Update deployments to use their own NS, add rbac

microcumulus · Oct 5, 2021 · b82adb6 · b82adb6
1 parent 1099d1e
commit b82adb6
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 18 deletions.
diff --git a/k8s.yaml b/k8s.yaml
@@ -1,25 +1,32 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: admission
+  name: ca-injector
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: injector
+  namespace: ca-injector
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: cert-injector
-  namespace: admission
+  name: ca-injector
+  namespace: ca-injector
 spec:
   replicas: 1
   selector:
     matchLabels:
-      app: cert-injector
+      app: ca-injector
   template:
     metadata:
       labels:
-        app: cert-injector
+        app: ca-injector
     spec:
+      serviceAccount: injector
       containers:
-      - name: cert-injector
+      - name: ca-injector
         image: andrewstuart/cert-injector
         imagePullPolicy: Always
         resources:
@@ -37,30 +44,56 @@ spec:
       volumes: 
       - name: cert
         secret:
-          secretName: injector.admission.svc.cluster.local.tls
+          secretName: injector.ca-injector.svc.cluster.local.tls
 ---
 apiVersion: v1
 kind: Service
 metadata:
-  name: cert-injector
-  namespace: admission
+  name: ca-injector
+  namespace: ca-injector
 spec:
   ports:
   - port: 443
     targetPort: 8443
   selector:
-    app: cert-injector
+    app: ca-injector
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: injector-mwh-cert
-  namespace: admission
+  namespace: ca-injector
 spec:
-  secretName: injector.admission.svc.cluster.local.tls
+  secretName: injector.ca-injector.svc.cluster.local.tls
   dnsNames:
-  - cert-injector.admission.svc.cluster.local
-  - cert-injector.admission.svc
+  - ca-injector.ca-injector.svc.cluster.local
+  - ca-injector.ca-injector.svc
   issuerRef:
     name: vault # Replace this issuer with your own issuer
     kind: ClusterIssuer
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ca-injector
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - list
+  - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ca-injector-list-delete-pods
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ca-injector
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: system:serviceaccount:ca-injector:injector
diff --git a/mwh.yml b/mwh.yml
@@ -1,9 +1,9 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
-  name: cert-injector.microcumul.us
+  name: ca-injector.microcumul.us
 webhooks:
-- name: cert-injector.microcumul.us
+- name: ca-injector.microcumul.us
   admissionReviewVersions:
     - v1
   sideEffects: NoneOnDryRun
@@ -20,7 +20,7 @@ webhooks:
   clientConfig:
     caBundle: ""
     service:
-      namespace: admission
-      name: cert-injector
+      namespace: ca-injector
+      name: ca-injector
       path: /pods
 ---