@@ -15,21 +15,42 @@ import (
15
15
)
16
16
17
17
func rolebinding (ctx * common.RenderContext ) ([]runtime.Object , error ) {
18
- return []runtime.Object {& rbacv1.RoleBinding {
19
- TypeMeta : common .TypeMetaRoleBinding ,
20
- ObjectMeta : metav1.ObjectMeta {
21
- Name : Component ,
22
- Namespace : ctx .Namespace ,
23
- Labels : common .DefaultLabels (Component ),
18
+ labels := common .DefaultLabels (Component )
19
+
20
+ return []runtime.Object {
21
+ & rbacv1.ClusterRoleBinding {
22
+ TypeMeta : common .TypeMetaClusterRoleBinding ,
23
+ ObjectMeta : metav1.ObjectMeta {
24
+ Name : fmt .Sprintf ("%s-%s-rb-kube-rbac-proxy" , ctx .Namespace , Component ),
25
+ Labels : labels ,
26
+ },
27
+ RoleRef : rbacv1.RoleRef {
28
+ Kind : "ClusterRole" ,
29
+ Name : fmt .Sprintf ("%s-kube-rbac-proxy" , ctx .Namespace ),
30
+ APIGroup : "rbac.authorization.k8s.io" ,
31
+ },
32
+ Subjects : []rbacv1.Subject {{
33
+ Kind : "ServiceAccount" ,
34
+ Name : Component ,
35
+ Namespace : ctx .Namespace ,
36
+ }},
24
37
},
25
- RoleRef : rbacv1.RoleRef {
26
- Kind : "ClusterRole" ,
27
- Name : fmt .Sprintf ("%s-ns-psp:restricted-root-user" , ctx .Namespace ),
28
- APIGroup : "rbac.authorization.k8s.io" ,
38
+ & rbacv1.RoleBinding {
39
+ TypeMeta : common .TypeMetaRoleBinding ,
40
+ ObjectMeta : metav1.ObjectMeta {
41
+ Name : Component ,
42
+ Namespace : ctx .Namespace ,
43
+ Labels : common .DefaultLabels (Component ),
44
+ },
45
+ RoleRef : rbacv1.RoleRef {
46
+ Kind : "ClusterRole" ,
47
+ Name : fmt .Sprintf ("%s-ns-psp:restricted-root-user" , ctx .Namespace ),
48
+ APIGroup : "rbac.authorization.k8s.io" ,
49
+ },
50
+ Subjects : []rbacv1.Subject {{
51
+ Kind : "ServiceAccount" ,
52
+ Name : Component ,
53
+ }},
29
54
},
30
- Subjects : []rbacv1.Subject {{
31
- Kind : "ServiceAccount" ,
32
- Name : Component ,
33
- }},
34
- }}, nil
55
+ }, nil
35
56
}
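Review bot: The new ClusterRoleBinding gives the component's ServiceAccount a cluster-wide grant, but nothing in this hunk explains why or shows what the referenced ClusterRole `<namespace>-kube-rbac-proxy` allows. kube-rbac-proxy normally needs only `create` on `tokenreviews` and `subjectaccessreviews`, so please confirm that the role, which is defined outside this hunk, is limited to that. A comment above the binding would record the reason, for example `// kube-rbac-proxy calls the cluster-scoped TokenReview/SubjectAccessReview APIs, hence a ClusterRoleBinding.` As a smaller style point, the RoleBinding below still calls `common.DefaultLabels(Component)` although `labels` already holds that value. `Labels: labels,` would keep the two objects consistent, assuming the returned map is not mutated per object afterwards.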