Clean namespaces, roles and manager

memgraph · Jul 11, 2024 · 633c1df · 633c1df
1 parent 5818091
commit 633c1df
Show file tree

Hide file tree

Showing 14 changed files with 30 additions and 204 deletions.
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
@@ -1,7 +1,4 @@
-# Adds namespace to all resources.
-namespace: memgraph-operator-system
-
-namePrefix: memgraph-k8-
+namePrefix: ""
 
 resources:
 - ../crd

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -1,82 +1,46 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator
   annotations:
     email: [email protected]
   labels:
-    control-plane: controller-manager
-    app.kubernetes.io/name: deployment
-    app.kubernetes.io/instance: controller-manager
-    app.kubernetes.io/component: manager
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
     owner: Memgraph
 spec:
   selector:
     matchLabels:
-      control-plane: controller-manager
+      name: memgraph-kubernetes-operator
   replicas: 1
   strategy:
     rollingUpdate:
       maxUnavailable: 1
     type: RollingUpdate
   template:
     metadata:
-      annotations:
-        kubectl.kubernetes.io/default-container: manager
       labels:
-        control-plane: controller-manager
+        name: memgraph-kubernetes-operator
     spec:
-      # TODO(user): Uncomment the following code to configure the nodeAffinity expression
-      # according to the platforms which are supported by your solution.
-      # It is considered best practice to support multiple architectures. You can
-      # build your manager image using the makefile target docker-buildx.
-      # affinity:
-      #   nodeAffinity:
-      #     requiredDuringSchedulingIgnoredDuringExecution:
-      #       nodeSelectorTerms:
-      #         - matchExpressions:
-      #           - key: kubernetes.io/arch
-      #             operator: In
-      #             values:
-      #               - amd64
-      #               - arm64
-      #               - ppc64le
-      #               - s390x
-      #           - key: kubernetes.io/os
-      #             operator: In
-      #             values:
-      #               - linux
-      securityContext:
-        runAsNonRoot: true
-        # TODO(user): For common cases that do not require escalating privileges
-        # it is recommended to ensure that all your Pods/Containers are restrictive.
-        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
-        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
-        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
-        # seccompProfile:
-        #   type: RuntimeDefault
       containers:
+        # TODO(andi) figure these args out
       - args:
         - --leader-elect
         - --leader-election-id=kubernetes-operator
         image: memgraph/kubernetes-operator:0.0.2
-        name: manager
-        securityContext:
-          readOnlyRootFilesystem: true
-          allowPrivilegeEscalation: false
-          capabilities:
-            drop:
-            - "ALL"
+        imagePullPolicy: Always
+        name: memgraph-kubernetes-operator
         resources:
           limits:
             cpu: 500m
             memory: 128Mi
           requests:
             cpu: 10m
             memory: 64Mi
-      serviceAccountName: controller-manager
-      terminationGracePeriodSeconds: 10
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - "ALL"
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: memgraph-kubernetes-operator
diff --git a/config/rbac/auth_proxy_client_clusterrole.yaml b/config/rbac/auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/auth_proxy_role.yaml b/config/rbac/auth_proxy_role.yaml
diff --git a/config/rbac/auth_proxy_role_binding.yaml b/config/rbac/auth_proxy_role_binding.yaml
diff --git a/config/rbac/auth_proxy_service.yaml b/config/rbac/auth_proxy_service.yaml
diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
@@ -1,18 +1,6 @@
 resources:
-# All RBAC will be applied under this service account in
-# the deployment namespace. You may comment out this resource
-# if your manager will use a service account that exists at
-# runtime. Be sure to update RoleBinding and ClusterRoleBinding
-# subjects if changing service account names.
 - service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
-# Comment the following 4 lines if you want to disable
-# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-# which protects your /metrics endpoint.
-- auth_proxy_service.yaml
-- auth_proxy_role.yaml
-- auth_proxy_role_binding.yaml
-- auth_proxy_client_clusterrole.yaml
diff --git a/config/rbac/leader_election_role.yaml b/config/rbac/leader_election_role.yaml
@@ -2,14 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  labels:
-    app.kubernetes.io/name: role
-    app.kubernetes.io/instance: leader-election-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: leader-election-role
+  name: memgraph-leader-election-role
 rules:
 - apiGroups:
   - ""

diff --git a/config/rbac/leader_election_role_binding.yaml b/config/rbac/leader_election_role_binding.yaml
@@ -2,18 +2,11 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    app.kubernetes.io/name: rolebinding
-    app.kubernetes.io/instance: leader-election-rolebinding
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: leader-election-rolebinding
+  name: memgraph-leader-election-rolebinding
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: leader-election-role
+  name: memgraph-leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator
diff --git a/config/rbac/memgraphha_editor_role.yaml b/config/rbac/memgraphha_editor_role.yaml
@@ -2,13 +2,6 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: memgraphha-editor-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
   name: memgraphha-editor-role
 rules:
 - apiGroups:

diff --git a/config/rbac/memgraphha_viewer_role.yaml b/config/rbac/memgraphha_viewer_role.yaml
@@ -3,12 +3,6 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   labels:
-    app.kubernetes.io/name: clusterrole
-    app.kubernetes.io/instance: memgraphha-viewer-role
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
   name: memgraphha-viewer-role
 rules:
 - apiGroups:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
-  name: manager-role
+  name: memgraph-kubernetes-operator
 rules:
 ##
 ## Base operator rules

diff --git a/config/rbac/role_binding.yaml b/config/rbac/role_binding.yaml
@@ -1,19 +1,11 @@
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
 metadata:
-  labels:
-    app.kubernetes.io/name: clusterrolebinding
-    app.kubernetes.io/instance: manager-rolebinding
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: manager-rolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: manager-role
+  name: memgraph-kubernetes-operator
 subjects:
 - kind: ServiceAccount
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator
+roleRef:
+  kind: ClusterRole
+  name: memgraph-kubernetes-operator
+  apiGroup: rbac.authorization.k8s.io
diff --git a/config/rbac/service_account.yaml b/config/rbac/service_account.yaml
@@ -1,12 +1,4 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  labels:
-    app.kubernetes.io/name: serviceaccount
-    app.kubernetes.io/instance: controller-manager-sa
-    app.kubernetes.io/component: rbac
-    app.kubernetes.io/created-by: kubernetes-operator
-    app.kubernetes.io/part-of: kubernetes-operator
-    app.kubernetes.io/managed-by: kustomize
-  name: controller-manager
-  namespace: system
+  name: memgraph-kubernetes-operator