Using dedicated ServiceAccount for manager pod

yevgeny-shnaidman · yevgeny-shnaidman · commit e5ce843b65af · 2024-07-15T13:39:24.000+03:00
currently manager pod is using the default service account
in order to increase readability and to avoid confusion
we will use a dedicated ServiceAccount instead of default
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -22,6 +22,7 @@ spec:
       labels:
         control-plane: nfd-controller-manager
     spec:
+      serviceAccountName: nfd-manager
       containers:
         - name: manager
           securityContext:
diff --git a/config/rbac/auth_proxy/role_binding.yaml b/config/rbac/auth_proxy/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: nfd-proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: nfd-manager
   namespace: node-feature-discovery-operator
diff --git a/config/rbac/core/leader_election_role_binding.yaml b/config/rbac/core/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: nfd-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: nfd-manager
   namespace: node-feature-discovery-operator
diff --git a/config/rbac/core/manager_role.yaml b/config/rbac/core/manager_role.yaml
@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
-  name: nfd-manager-role
+  name: nfd-manager
 rules:
 - apiGroups:
   - ""
diff --git a/config/rbac/core/manager_role.yaml.working b/config/rbac/core/manager_role.yaml.working
diff --git a/config/rbac/core/manager_role_binding.yaml b/config/rbac/core/manager_role_binding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: nfd-manager-rolebinding
+  name: nfd-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: nfd-manager-role
+  name: nfd-manager
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: nfd-manager
   namespace: node-feature-discovery-operator
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - prune/
 - topologyupdater/
 - worker/
+- manager/
 # Comment the following line if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.
diff --git a/config/rbac/manager/kustomization.yaml b/config/rbac/manager/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- sa.yaml
diff --git a/config/rbac/manager/sa.yaml b/config/rbac/manager/sa.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nfd-manager
+  namespace: node-feature-discovery-operator
