From 36b74df9902492cf3a3874fbe63437bcc13f80ce Mon Sep 17 00:00:00 2001
From: Dieter Ladenhauf
Date: Wed, 21 Apr 2021 12:57:31 +0200
Subject: [PATCH] fix: Remove cluster admin ClusterRoleBinding and ServiceAccount
This commit removes the `ClusterRoleBinding` and `ServiceAccount` from the helm chart. The cluster admin access is not needed by the locust service, since it just executes locust without any need to access any resources within the kubernetes cluster.
fixes #23
Signed-off-by: Dieter Ladenhauf
---
 helm/templates/_helpers.tpl | 10 ----------
 helm/templates/deployment.yaml | 2 +-
 helm/templates/serviceaccount.yaml | 30 ------------------------------
 helm/values.yaml | 6 +-----
 4 files changed, 2 insertions(+), 46 deletions(-)
 delete mode 100644 helm/templates/serviceaccount.yaml
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
index 2967d68..2970e31 100644
--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -51,13 +51,3 @@ app.kubernetes.io/name: {{ include "keptn-service.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "keptn-service.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "keptn-service.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index a8a7e40..76a8c77 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -23,7 +23,7 @@ spec:
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- serviceAccountName: {{ include "keptn-service.serviceAccountName" . }}
+ serviceAccountName: {{ .Values.keptnservice.serviceAccountName }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
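Review bot: In the deployment.yaml hunk the pod still gets an API token mounted for whatever account `serviceAccountName` resolves to, and nothing in the visible lines turns that off. Since the commit message says the locust service never needs the Kubernetes API, adding `automountServiceAccountToken: false` beside `serviceAccountName` in the pod spec would remove the credential from the container instead of only lowering its privileges. The template value is also unquoted; `serviceAccountName: {{ .Values.keptnservice.serviceAccountName | quote }}` keeps a boolean- or number-looking name a string. The pod spec starts and ends outside this hunk, so confirm the field is not already set elsewhere in the template.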
diff --git a/helm/templates/serviceaccount.yaml b/helm/templates/serviceaccount.yaml
deleted file mode 100644
index cff7450..0000000
--- a/helm/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "keptn-service.serviceAccountName" . }}
- labels:
- {{- include "keptn-service.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: keptn-{{ .Release.Namespace }}-keptn-service-cluster-admin
- labels:
- {{- include "keptn-service.labels" . | nindent 4 }}
- {{- with .Values.serviceAccount.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-subjects:
- - kind: ServiceAccount
- name: {{ include "keptn-service.serviceAccountName" . }}
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: cluster-admin
- apiGroup: rbac.authorization.k8s.io
diff --git a/helm/values.yaml b/helm/values.yaml
index 07e1545..04e07a8 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -5,6 +5,7 @@ keptnservice:
 tag: "dev" # Container Tag
 service:
 enabled: true # Creates a Kubernetes Service for the locust-service
+ serviceAccountName: default
 distributor:
 stageFilter: "" # Sets the stage this helm service belongs to
@@ -25,11 +26,6 @@ remoteControlPlane:
 imagePullSecrets: [] # Secrets to use for container registry credentials
-serviceAccount:
- create: true # Enables the service account creation
- annotations: {} # Annotations to add to the service account
- name: "" # The name of the service account to use.
-
 podAnnotations: {} # Annotations to add to the created pods
 podSecurityContext: {} # Set the pod security context (e.g. fsGroups)
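Review bot: The new `serviceAccountName: default` in the first values.yaml hunk is the only value in the visible lines without a trailing description, and it changes the contract: the chart no longer creates an account, so the name must refer to one that already exists in the release namespace. A comment such as `# Name of an existing ServiceAccount for the pod; the chart does not create one` would make that explicit. Indentation is not recoverable from this page, so confirm the key sits directly under `keptnservice:` rather than under `service:`, because the template reads `.Values.keptnservice.serviceAccountName`. Overrides of the removed `serviceAccount.*` values (second hunk) are now silently ignored, which is worth a line in the release notes.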