Merge pull request #519 from cwrau/feat/use-real-serviceaccount

k8s-ci-robot · web-flow · commit 628476cec064 · 2024-06-24T02:12:56.000-07:00
⚠️ feat(rbac): use real ServiceAccount instead of default
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -15,6 +15,8 @@ spec:
       labels:
         control-plane: controller-manager
     spec:
+      serviceAccountName: manager
+      automountServiceAccountToken: true
       containers:
       - command:
         - /manager
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -3,3 +3,4 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+- service_account.yaml
diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system
diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: manager
+  namespace: system
diff --git a/hack/charts/cluster-api-operator/templates/deployment.yaml b/hack/charts/cluster-api-operator/templates/deployment.yaml
@@ -47,6 +47,8 @@ spec:
       {{- toYaml . | nindent 8 }}
       {{- end }}
     spec:
+      serviceAccountName: capi-operator-manager
+      automountServiceAccountToken: true
       {{- with .Values.securityContext }}
       securityContext:
       {{- toYaml . | nindent 8 }}
diff --git a/test/e2e/resources/full-chart-install.yaml b/test/e2e/resources/full-chart-install.yaml
@@ -1,5 +1,14 @@
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    clusterctl.cluster.x-k8s.io/core: capi-operator
+  name: capi-operator-manager
+  namespace: 'default'
+---
+# Source: cluster-api-operator/templates/operator-components.yaml
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
@@ -17702,7 +17711,7 @@ roleRef:
   name: capi-operator-manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: capi-operator-manager
   namespace: 'default'
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
@@ -17767,7 +17776,7 @@ roleRef:
   name: capi-operator-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: capi-operator-manager
   namespace: 'default'
 ---
 # Source: cluster-api-operator/templates/operator-components.yaml
@@ -17818,6 +17827,8 @@ spec:
         control-plane: controller-manager
         clusterctl.cluster.x-k8s.io/core: capi-operator
     spec:
+      serviceAccountName: capi-operator-manager
+      automountServiceAccountToken: true
       containers:
       - args:
         - --v=2
