusterRole{
-		ObjectMeta: metav1.ObjectMeta{
-			Name: "k8sgpt",
-			OwnerReferences: []metav1.OwnerReference{
-				{
-					Kind:               config.Kind,
-					Name:               config.Name,
-					UID:                config.UID,
-					APIVersion:         config.APIVersion,
-					BlockOwnerDeletion: utils.PtrBool(true),
-					Controller:         utils.PtrBool(true),
-				},
-			},
-		},
-		Rules: []r1.PolicyRule{
-			{
-				APIGroups: []string{"*"},
-				Resources: []string{"*"},
-				// This is necessary for the creation of integrations
-				Verbs: []string{"create", "list", "get", "watch", "delete"},
-			},
-			// Allow creation of custom resources
-			{
-				APIGroups: []string{"apiextensions.k8s.io"},
-				Resources: []string{"*"},
-				Verbs:     []string{"*"},
-			},
-		},
-	}
-
-	return &clusterRole, nil
-}
-
 // GetDeployment Create deployment with the latest K8sGPT image
 func GetDeployment(config v1alpha1.K8sGPT, outOfClusterMode bool, c client.Client) (*appsv1.Deployment, error) {
 
@@ -433,31 +330,7 @@
 			return er
 		}
 
-		objs = append(objs, svcAcc)
-
-		clusterRole, er := GetClusterRole(config)
-		if er != nil {
-			return er
-		}
-
-		objs = append(objs, clusterRole)
-
-		clusterRoleBinding, er := GetClusterRoleBinding(config)
-		if er != nil {
-			return er
-		}
-
-		objs = append(objs, clusterRoleBinding)
-	}
-
-	svc, er := GetService(config)
-	if er != nil {
-		return er
-	}
-
-	objs = append(objs, svc)
-
-	deployment, er := GetDeployment(config, outOfClusterMode, c)
+	deployment, er := GetDeployment(config)
 	if er != nil {
 		return er
 	}
@@ -501,7 +374,7 @@
 	return nil
 }
 
 func doSync(ctx context.Context, clt client.Client, obj client.Object) error {
 	var mutateFn controllerutil.MutateFn
 	switch expect := obj.(type) {
 	case *appsv1.Deployment: