From 51c5bdbff4e1c7f5962688182aaba1c95e45b613 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Tue, 11 May 2021 14:53:52 +0200
Subject: [PATCH] Moves RBAC resources to a dedicated base, so specs that don't need rbac can be created and deleted faster. Specs might not use the kubernetes client, or mighte have sufficient access with the default service account such as in ephemeral test clusters.
---
 runtime-nodejs/kustomize-with-rbac/kustomization.yaml | 7 +++++++
 .../kustomize-with-rbac/specs-serviceaccount.yaml | 8 ++++++++
 runtime-nodejs/kustomize/kustomization.yaml | 2 --
 runtime-nodejs/kustomize/scrapeable-deployment.yaml | 1 -
 4 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 runtime-nodejs/kustomize-with-rbac/kustomization.yaml
 create mode 100644 runtime-nodejs/kustomize-with-rbac/specs-serviceaccount.yaml
diff --git a/runtime-nodejs/kustomize-with-rbac/kustomization.yaml b/runtime-nodejs/kustomize-with-rbac/kustomization.yaml
new file mode 100644
index 0000000..bc6a33e
--- /dev/null
+++ b/runtime-nodejs/kustomize-with-rbac/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+bases:
+- ../rbac-readonly
+- ../kustomize
+patchesStrategicMerge:
+- specs-serviceaccount.yaml
diff --git a/runtime-nodejs/kustomize-with-rbac/specs-serviceaccount.yaml b/runtime-nodejs/kustomize-with-rbac/specs-serviceaccount.yaml
new file mode 100644
index 0000000..55952d1
--- /dev/null
+++ b/runtime-nodejs/kustomize-with-rbac/specs-serviceaccount.yaml
@@ -0,0 +1,8 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: specs
+spec:
+ template:
+ spec:
+ serviceAccountName: assert
diff --git a/runtime-nodejs/kustomize/kustomization.yaml b/runtime-nodejs/kustomize/kustomization.yaml
index a6162d1..d3e8f9f 100644
--- a/runtime-nodejs/kustomize/kustomization.yaml
+++ b/runtime-nodejs/kustomize/kustomization.yaml
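Review bot: `bases:` in the new kustomize-with-rbac/kustomization.yaml is a deprecated Kustomize field (deprecated since v2.1.0 in favour of listing directories under `resources:`). Since this file is new, it could start with `resources:` followed by `- ../rbac-readonly` and `- ../kustomize`. The sibling kustomize/kustomization.yaml already uses `resources:` for its own entries, so this would also keep the two files consistent.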
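Review bot: The patch in specs-serviceaccount.yaml names the service account `assert` without saying where it is defined. It is presumably created by `../rbac-readonly`, which this diff does not show, and a mismatch in that name would not be caught at build time, only when the pods fail to be created. A header comment such as `# "assert" must match the ServiceAccount defined in ../rbac-readonly` would make the coupling visible. Because the base Deployment no longer sets an account after this commit, the base should also say that its pods run as the namespace's default service account, whose permissions differ between clusters.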
@@ -1,7 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-bases:
-- ../rbac-readonly
 resources:
 - scrapeable-deployment.yaml
 # TODO if many tests reuse this base, how do we manage podmonitor?
diff --git a/runtime-nodejs/kustomize/scrapeable-deployment.yaml b/runtime-nodejs/kustomize/scrapeable-deployment.yaml
index f01139e..6878aba 100644
--- a/runtime-nodejs/kustomize/scrapeable-deployment.yaml
+++ b/runtime-nodejs/kustomize/scrapeable-deployment.yaml
@@ -12,7 +12,6 @@ spec:
 labels:
 kubernetes-assert: metrics
 spec:
- serviceAccountName: assert
 containers:
 - name: specs
 # We can't have a tag here because https://kubectl.docs.kubernetes.io/pages/reference/kustomize.html#images won't unset it, and Skaffold required no-tag URLs for build