Merge pull request #4245 from MarcelMue/individual-service-accounts

⚠️ Use individual service accounts

Author: k8s-ci-robot

bootstrap/kubeadm/config/manager/manager.yaml

@@ -25,6 +25,7 @@ spec:
         image: controller:latest
         name: manager
       terminationGracePeriodSeconds: 10
+      serviceAccountName: manager
       tolerations:
         - effect: NoSchedule
           key: node-role.kubernetes.io/master

bootstrap/kubeadm/config/rbac/auth_proxy_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

bootstrap/kubeadm/config/rbac/kustomization.yaml

@@ -1,6 +1,7 @@
 resources:
 - role.yaml
 - role_binding.yaml
+- service_account.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 - auth_proxy_service.yaml

bootstrap/kubeadm/config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

bootstrap/kubeadm/config/rbac/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

bootstrap/kubeadm/config/rbac/service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: manager
+  namespace: system

config/manager/manager.yaml

@@ -38,6 +38,7 @@ spec:
             path: /healthz
             port: healthz
       terminationGracePeriodSeconds: 10
+      serviceAccountName: manager
       tolerations:
         - effect: NoSchedule
           key: node-role.kubernetes.io/master

config/rbac/auth_proxy_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

config/rbac/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - role_binding.yaml
 - role.yaml
+- service_account.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 - aggregated_role.yaml

config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

config/rbac/role_binding.yaml

@@ -9,5 +9,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

config/rbac/service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: manager
+  namespace: system

controlplane/kubeadm/config/manager/manager.yaml

@@ -24,6 +24,7 @@ spec:
         image: controller:latest
         name: manager
       terminationGracePeriodSeconds: 10
+      serviceAccountName: manager
       tolerations:
         - effect: NoSchedule
           key: node-role.kubernetes.io/master

controlplane/kubeadm/config/rbac/auth_proxy_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

controlplane/kubeadm/config/rbac/kustomization.yaml

@@ -1,6 +1,7 @@
 resources:
 - role.yaml
 - role_binding.yaml
+- service_account.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 3 lines if you want to disable

controlplane/kubeadm/config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

controlplane/kubeadm/config/rbac/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

controlplane/kubeadm/config/rbac/service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: manager
+  namespace: system

docs/book/src/developer/providers/v1alpha3-to-v1alpha4.md

@@ -211,3 +211,25 @@ with `cert-manager.io/v1`
 		return errors.Wrap(err, "failed setting up with a controller manager")
 	}
   ```
+
+## Required changes to have individual service accounts for controllers.
+
+1. Create a new service account such as:
+  ```yaml
+  apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: manager
+  namespace: system
+  ```
+2. Change the `subject` of the managers `ClusterRoleBinding` to match:
+  ```yaml
+  subjects:
+  - kind: ServiceAccount
+    name: manager
+    namespace: system
+  ```
+3. Add the correct `serviceAccountName` to the manager deployment:
+  ```yaml
+  serviceAccountName: manager
+  ```

test/infrastructure/docker/config/manager/manager.yaml

@@ -40,6 +40,7 @@ spec:
         securityContext:
           privileged: true
       terminationGracePeriodSeconds: 10
+      serviceAccountName: manager
       tolerations:
       - effect: NoSchedule
         key: node-role.kubernetes.io/master

test/infrastructure/docker/config/rbac/auth_proxy_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

test/infrastructure/docker/config/rbac/kustomization.yaml

@@ -3,6 +3,7 @@ kind: Kustomization
 resources:
 - role.yaml
 - role_binding.yaml
+- service_account.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
 # Comment the following 3 lines if you want to disable

test/infrastructure/docker/config/rbac/leader_election_role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

test/infrastructure/docker/config/rbac/role_binding.yaml

@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: manager
   namespace: system

test/infrastructure/docker/config/rbac/service_account.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: manager
+  namespace: system