From 8ccff0e606a36784de90d596bdf0b5be45bb751d Mon Sep 17 00:00:00 2001
From: RamLavi
Date: Mon, 9 Sep 2024 10:02:13 +0300
Subject: [PATCH] rbac: Move to use private ServiceAccount (#435)

Currently kubemacpool pods are using the default SA. Therefore extra permissions are being granted to the default SA. It would be better if they will use a dedicated SA.

Signed-off-by: Ram Lavi
---
 config/default/manager/manager.yaml | 8 ++++++++
 config/default/rbac/rbac_role_binding.yaml | 2 +-
 config/release/kubemacpool.yaml | 10 +++++++++-
 config/test/kubemacpool.yaml | 10 +++++++++-
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/config/default/manager/manager.yaml b/config/default/manager/manager.yaml
index ba24b676d..6bd30363e 100644
--- a/config/default/manager/manager.yaml
+++ b/config/default/manager/manager.yaml
@@ -1,4 +1,10 @@
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sa
+ namespace: system
+---
+apiVersion: v1
 kind: Namespace
 metadata:
 labels:
@@ -45,6 +51,7 @@ spec:
 annotations:
 description: KubeMacPool manages MAC allocation to Pods and VMs
 spec:
+ serviceAccountName: sa
 tolerations:
 - key: node.kubernetes.io/unreachable
 operator: Exists
@@ -180,6 +187,7 @@ spec:
 control-plane: cert-manager
 controller-tools.k8s.io: "1.0"
 spec:
+ serviceAccountName: sa
 restartPolicy: Always
 securityContext:
 runAsNonRoot: true
diff --git a/config/default/rbac/rbac_role_binding.yaml b/config/default/rbac/rbac_role_binding.yaml
index c1033e23f..99b8643dc 100644
--- a/config/default/rbac/rbac_role_binding.yaml
+++ b/config/default/rbac/rbac_role_binding.yaml
@@ -9,5 +9,5 @@ roleRef:
 name: manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: sa
 namespace: system
diff --git a/config/release/kubemacpool.yaml b/config/release/kubemacpool.yaml
index f40c06d4d..3dbae30a0 100644
--- a/config/release/kubemacpool.yaml
+++ b/config/release/kubemacpool.yaml
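Review bot: The `serviceAccountName: sa` added in the `@@ -180,6 +187,7 @@` hunk gives the `control-plane: cert-manager` Deployment the same identity, and therefore the same `manager-role` ClusterRole, as the main manager Deployment. That is no wider than before, since both previously ran as `default` which carried the binding, but introducing a dedicated SA is the natural moment to split them: if the cert-manager pod only needs the certificate/webhook-related verbs, a second ServiceAccount bound to a narrower role would keep the MAC-allocation controller's permissions off it. Both Deployment definitions start and end outside the hunk, so which verbs each one actually uses cannot be confirmed here. At minimum a comment on the new ServiceAccount in the first hunk, e.g. `# dedicated identity for both kubemacpool deployments; bound to manager-role via rbac_role_binding.yaml`, would record that the sharing is intentional rather than an oversight.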
@@ -5,6 +5,12 @@ metadata:
 pod-security.kubernetes.io/enforce: restricted
 name: kubemacpool-system
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubemacpool-sa
+ namespace: kubemacpool-system
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -95,7 +101,7 @@ roleRef:
 name: kubemacpool-manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: kubemacpool-sa
 namespace: kubemacpool-system
 ---
 apiVersion: v1
@@ -205,6 +211,7 @@ spec:
 runAsUser: 107
 seccompProfile:
 type: RuntimeDefault
+ serviceAccountName: kubemacpool-sa
 terminationGracePeriodSeconds: 5
 ---
 apiVersion: apps/v1
@@ -329,6 +336,7 @@ spec:
 runAsUser: 107
 seccompProfile:
 type: RuntimeDefault
+ serviceAccountName: kubemacpool-sa
 terminationGracePeriodSeconds: 5
 tolerations:
 - effect: NoExecute
diff --git a/config/test/kubemacpool.yaml b/config/test/kubemacpool.yaml
index 28f561396..83ff11489 100644
--- a/config/test/kubemacpool.yaml
+++ b/config/test/kubemacpool.yaml
@@ -6,6 +6,12 @@ metadata:
 pod-security.kubernetes.io/enforce: restricted
 name: kubemacpool-system
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubemacpool-sa
+ namespace: kubemacpool-system
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -96,7 +102,7 @@ roleRef:
 name: kubemacpool-manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: kubemacpool-sa
 namespace: kubemacpool-system
 ---
 apiVersion: v1
@@ -206,6 +212,7 @@ spec:
 runAsUser: 107
 seccompProfile:
 type: RuntimeDefault
+ serviceAccountName: kubemacpool-sa
 terminationGracePeriodSeconds: 5
 ---
 apiVersion: apps/v1
@@ -330,6 +337,7 @@ spec:
 runAsUser: 107
 seccompProfile:
 type: RuntimeDefault
+ serviceAccountName: kubemacpool-sa
 terminationGracePeriodSeconds: 5
 tolerations:
 - effect: NoExecute