From e69e997ba8592c8a0cf7801207f1e0136e882bb0 Mon Sep 17 00:00:00 2001
From: Ho Kim
Date: Mon, 29 Aug 2022 02:33:45 +0000
Subject: [PATCH] Apply serviceAccounts to deployments

---
 templates/kiss/kiss-controller.yaml | 65 +++++++++++++++++++++++++++++
 templates/kiss/kiss-monitor.yaml | 1 +
 templates/kiss/namespace.yaml | 12 ++++++
 3 files changed, 78 insertions(+)

diff --git a/templates/kiss/kiss-controller.yaml b/templates/kiss/kiss-controller.yaml
index 8dda740c..ebd09aac 100644
--- a/templates/kiss/kiss-controller.yaml
+++ b/templates/kiss/kiss-controller.yaml
@@ -1,4 +1,68 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kiss-controller
+ namespace: kiss
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kiss-controller-ansible-playbook
+ namespace: kiss
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ansible-playbook
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: kiss-controller
+ namespace: kiss
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kiss-controller
+ namespace: kiss
+rules:
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kiss-controller
+ namespace: kiss
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kiss-controller
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: kiss-controller
+ namespace: kiss
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kiss-controller-ansible-playbook
+ namespace: kiss
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ansible-playbook
+subjects:
+ - apiGroup: ""
+ kind: ServiceAccount
+ name: kiss-controller
+ namespace: kiss
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
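Review bot: The ClusterRole and both ClusterRoleBindings in this hunk carry `namespace: kiss` under metadata, but those kinds are cluster-scoped, so the field has no effect there and some validators warn on or reject it; drop the `namespace: kiss` line from the three cluster-scoped objects and keep it only on the ServiceAccount and the RoleBinding. The new `kiss-controller` ClusterRole also grants `verbs: - "*"` on customresourcedefinitions cluster-wide, which includes delete and patch of every CRD in the cluster; unless the controller genuinely manages CRD lifecycle, listing only the verbs it uses (for example `get`, `list`, `watch`, plus `create`/`update` if it installs its own CRDs) keeps the binding at least privilege. The Role and ClusterRole named `ansible-playbook` that the two bindings reference are not defined in this diff, so whether the namespaced RoleBinding is redundant with the ClusterRoleBinding of the same name cannot be checked here.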
@@ -21,6 +85,7 @@ spec:
 securityContext:
 seccompProfile:
 type: RuntimeDefault
+ serviceAccount: kiss-controller
 containers:
 - name: controller
 image: ghcr.io/ulagbulag-village/netai-cloud:master
diff --git a/templates/kiss/kiss-monitor.yaml b/templates/kiss/kiss-monitor.yaml
index aaf68002..3a53eb5f 100644
--- a/templates/kiss/kiss-monitor.yaml
+++ b/templates/kiss/kiss-monitor.yaml
@@ -21,6 +21,7 @@ spec:
 securityContext:
 seccompProfile:
 type: RuntimeDefault
+ serviceAccount: kiss-controller
 containers:
 - name: monitor
 image: ghcr.io/ulagbulag-village/netai-cloud:master
diff --git a/templates/kiss/namespace.yaml b/templates/kiss/namespace.yaml
index 32ce5167..50fa39d5 100644
--- a/templates/kiss/namespace.yaml
+++ b/templates/kiss/namespace.yaml
@@ -14,6 +14,10 @@ spec:
 policyTypes:
 - Ingress
 - Egress
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 169.254.0.0/16 # nodelocaldns
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -28,8 +32,12 @@ spec:
 - Egress
 egress:
 - to:
+ - ipBlock:
+ cidr: 10.0.0.0/11
 - ipBlock:
 cidr: 10.32.0.0/12
+ - ipBlock:
+ cidr: 10.112.0.0/12
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -49,6 +57,10 @@ spec:
 cidr: 10.32.0.0/12
 - ipBlock:
 cidr: 0.0.0.0/0 # TODO: disable it when kiss is deployed
+ egress:
+ - to:
+ - ipBlock:
+ cidr: 10.0.0.0/8
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
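Review bot: The added line uses `serviceAccount`, which is the deprecated PodSpec field; the current field is `serviceAccountName`, so the line should read `serviceAccountName: kiss-controller`. The same line is added to the kiss-monitor Deployment in the next hunk, where it also points the monitor at the controller's ServiceAccount, so the monitor pod inherits the CRD wildcard ClusterRole and the ansible-playbook bindings granted to kiss-controller; if the monitor only reads cluster state, a separate ServiceAccount with its own narrower binding would keep the two workloads' privileges independent. The enclosing pod template `spec:` starts outside the hunk.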
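Review bot: The new egress rule in the first namespace.yaml hunk opens the entire 169.254.0.0/16 link-local range on every port, while the `# nodelocaldns` comment says the intent is a single DNS cache address; on cloud-hosted nodes that range also contains the instance metadata service, so any pod selected by this policy could reach it. Narrowing the ipBlock to the nodelocaldns address as a /32 and adding a `ports` clause limited to 53/UDP and 53/TCP expresses the stated intent and closes that path. The enclosing NetworkPolicy's `metadata` and `podSelector` start outside the hunk, so which pods it selects is not visible here.
```yaml
  egress:
    - to:
        - ipBlock:
            cidr: "<NODELOCALDNS_IP>/32"  # nodelocaldns (placeholder: the cache's actual address)
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```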
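Review bot: The two ipBlock entries added in the second namespace.yaml hunk (`10.0.0.0/11` and `10.112.0.0/12`) carry no comment saying which network each range is, unlike the `# nodelocaldns` annotation earlier in the same file, so a later reader cannot tell whether the gap between 10.48.0.0 and 10.111.255.255 is deliberate. A trailing comment on each line, e.g. `cidr: 10.0.0.0/11  # <purpose of this range>`, would document the allow-list; if the three ranges are meant to be one contiguous network, a single summarised CIDR with a comment would be clearer. The enclosing NetworkPolicy's metadata starts outside the hunk.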
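Review bot: The egress allow for `10.0.0.0/8` added in the last hunk covers the whole RFC 1918 10/8 block, far wider than the /11 and /12 carve-outs the previous hunk adds to the neighbouring policy, and it sits in the same policy whose ingress already permits `0.0.0.0/0` under a TODO; together the policy is close to unrestricted for the pods it selects. If the broad range is only needed during bootstrap, a comment on the line in the style of the existing TODO (`cidr: 10.0.0.0/8 # TODO: narrow once kiss is deployed`) records that intent; otherwise the same explicit ranges as the neighbouring policy would be the least-privilege choice. Which pods this policy selects is outside the hunk.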