Create a ServiceAccount for Broker Ingress

config/200-broker-clusterrole.yaml

@@ -26,3 +26,11 @@ rules:
       - "get"
       - "list"
       - "watch"
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: eventing-broker-ingress
+rules: []

config/500-controller.yaml

@@ -45,7 +45,7 @@ spec:
           - name: BROKER_INGRESS_IMAGE
             value: github.com/knative/eventing/cmd/broker/ingress
           - name: BROKER_INGRESS_SERVICE_ACCOUNT
-            value: default
+            value: eventing-broker-ingress
           - name: BROKER_FILTER_IMAGE
             value: github.com/knative/eventing/cmd/broker/filter
           - name: BROKER_FILTER_SERVICE_ACCOUNT

docs/broker/README.md

@@ -112,26 +112,30 @@ kubectl -n default get broker default
 #### Manual Setup
 
 In order to setup a `Broker` manually, we must first create the required
-`ServiceAccount` and give it the proper RBAC permissions. This setup is required
+`ServiceAccount`s and give them the proper RBAC permissions. This setup is required
 once per namespace. These instructions will use the `default` namespace, but you
 can replace it with any namespace you want to install a `Broker` into.
 
 Create the `ServiceAccount`.
 
 ```shell
+kubectl -n default create serviceaccount eventing-broker-ingress
 kubectl -n default create serviceaccount eventing-broker-filter
 ```
 
 Then give it the needed RBAC permissions:
 
 ```shell
+kubectl -n default create rolebinding eventing-broker-ingress \
+  --clusterrole=eventing-broker-ingress \
+  --user=eventing-broker-ingress
 kubectl -n default create rolebinding eventing-broker-filter \
   --clusterrole=eventing-broker-filter \
   --user=eventing-broker-filter
 ```
 
 Note that the previous commands uses three different objects, all named
-`eventing-broker-filter`. The `ClusterRole` is installed with Knative Eventing
+`eventing-broker-ingress` or `eventing-broker-filter`. The `ClusterRole` is installed with Knative Eventing
 [here](../../config/200-broker-clusterrole.yaml). The `ServiceAccount` was
 created two commands prior. The `RoleBinding` is created with this command.
 
@@ -271,9 +275,9 @@ spec:
 
 Broker and Trigger are intended to be black boxes. How they are implemented
 should not matter to the end user. This section describes the specific
-implementation that is currently in the repository. However, **the implmentation
+implementation that is currently in the repository. However, **the implementation
 may change at any time, absolutely no guarantees are made about the
-implmentation**.
+implementation**.
 
 ### Namespace
 
@@ -283,6 +287,10 @@ Namespaces are reconciled by the
 `knative-eventing-injection: enabled`. If that label is present, then the
 `Namespace Reconciler` reconciles:
 
+1. Creates the Broker Ingress' `ServiceAccount`, `eventing-ingress-filter`.
+1. Ensures that `ServiceAccount` has the requisite RBAC permissions by giving it
+   the [`eventing-broker-ingress`](../../config/200-broker-clusterrole.yaml)
+   `Role`.
 1. Creates the Broker Filter's `ServiceAccount`, `eventing-broker-filter`.
 1. Ensures that `ServiceAccount` has the requisite RBAC permissions by giving it
    the [`eventing-broker-filter`](../../config/200-broker-clusterrole.yaml)

pkg/reconciler/namespace/namespace.go

@@ -56,8 +56,8 @@ const (
 
 	// Name of the corev1.Events emitted from the reconciliation process.
 	brokerCreated             = "BrokerCreated"
-	serviceAccountCreated     = "BrokerFilterServiceAccountCreated"
-	serviceAccountRBACCreated = "BrokerFilterServiceAccountRBACCreated"
+	serviceAccountCreated     = "BrokerServiceAccountCreated"
+	serviceAccountRBACCreated = "BrokerServiceAccountRBACCreated"
 )
 
 var (
@@ -162,59 +162,64 @@ func (r *Reconciler) reconcile(ctx context.Context, ns *corev1.Namespace) error
 	if ns.DeletionTimestamp != nil {
 		return nil
 	}
+	if err := r.reconcileServiceAccountAndRoleBinding(ctx, ns, resources.IngressServiceAccountName, resources.IngressRoleBindingName, resources.IngressClusterRoleName); err != nil {
+		return fmt.Errorf("broker ingress: %v", err)
+	}
+	if err := r.reconcileServiceAccountAndRoleBinding(ctx, ns, resources.FilterServiceAccountName, resources.FilterRoleBindingName, resources.FilterClusterRoleName); err != nil {
+		return fmt.Errorf("broker filter: %v", err)
+	}
 
-	sa, err := r.reconcileBrokerFilterServiceAccount(ctx, ns)
+	b, err := r.reconcileBroker(ctx, ns)
 	if err != nil {
-		logging.FromContext(ctx).Error("Unable to reconcile the Broker Filter Service Account for the namespace", zap.Error(err))
-		return err
+		return fmt.Errorf("broker: %v", err)
 	}
 
-	// Tell tracker to reconcile this namespace whenever the Service Account changes.
-	if err = r.tracker.Track(utils.ObjectRef(sa, serviceAccountGVK), ns); err != nil {
-		logging.FromContext(ctx).Error("Unable to track changes to ServiceAccount", zap.Error(err))
-		return err
+	// Tell tracker to reconcile this namespace whenever the Broker changes.
+	if err = r.tracker.Track(utils.ObjectRef(b, brokerGVK), ns); err != nil {
+		return fmt.Errorf("track broker: %v", err)
 	}
 
-	rb, err := r.reconcileBrokerFilterRBAC(ctx, ns, sa)
+	return nil
+}
+
+// reconcileServiceAccountAndRoleBinding reconciles the service account and role binding for
+// Namespace 'ns'.
+func (r *Reconciler) reconcileServiceAccountAndRoleBinding(ctx context.Context, ns *corev1.Namespace, saName, rbName, clusterRoleName string) error {
+	sa, err := r.reconcileBrokerServiceAccount(ctx, ns, resources.MakeServiceAccount(ns.Name, saName))
 	if err != nil {
-		logging.FromContext(ctx).Error("Unable to reconcile the Broker Filter Service Account RBAC for the namespace", zap.Error(err))
-		return err
+		return fmt.Errorf("service account '%s': %v", saName, err)
 	}
 
-	// Tell tracker to reconcile this namespace whenever the RoleBinding changes.
-	if err = r.tracker.Track(utils.ObjectRef(rb, roleBindingGVK), ns); err != nil {
-		logging.FromContext(ctx).Error("Unable to track changes to RoleBinding", zap.Error(err))
-		return err
+	// Tell tracker to reconcile this namespace whenever the Service Account changes.
+	if err = r.tracker.Track(utils.ObjectRef(sa, serviceAccountGVK), ns); err != nil {
+		return fmt.Errorf("track service account '%s': %v", sa.Name, err)
 	}
 
-	b, err := r.reconcileBroker(ctx, ns)
+	rb, err := r.reconcileBrokerRBAC(ctx, ns, sa, resources.MakeRoleBinding(rbName, sa, clusterRoleName))
 	if err != nil {
-		logging.FromContext(ctx).Error("Unable to reconcile Broker for the namespace", zap.Error(err))
-		return err
+		return fmt.Errorf("role binding '%s': %v", rbName, err)
 	}
 
-	// Tell tracker to reconcile this namespace whenever the Broker changes.
-	if err = r.tracker.Track(utils.ObjectRef(b, brokerGVK), ns); err != nil {
-		logging.FromContext(ctx).Error("Unable to track changes to Broker", zap.Error(err))
-		return err
+	// Tell tracker to reconcile this namespace whenever the RoleBinding changes.
+	if err = r.tracker.Track(utils.ObjectRef(rb, roleBindingGVK), ns); err != nil {
+		return fmt.Errorf("track role binding '%s': %v", rb.Name, err)
 	}
 
 	return nil
 }
 
-// reconcileBrokerFilterServiceAccount reconciles the Broker's filter service account for Namespace 'ns'.
-func (r *Reconciler) reconcileBrokerFilterServiceAccount(ctx context.Context, ns *corev1.Namespace) (*corev1.ServiceAccount, error) {
-	current, err := r.KubeClientSet.CoreV1().ServiceAccounts(ns.Name).Get(resources.ServiceAccountName, metav1.GetOptions{})
+// reconcileBrokerServiceAccount reconciles the Broker's service account for Namespace 'ns'.
+func (r *Reconciler) reconcileBrokerServiceAccount(ctx context.Context, ns *corev1.Namespace, sa *corev1.ServiceAccount) (*corev1.ServiceAccount, error) {
+	current, err := r.KubeClientSet.CoreV1().ServiceAccounts(ns.Name).Get(sa.Name, metav1.GetOptions{})
 
 	// If the resource doesn't exist, we'll create it.
 	if k8serrors.IsNotFound(err) {
-		sa := resources.MakeServiceAccount(ns.Name)
-		sa, err := r.KubeClientSet.CoreV1().ServiceAccounts(ns.Name).Create(sa)
+		sa, err = r.KubeClientSet.CoreV1().ServiceAccounts(ns.Name).Create(sa)
 		if err != nil {
 			return nil, err
 		}
 		r.Recorder.Event(ns, corev1.EventTypeNormal, serviceAccountCreated,
-			fmt.Sprintf("Service account created for the Broker '%s'", sa.Name))
+			fmt.Sprintf("Service account '%s' created for the Broker", sa.Name))
 		return sa, nil
 	} else if err != nil {
 		return nil, err
@@ -223,19 +228,18 @@ func (r *Reconciler) reconcileBrokerFilterServiceAccount(ctx context.Context, ns
 	return current, nil
 }
 
-// reconcileBrokerFilterRBAC reconciles the Broker's filter service account RBAC for the Namespace 'ns'.
-func (r *Reconciler) reconcileBrokerFilterRBAC(ctx context.Context, ns *corev1.Namespace, sa *corev1.ServiceAccount) (*rbacv1.RoleBinding, error) {
-	current, err := r.KubeClientSet.RbacV1().RoleBindings(ns.Name).Get(resources.RoleBindingName, metav1.GetOptions{})
+// reconcileBrokerRBAC reconciles the Broker's service account RBAC for the Namespace 'ns'.
+func (r *Reconciler) reconcileBrokerRBAC(ctx context.Context, ns *corev1.Namespace, sa *corev1.ServiceAccount, rb *rbacv1.RoleBinding) (*rbacv1.RoleBinding, error) {
+	current, err := r.KubeClientSet.RbacV1().RoleBindings(ns.Name).Get(rb.Name, metav1.GetOptions{})
 
 	// If the resource doesn't exist, we'll create it.
 	if k8serrors.IsNotFound(err) {
-		rb := resources.MakeRoleBinding(sa)
-		rb, err := r.KubeClientSet.RbacV1().RoleBindings(ns.Name).Create(rb)
+		rb, err = r.KubeClientSet.RbacV1().RoleBindings(ns.Name).Create(rb)
 		if err != nil {
 			return nil, err
 		}
 		r.Recorder.Event(ns, corev1.EventTypeNormal, serviceAccountRBACCreated,
-			fmt.Sprintf("Service account RBAC created for the Broker Filter '%s'", rb.Name))
+			fmt.Sprintf("Service account RBAC '%s' created for the Broker", rb.Name))
 		return rb, nil
 	} else if err != nil {
 		return nil, err