Apply serviceAccounts to deployments

ulagbulag · Aug 29, 2022 · e69e997 · e69e997
1 parent 483a40b
commit e69e997
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 0 deletions.
diff --git a/templates/kiss/kiss-controller.yaml b/templates/kiss/kiss-controller.yaml
@@ -1,4 +1,68 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kiss-controller
+  namespace: kiss
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: kiss-controller-ansible-playbook
+  namespace: kiss
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: ansible-playbook
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: kiss-controller
+    namespace: kiss
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kiss-controller
+  namespace: kiss
+rules:
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kiss-controller
+  namespace: kiss
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kiss-controller
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: kiss-controller
+    namespace: kiss
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kiss-controller-ansible-playbook
+  namespace: kiss
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ansible-playbook
+subjects:
+  - apiGroup: ""
+    kind: ServiceAccount
+    name: kiss-controller
+    namespace: kiss
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -21,6 +85,7 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+      serviceAccount: kiss-controller
       containers:
         - name: controller
           image: ghcr.io/ulagbulag-village/netai-cloud:master

diff --git a/templates/kiss/kiss-monitor.yaml b/templates/kiss/kiss-monitor.yaml
@@ -21,6 +21,7 @@ spec:
       securityContext:
         seccompProfile:
           type: RuntimeDefault
+      serviceAccount: kiss-controller
       containers:
         - name: monitor
           image: ghcr.io/ulagbulag-village/netai-cloud:master

diff --git a/templates/kiss/namespace.yaml b/templates/kiss/namespace.yaml
@@ -14,6 +14,10 @@ spec:
   policyTypes:
     - Ingress
     - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 169.254.0.0/16 # nodelocaldns
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -28,8 +32,12 @@ spec:
     - Egress
   egress:
     - to:
+        - ipBlock:
+            cidr: 10.0.0.0/11
         - ipBlock:
             cidr: 10.32.0.0/12
+        - ipBlock:
+            cidr: 10.112.0.0/12
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -49,6 +57,10 @@ spec:
             cidr: 10.32.0.0/12
         - ipBlock:
             cidr: 0.0.0.0/0 # TODO: disable it when kiss is deployed
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 10.0.0.0/8
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy