Merge pull request #244 from yevgeny-shnaidman/yevgeny/manager-servic…

…e-account

Using dedicated ServiceAccount for manager pod

config/manager/manager.yaml

@@ -22,6 +22,7 @@ spec:
       labels:
         control-plane: nfd-controller-manager
     spec:
+      serviceAccountName: nfd-manager
       containers:
         - name: manager
           securityContext:

config/rbac/auth_proxy/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: nfd-proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: nfd-manager
   namespace: node-feature-discovery-operator

config/rbac/core/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: nfd-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: nfd-manager
   namespace: node-feature-discovery-operator

config/rbac/core/manager_role.yaml

@@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   creationTimestamp: null
-  name: nfd-manager-role
+  name: nfd-manager
 rules:
 - apiGroups:
   - ""

config/rbac/core/manager_role_binding.yaml

@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: nfd-manager-rolebinding
+  name: nfd-manager
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: nfd-manager-role
+  name: nfd-manager
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: nfd-manager
   namespace: node-feature-discovery-operator

config/rbac/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
 - prune/
 - topologyupdater/
 - worker/
+- manager/
 # Comment the following line if you want to disable
 # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
 # which protects your /metrics endpoint.

config/rbac/manager/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- sa.yaml

config/rbac/manager/sa.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nfd-manager
+  namespace: node-feature-discovery-operator