From 00f7a8b2aaca418f4260cc56098b376d0c08dae9 Mon Sep 17 00:00:00 2001
From: Yang Yang
Date: Fri, 20 Aug 2021 17:55:08 +0800
Subject: [PATCH] Use the project-specific service account for the operator

Previously the project is using the `default` service account to deploy and run the operator, which is not safe. This PR follows the [introduction](https://github.com/operator-framework/operator-sdk/issues/4468) to run the operator with a project-specific service account (xxx-operator-controller-manager) to fix this issue.
---
 config/manager/manager.yaml | 3 ++-
 config/rbac/auth_proxy_role_binding.yaml | 2 +-
 config/rbac/kustomization.yaml | 1 +
 config/rbac/leader_election_role_binding.yaml | 2 +-
 config/rbac/role_binding.yaml | 2 +-
 config/rbac/service_account.yaml | 5 +++++
 6 files changed, 11 insertions(+), 4 deletions(-)
 create mode 100644 config/rbac/service_account.yaml

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
index 571b18fc..2759e1a9 100644
--- a/config/manager/manager.yaml
+++ b/config/manager/manager.yaml
@@ -42,7 +42,7 @@ spec:
 containers:
 - name: flink-operator
 image: flink-operator:latest
- command:
+ command:
 - /flink-operator
 args:
 - --enable-leader-election
@@ -53,4 +53,5 @@ spec:
 requests:
 cpu: 100m
 memory: 20Mi
+ serviceAccountName: controller-manager
 terminationGracePeriodSeconds: 10
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
index 5f29ab7a..ac28b5f8 100644
--- a/config/rbac/auth_proxy_role_binding.yaml
+++ b/config/rbac/auth_proxy_role_binding.yaml
@@ -22,5 +22,5 @@ roleRef:
 name: proxy-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: controller-manager
 namespace: system
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 86d3f911..3c2900ae 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
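Review bot: In config/manager/manager.yaml the added `serviceAccountName: controller-manager` is one of five places in this patch that must spell the same account name (the pod spec, the `subjects` entries in auth_proxy_role_binding.yaml, leader_election_role_binding.yaml and role_binding.yaml, and `metadata.name` in service_account.yaml), and nothing in the manifests records that coupling. A binding whose subject names a ServiceAccount that does not exist is accepted by the API server, so a later typo or partial rename would leave the operator without the roles it expects instead of failing at apply time. I would add a comment on the new line such as `# must match metadata.name in config/rbac/service_account.yaml`, and the same pointer above each changed `name: controller-manager` subject. The pod spec and the binding documents begin outside these hunks, so whether any other subject or account reference remains is not visible here.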
@@ -23,3 +23,4 @@ resources:
 - auth_proxy_service.yaml
 - auth_proxy_role.yaml
 - auth_proxy_role_binding.yaml
+- service_account.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
index 1870bb93..863f9fb8 100644
--- a/config/rbac/leader_election_role_binding.yaml
+++ b/config/rbac/leader_election_role_binding.yaml
@@ -22,5 +22,5 @@ roleRef:
 name: leader-election-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: controller-manager
 namespace: system
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
index 2f57ce1b..ec9790ae 100644
--- a/config/rbac/role_binding.yaml
+++ b/config/rbac/role_binding.yaml
@@ -22,5 +22,5 @@ roleRef:
 name: manager-role
 subjects:
 - kind: ServiceAccount
- name: default
+ name: controller-manager
 namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
new file mode 100644
index 00000000..7cd6025b
--- /dev/null
+++ b/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: controller-manager
+ namespace: system
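Review bot: The new config/rbac/service_account.yaml opens directly with `apiVersion: v1` and carries no comment, while the sibling RBAC files changed here have their first visible content around line 22, which suggests (not confirmed from this diff) that they start with a header block this file lacks. I would add the same header if there is one, plus a line above `kind: ServiceAccount` such as `# Identity the operator pod runs as; referenced by the proxy, leader-election and manager role bindings.` Since the description's goal is to take these roles away from the `default` account, it is also worth stating in the PR how that was verified after deployment, for example with `kubectl auth can-i --list --as=system:serviceaccount:<namespace>:default`, where `<namespace>` is a placeholder for the operator's namespace.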