diff --git a/install/0000_00_cluster-version-operator_02_ZZ_roles.yaml b/install/0000_00_cluster-version-operator_02_ZZ_roles.yaml
new file mode 100644
index 000000000..15a40cbdf
--- /dev/null
+++ b/install/0000_00_cluster-version-operator_02_ZZ_roles.yaml
@@ -0,0 +1,44 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-version-operator
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+subjects:
+- kind: ServiceAccount
+ name: cluster-version-operator
+ namespace: openshift-cluster-version
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-version-operator-payload
+ annotations:
+ include.release.openshift.io/self-managed-high-availability: "true"
+subjects:
+- kind: ServiceAccount
+ name: update-payload-dedicated-sa
+ namespace: openshift-cluster-version
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cluster-version-operator
+ annotations:
+ kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
+ include.release.openshift.io/self-managed-high-availability: "true"
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ namespace: openshift-cluster-version
+ name: default
diff --git a/install/0000_00_cluster-version-operator_02_roles.yaml b/install/0000_00_cluster-version-operator_02_roles.yaml
deleted file mode 100644
index 9396aa614..000000000
--- a/install/0000_00_cluster-version-operator_02_roles.yaml
+++ /dev/null
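Review bot: The first and third documents in this file both declare a ClusterRoleBinding named `cluster-version-operator`; ClusterRoleBindings are cluster-scoped, so the two cannot coexist and whichever is applied last replaces the other's `subjects`, meaning either the new `cluster-version-operator` ServiceAccount (which the deployment in this commit now runs as) or the `default` ServiceAccount ends up without the cluster-admin binding, depending on application order. Give the carried-over `default`-SA binding a distinct name (for example `cluster-version-operator-default`), or drop it if the `default` ServiceAccount no longer needs cluster-admin once the operator has its own identity — keeping it means any pod in openshift-cluster-version that omits `serviceAccountName` still receives cluster-admin. The second binding grants cluster-admin to `update-payload-dedicated-sa` without any explanation; a `kubernetes.io/description` annotation like the one on the third document, stating why the payload pod needs cluster-wide admin rather than a narrower role, would help future reviewers.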
@@ -1,14 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cluster-version-operator
- annotations:
- kubernetes.io/description: Grant the cluster-version operator permission to perform cluster-admin actions while managing the OpenShift core.
- include.release.openshift.io/self-managed-high-availability: "true"
-roleRef:
- kind: ClusterRole
- name: cluster-admin
-subjects:
-- kind: ServiceAccount
- namespace: openshift-cluster-version
- name: default
diff --git a/install/0000_00_cluster-version-operator_02_service_account.yaml b/install/0000_00_cluster-version-operator_02_service_account.yaml
new file mode 100644
index 000000000..96b8eee99
--- /dev/null
+++ b/install/0000_00_cluster-version-operator_02_service_account.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cluster-version-operator
+ namespace: openshift-cluster-version
+ annotations:
+ kubernetes.io/description: Dedicated Service Account for the Cluster Version Operator.
+ include.release.openshift.io/self-managed-high-availability: "true"
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: update-payload-dedicated-sa
+ namespace: openshift-cluster-version
+ annotations:
+ kubernetes.io/description: Dedicated Service Account for the Update Payload.
+ include.release.openshift.io/self-managed-high-availability: "true"
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
index ff85c55f9..8a373dcc9 100644
--- a/install/0000_00_cluster-version-operator_03_deployment.yaml
+++ b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -23,6 +23,7 @@ spec:
 k8s-app: cluster-version-operator
 spec:
 automountServiceAccountToken: false
+ serviceAccountName: cluster-version-operator
 containers:
 - name: cluster-version-operator
 image: '{{.ReleaseImage}}'
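Review bot: `automountServiceAccountToken: false` is kept on the line directly above the new `serviceAccountName: cluster-version-operator`, so the operator only authenticates as that ServiceAccount if a projected token volume is mounted explicitly; the hunk does not show the pod's volumes, so confirm one exists, otherwise the new ClusterRoleBinding has no effect and the operator's API calls run unauthenticated. The same addition appears in `pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml`. If an explicit token mount is the design, a comment on the new line such as `# token is mounted through an explicit projected volume, not automounted` would record why the two settings are intentionally combined.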
diff --git a/pkg/cvo/updatepayload.go b/pkg/cvo/updatepayload.go
index ace63e725..d4439830d 100644
--- a/pkg/cvo/updatepayload.go
+++ b/pkg/cvo/updatepayload.go
@@ -232,6 +232,7 @@ func (r *payloadRetriever) fetchUpdatePayloadToDir(ctx context.Context, dir stri
 },
 },
 Spec: corev1.PodSpec{
+ ServiceAccountName: "update-payload-dedicated-sa",
 ActiveDeadlineSeconds: deadline,
 InitContainers: []corev1.Container{
 setContainerDefaults(corev1.Container{
diff --git a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
index b3f0c40d1..9c037bdd9 100644
--- a/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
+++ b/pkg/payload/testdata/TestRenderManifest_expected_cvo_deployment.yaml
@@ -23,6 +23,7 @@ spec:
 k8s-app: cluster-version-operator
 spec:
 automountServiceAccountToken: false
+ serviceAccountName: cluster-version-operator
 containers:
 - name: cluster-version-operator
 image: 'quay.io/cvo/release:latest'
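Review bot: The payload pod now runs as `update-payload-dedicated-sa`, which the roles manifest in this commit binds to `cluster-admin`, and nothing in the hunk disables token automount, so a cluster-admin token is mounted into the init and main containers. If the pod only extracts the release image contents and makes no API calls, set `AutomountServiceAccountToken` to false on the `PodSpec` so that credential is not present in the containers, and if the dedicated ServiceAccount exists mainly to satisfy admission (SCC) rather than to call the API, a narrower binding than cluster-admin would suffice. The ServiceAccount name is also hard-coded here while the manifest defines it in `install/0000_00_cluster-version-operator_02_service_account.yaml`; a named constant alongside the other pod settings would keep the two in sync. `fetchUpdatePayloadToDir` starts and ends outside the hunk.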