
Commit f09b44a

easyCZroboquat
authored andcommitted
[public-api] Add role binding for kube-rbac-proxy to auth metric scrapes
1 parent 00c3c60 commit f09b44a


1 file changed

+36
-15
lines changed


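--- a/install/installer/pkg/components/public-api-server/rolebinding.go
+++ b/install/installer/pkg/components/public-api-server/rolebinding.go
@@ -15,21 +15,42 @@ import (
 )
 
 func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
-return []runtime.Object{&rbacv1.RoleBinding{
-TypeMeta: common.TypeMetaRoleBinding,
-ObjectMeta: metav1.ObjectMeta{
-Name: Component,
-Namespace: ctx.Namespace,
-Labels: common.DefaultLabels(Component),
+labels := common.DefaultLabels(Component)
+
+return []runtime.Object{
+&rbacv1.ClusterRoleBinding{
+TypeMeta: common.TypeMetaClusterRoleBinding,
+ObjectMeta: metav1.ObjectMeta{
+Name: fmt.Sprintf("%s-%s-rb-kube-rbac-proxy", ctx.Namespace, Component),
+Labels: labels,
+},
+RoleRef: rbacv1.RoleRef{
+Kind: "ClusterRole",
+Name: fmt.Sprintf("%s-kube-rbac-proxy", ctx.Namespace),
+APIGroup: "rbac.authorization.k8s.io",
+},
+Subjects: []rbacv1.Subject{{
+Kind: "ServiceAccount",
+Name: Component,
+Namespace: ctx.Namespace,
+}},
 },
-RoleRef: rbacv1.RoleRef{
-Kind: "ClusterRole",
-Name: fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
-APIGroup: "rbac.authorization.k8s.io",
+&rbacv1.RoleBinding{
+TypeMeta: common.TypeMetaRoleBinding,
+ObjectMeta: metav1.ObjectMeta{
+Name: Component,
+Namespace: ctx.Namespace,
+Labels: common.DefaultLabels(Component),
+},
+RoleRef: rbacv1.RoleRef{
+Kind: "ClusterRole",
+Name: fmt.Sprintf("%s-ns-psp:restricted-root-user", ctx.Namespace),
+APIGroup: "rbac.authorization.k8s.io",
+},
+Subjects: []rbacv1.Subject{{
+Kind: "ServiceAccount",
+Name: Component,
+}},
 },
-Subjects: []rbacv1.Subject{{
-Kind: "ServiceAccount",
-Name: Component,
-}},
-}}, nil
+}, nil
 }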
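Review bot: The new `ClusterRoleBinding` gives the component's ServiceAccount a cluster-scoped grant, but nothing in `rolebinding` says why cluster scope is needed or what the `<namespace>-kube-rbac-proxy` ClusterRole permits. That role is defined outside this file, so it should be confirmed that it is limited to what the proxy needs (presumably creating TokenReviews and SubjectAccessReviews). A comment above the binding would record this for later RBAC audits, for example `// kube-rbac-proxy authenticates metric scrapes through cluster-scoped review APIs, so this must be a ClusterRoleBinding.` Because a cluster-scoped object is not removed when the namespace is deleted, the uninstall path should also delete this binding, so that a later ServiceAccount with the same name and namespace does not inherit it. As a style point, the `RoleBinding` still calls `common.DefaultLabels(Component)` instead of reusing `labels`, and its subject omits `Namespace: ctx.Namespace`, which the new binding sets explicitly; making the two consistent would read more clearly.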
