From 51859ca093ffd8b743e78fa2ccdfda344f5dee28 Mon Sep 17 00:00:00 2001
From: Alec Merdler
Date: Tue, 20 Apr 2021 14:21:36 -0700
Subject: [PATCH] kustomize: use separate ServiceAccount for Quay app pods (PROJQUAY-1909)

The Quay app pods will use their own ServiceAccount, rather than the default one in the namespace. This allows modifying permissions using SecurityContextConstraints without affecting other pods in the namespace.

Signed-off-by: Alec Merdler
---
 kustomize/base/kustomization.yaml | 3 +--
 kustomize/base/quay.deployment.yaml | 1 +
 kustomize/base/quay.role.yaml | 31 -------------------------
 kustomize/base/quay.rolebinding.yaml | 11 ---------
 kustomize/base/quay.serviceaccount.yaml | 4 ++++
 pkg/kustomize/kustomize_test.go | 4 +---
 6 files changed, 7 insertions(+), 47 deletions(-)
 delete mode 100644 kustomize/base/quay.role.yaml
 delete mode 100644 kustomize/base/quay.rolebinding.yaml
 create mode 100644 kustomize/base/quay.serviceaccount.yaml

diff --git a/kustomize/base/kustomization.yaml b/kustomize/base/kustomization.yaml
index 8a2c2c53b..c6af77e5d 100644
--- a/kustomize/base/kustomization.yaml
+++ b/kustomize/base/kustomization.yaml
@@ -4,8 +4,7 @@ kind: Kustomization
 commonLabels:
 app: quay
 resources:
- - ./quay.role.yaml
- - ./quay.rolebinding.yaml
+ - ./quay.serviceaccount.yaml
 - ./quay.deployment.yaml
 - ./quay.service.yaml
 - ./upgrade.deployment.yaml
diff --git a/kustomize/base/quay.deployment.yaml b/kustomize/base/quay.deployment.yaml
index 3709863d3..55f035997 100644
--- a/kustomize/base/quay.deployment.yaml
+++ b/kustomize/base/quay.deployment.yaml
@@ -14,6 +14,7 @@ spec:
 labels:
 quay-component: quay-app
 spec:
+ serviceAccountName: quay-app
 volumes:
 - name: configvolume
 secret:
diff --git a/kustomize/base/quay.role.yaml b/kustomize/base/quay.role.yaml
deleted file mode 100644
index ef0bd6614..000000000
--- a/kustomize/base/quay.role.yaml
+++ /dev/null
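Review bot: Removing `./quay.role.yaml` and `./quay.rolebinding.yaml` from the resource list revokes the secrets get/put/patch/update and deployments patch/update grants that the deleted RoleBinding gave the namespace's `default` ServiceAccount, but only the `quay-app` Deployment is moved off `default` in this patch; the other workloads in this base (`quay-app-upgrade` and `quay-config-editor`, per the component list in the test file) keep running as `default` and silently lose those permissions. Confirm that none of them talks to the API with that identity before the grants disappear, or keep the Role and bind it to whichever ServiceAccount still needs it. The subject line only mentions the new ServiceAccount, so a sentence in the commit message saying the RBAC removal is intentional (the grants were unused) would save the next reader the same check.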
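Review bot: `serviceAccountName: quay-app` puts the pod on a ServiceAccount that, after this patch, has no RoleBinding at all, yet its token is still automounted into every container by default, so a compromised Quay process still holds a valid API credential usable for discovery and for whatever the cluster's default bindings allow. Nothing in this patch grants the app any API access, so disable the mount right under the new line: `serviceAccountName: quay-app` / `automountServiceAccountToken: false`. Setting it in the pod spec (rather than only on the ServiceAccount object) leaves the SA as a plain identity for SCC matching, which is all the commit message says it is for. The Deployment's pod spec continues outside this hunk.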
@@ -1,31 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: Role
-metadata:
- name: quay-serviceaccount
-rules:
- - apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - get
- - put
- - patch
- - update
- - apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - apiGroups:
- - extensions
- - apps
- resources:
- - deployments
- verbs:
- - get
- - list
- - patch
- - update
- - watch
diff --git a/kustomize/base/quay.rolebinding.yaml b/kustomize/base/quay.rolebinding.yaml
deleted file mode 100644
index 6c51d2be3..000000000
--- a/kustomize/base/quay.rolebinding.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: RoleBinding
-metadata:
- name: quay-secret-writer
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: quay-serviceaccount
-subjects:
-- kind: ServiceAccount
- name: default
diff --git a/kustomize/base/quay.serviceaccount.yaml b/kustomize/base/quay.serviceaccount.yaml
new file mode 100644
index 000000000..b48278931
--- /dev/null
+++ b/kustomize/base/quay.serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: quay-app
diff --git a/pkg/kustomize/kustomize_test.go b/pkg/kustomize/kustomize_test.go
index 87e31368a..100aa4531 100644
--- a/pkg/kustomize/kustomize_test.go
+++ b/pkg/kustomize/kustomize_test.go
@@ -11,7 +11,6 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 batchv1 "k8s.io/api/batch/v1"
 corev1 "k8s.io/api/core/v1"
- rbac "k8s.io/api/rbac/v1beta1"
 "k8s.io/apimachinery/pkg/api/meta"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "sigs.k8s.io/controller-runtime/pkg/client"
@@ -205,8 +204,6 @@ func TestFlattenSecret(t *testing.T) {
 var quayComponents = map[string][]client.Object{
 "base": {
- &rbac.Role{ObjectMeta: metav1.ObjectMeta{Name: "quay-serviceaccount"}},
- &rbac.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "quay-secret-writer"}},
 &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "quay-app"}},
 &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "quay-app-upgrade"}},
 &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "quay-config-editor"}},
@@ -216,6 +213,7 @@ var quayComponents = map[string][]client.Object{
 &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "cluster-service-ca"}},
 &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "quay-config-editor-credentials"}},
 &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "quay-registry-managed-secret-keys"}},
+ &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "quay-app"}},
 },
 "clair": {
 &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "clair-config-secret"}},