From 5a8d6366d4d2b1190fea0ac4a36d1258df271299 Mon Sep 17 00:00:00 2001 From: ArthurSens Date: Wed, 10 Aug 2022 12:21:23 +0000 Subject: [PATCH 1/2] component/content-service: Add rolebinding for kube-rbac-proxy token verification Signed-off-by: ArthurSens
---
 .../components/content-service/rolebinding.go | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-)
diff --git a/install/installer/pkg/components/content-service/rolebinding.go b/install/installer/pkg/components/content-service/rolebinding.go
index ffa639a3b6dfa9..4540b97ba7b3df 100644
--- a/install/installer/pkg/components/content-service/rolebinding.go
+++ b/install/installer/pkg/components/content-service/rolebinding.go
@@ -31,5 +31,24 @@ func rolebinding(ctx *common.RenderContext) ([]runtime.Object, error) {
 Kind: "ServiceAccount",
 Name: Component,
 }},
- }}, nil
+ }, &rbacv1.ClusterRoleBinding{
+ TypeMeta: common.TypeMetaClusterRoleBinding,
+ ObjectMeta: metav1.ObjectMeta{
+ Name: fmt.Sprintf("%s-%s-rb-kube-rbac-proxy", ctx.Namespace, Component),
+ Labels: common.DefaultLabels(Component),
+ },
+ RoleRef: rbacv1.RoleRef{
+ Kind: "ClusterRole",
+ Name: fmt.Sprintf("%s-kube-rbac-proxy", ctx.Namespace),
+ APIGroup: "rbac.authorization.k8s.io",
+ },
+ Subjects: []rbacv1.Subject{
+ {
+ Kind: "ServiceAccount",
+ Name: Component,
+ Namespace: ctx.Namespace,
+ },
+ },
+ },
+ }, nil
 }
From 6f44d814c1577219c99a816c15e2d83e015e8b5a Mon Sep 17 00:00:00 2001 From: ArthurSens Date: Wed, 10 Aug 2022 12:57:08 +0000 Subject: [PATCH 2/2] Add golden files Signed-off-by: ArthurSens
---
 .../render/customization/output.golden | 27 +++++++++++++++++++ .../render/external-registry/output.golden | 27 +++++++++++++++++++ .../cmd/testdata/render/minimal/output.golden | 27 +++++++++++++++++++ .../statefulset-customization/output.golden | 27 +++++++++++++++++++ 4 files changed, 108 insertions(+)
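Review bot: The new ClusterRoleBinding's `RoleRef.Name` is rebuilt locally as `fmt.Sprintf("%s-kube-rbac-proxy", ctx.Namespace)` while the ClusterRole it points at is created somewhere outside this hunk; Kubernetes accepts a binding whose role does not exist, so if that name ever drifts, or the role is not rendered, the content-service ServiceAccount silently holds no permissions and the proxy's token checks would presumably fail at runtime rather than at render time. Taking the name from the same helper or constant that names the ClusterRole (not visible here) would keep the two in step. Because the binding is cluster-scoped, whatever that role allows is granted to the ServiceAccount cluster-wide, so a comment above the literal such as `// Binds the content-service SA to the shared kube-rbac-proxy ClusterRole (presumably TokenReview/SubjectAccessReview create only); keep that role minimal.` would record the intent for later reviewers. The binding's own name also carries an `-rb-` infix that the neighbouring `default-ide-metrics-kube-rbac-proxy` binding in the golden output does not, which makes the kube-rbac-proxy bindings harder to find by pattern when auditing RBAC. The body of rolebinding starts outside the hunk, so the first returned object is only partly visible.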
diff --git a/install/installer/cmd/testdata/render/customization/output.golden b/install/installer/cmd/testdata/render/customization/output.golden index 9e4c1858bdd384..91e37d1879c9ee 100644 --- a/install/installer/cmd/testdata/render/customization/output.golden +++ b/install/installer/cmd/testdata/render/customization/output.golden @@ -2215,6 +2215,15 @@ data: name: content-service namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy + --- apiVersion: v1 kind: Service metadata: @@ -5172,6 +5181,24 @@ subjects: name: blobserve namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-content-service-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: content-service + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ide-metrics-kube-rbac-proxy apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/install/installer/cmd/testdata/render/external-registry/output.golden b/install/installer/cmd/testdata/render/external-registry/output.golden index 35f9fe685e7d8b..2120fe62583e77 100644 --- a/install/installer/cmd/testdata/render/external-registry/output.golden +++ b/install/installer/cmd/testdata/render/external-registry/output.golden 
@@ -1995,6 +1995,15 @@ data: name: content-service namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy + --- apiVersion: v1 kind: Service metadata: @@ -4612,6 +4621,24 @@ subjects: name: blobserve namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-content-service-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: content-service + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ide-metrics-kube-rbac-proxy apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/install/installer/cmd/testdata/render/minimal/output.golden b/install/installer/cmd/testdata/render/minimal/output.golden index 0e6ccffccda8d1..c9c97443152768 100644 --- a/install/installer/cmd/testdata/render/minimal/output.golden +++ b/install/installer/cmd/testdata/render/minimal/output.golden @@ -2101,6 +2101,15 @@ data: name: content-service namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy + --- apiVersion: v1 kind: Service metadata: 
@@ -4851,6 +4860,24 @@ subjects: name: blobserve namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-content-service-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: content-service + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ide-metrics-kube-rbac-proxy apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding diff --git a/install/installer/cmd/testdata/render/statefulset-customization/output.golden b/install/installer/cmd/testdata/render/statefulset-customization/output.golden index 750a008e96f96d..16fa312a03f20c 100644 --- a/install/installer/cmd/testdata/render/statefulset-customization/output.golden +++ b/install/installer/cmd/testdata/render/statefulset-customization/output.golden @@ -2113,6 +2113,15 @@ data: name: content-service namespace: default --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy + --- apiVersion: v1 kind: Service metadata: 
@@ -4863,6 +4872,24 @@ subjects: name: blobserve namespace: default --- +# rbac.authorization.k8s.io/v1/ClusterRoleBinding default-content-service-rb-kube-rbac-proxy +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + creationTimestamp: null + labels: + app: gitpod + component: content-service + name: default-content-service-rb-kube-rbac-proxy +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: default-kube-rbac-proxy +subjects: +- kind: ServiceAccount + name: content-service + namespace: default +--- # rbac.authorization.k8s.io/v1/ClusterRoleBinding default-ide-metrics-kube-rbac-proxy apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding