Merge pull request #43 from zhiweiyin318/rename-role

rename clusterrole and clusterrolebinding
2026-05-20 08:04:52 +00:00 · 2020-07-02 18:37:13 -04:00
parent b499ad6e7b 57a1d98292
commit 50ad8efcfe
16 changed files with 36 additions and 80 deletions
--- a/manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml
+++ b/manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml
@@ -1,12 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:open-cluster-management:{{ .ClusterManagerName }}
-subjects:
- kind: ServiceAccount
-  namespace: {{ .ClusterManagerNamespace }}
-  name: {{ .ClusterManagerName }}-sa
--- a/manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml
+++ b/manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller
 rules:
 # Allow hub to monitor and update status of csr
 - apiGroups: ["certificates.k8s.io"]
--- a/manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml
+++ b/manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml
@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller
 subjects:
 - kind: ServiceAccount
  namespace: {{ .ClusterManagerNamespace }}
--- a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml
+++ b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook
 rules:
 # Allow managedcluster admission to get/list/watch configmaps
 - apiGroups: [""]
--- a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrolebinding.yaml
+++ b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrolebinding.yaml
@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook
 subjects:
  - kind: ServiceAccount
    name: {{ .ClusterManagerName }}-registration-webhook-sa
--- a/manifests/klusterlet/klusterlet-registration-clusterrole.yaml
+++ b/manifests/klusterlet/klusterlet-registration-clusterrole.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 rules:
 # Allow agent to get/list/watch nodes.
 - apiGroups: [""]
--- a/manifests/klusterlet/klusterlet-registration-clusterrolebinding.yaml
+++ b/manifests/klusterlet/klusterlet-registration-clusterrolebinding.yaml
@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 subjects:
  - kind: ServiceAccount
    name: {{ .KlusterletName }}-registration-sa
--- a/manifests/klusterlet/klusterlet-registration-role.yaml
+++ b/manifests/klusterlet/klusterlet-registration-role.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
  namespace: {{ .KlusterletNamespace }}
 rules:
 - apiGroups: [""]
--- a/manifests/klusterlet/klusterlet-registration-rolebinding.yaml
+++ b/manifests/klusterlet/klusterlet-registration-rolebinding.yaml
@@ -1,12 +1,12 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
  namespace: {{ .KlusterletNamespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 subjects:
  - kind: ServiceAccount
    name: {{ .KlusterletName }}-registration-sa
--- a/manifests/klusterlet/klusterlet-work-clusterrole.yaml
+++ b/manifests/klusterlet/klusterlet-work-clusterrole.yaml
@@ -2,7 +2,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent
 rules:
 # Allow agent to get/list/watch/create/delete crds.
 - apiGroups: ["apiextensions.k8s.io"]
--- a/manifests/klusterlet/klusterlet-work-clusterrolebinding-addition.yaml
+++ b/manifests/klusterlet/klusterlet-work-clusterrolebinding-addition.yaml
@@ -1,11 +1,11 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent-addition
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent-addition
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent
 subjects:
  - kind: ServiceAccount
    name: {{ .KlusterletName }}-work-sa
--- a/manifests/klusterlet/klusterlet-work-clusterrolebinding.yaml
+++ b/manifests/klusterlet/klusterlet-work-clusterrolebinding.yaml
@@ -1,7 +1,7 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
--- a/pkg/operators/clustermanager/bindata/bindata.go
+++ b/pkg/operators/clustermanager/bindata/bindata.go
@@ -2,7 +2,6 @@
 // sources:
 // manifests/cluster-manager/0000_00_clusters.open-cluster-management.io_managedclusters.crd.yaml
 // manifests/cluster-manager/0000_00_work.open-cluster-management.io_manifestworks.crd.yaml
-// manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml
 // manifests/cluster-manager/cluster-manager-namespace.yaml
 // manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml
 // manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml
@@ -492,35 +491,6 @@ func manifestsClusterManager0000_00_workOpenClusterManagementIo_manifestworksCrd
 	return a, nil
 }

-var _manifestsClusterManagerClusterManagerClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:open-cluster-management:{{ .ClusterManagerName }}
-subjects:
- kind: ServiceAccount
-  namespace: {{ .ClusterManagerNamespace }}
-  name: {{ .ClusterManagerName }}-sa
-`)
-
-func manifestsClusterManagerClusterManagerClusterrolebindingYamlBytes() ([]byte, error) {
-	return _manifestsClusterManagerClusterManagerClusterrolebindingYaml, nil
-}
-
-func manifestsClusterManagerClusterManagerClusterrolebindingYaml() (*asset, error) {
-	bytes, err := manifestsClusterManagerClusterManagerClusterrolebindingYamlBytes()
-	if err != nil {
-		return nil, err
-	}
-
-	info := bindataFileInfo{name: "manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
-	a := &asset{bytes: bytes, info: info}
-	return a, nil
-}
-
 var _manifestsClusterManagerClusterManagerNamespaceYaml = []byte(`apiVersion: v1
 kind: Namespace
 metadata:
@@ -545,7 +515,7 @@ func manifestsClusterManagerClusterManagerNamespaceYaml() (*asset, error) {
 var _manifestsClusterManagerClusterManagerRegistrationClusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller
 rules:
 # Allow hub to monitor and update status of csr
 - apiGroups: ["certificates.k8s.io"]
@@ -606,11 +576,11 @@ func manifestsClusterManagerClusterManagerRegistrationClusterroleYaml() (*asset,
 var _manifestsClusterManagerClusterManagerRegistrationClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller
 subjects:
 - kind: ServiceAccount
  namespace: {{ .ClusterManagerNamespace }}
@@ -767,7 +737,7 @@ func manifestsClusterManagerClusterManagerRegistrationWebhookApiserviceYaml() (*
 var _manifestsClusterManagerClusterManagerRegistrationWebhookClusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook
 rules:
 # Allow managedcluster admission to get/list/watch configmaps
 - apiGroups: [""]
@@ -797,11 +767,11 @@ func manifestsClusterManagerClusterManagerRegistrationWebhookClusterroleYaml() (
 var _manifestsClusterManagerClusterManagerRegistrationWebhookClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook
+  name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook
 subjects:
  - kind: ServiceAccount
    name: {{ .ClusterManagerName }}-registration-webhook-sa
@@ -1089,7 +1059,6 @@ func AssetNames() []string {
 var _bindata = map[string]func() (*asset, error){
 	"manifests/cluster-manager/0000_00_clusters.open-cluster-management.io_managedclusters.crd.yaml": manifestsClusterManager0000_00_clustersOpenClusterManagementIo_managedclustersCrdYaml,
 	"manifests/cluster-manager/0000_00_work.open-cluster-management.io_manifestworks.crd.yaml":       manifestsClusterManager0000_00_workOpenClusterManagementIo_manifestworksCrdYaml,
-	"manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml":                              manifestsClusterManagerClusterManagerClusterrolebindingYaml,
 	"manifests/cluster-manager/cluster-manager-namespace.yaml":                                       manifestsClusterManagerClusterManagerNamespaceYaml,
 	"manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml":                        manifestsClusterManagerClusterManagerRegistrationClusterroleYaml,
 	"manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml":                 manifestsClusterManagerClusterManagerRegistrationClusterrolebindingYaml,
@@ -1150,7 +1119,6 @@ var _bintree = &bintree{nil, map[string]*bintree{
 		"cluster-manager": {nil, map[string]*bintree{
 			"0000_00_clusters.open-cluster-management.io_managedclusters.crd.yaml": {manifestsClusterManager0000_00_clustersOpenClusterManagementIo_managedclustersCrdYaml, map[string]*bintree{}},
 			"0000_00_work.open-cluster-management.io_manifestworks.crd.yaml":       {manifestsClusterManager0000_00_workOpenClusterManagementIo_manifestworksCrdYaml, map[string]*bintree{}},
-			"cluster-manager-clusterrolebinding.yaml":                              {manifestsClusterManagerClusterManagerClusterrolebindingYaml, map[string]*bintree{}},
 			"cluster-manager-namespace.yaml":                                       {manifestsClusterManagerClusterManagerNamespaceYaml, map[string]*bintree{}},
 			"cluster-manager-registration-clusterrole.yaml":                        {manifestsClusterManagerClusterManagerRegistrationClusterroleYaml, map[string]*bintree{}},
 			"cluster-manager-registration-clusterrolebinding.yaml":                 {manifestsClusterManagerClusterManagerRegistrationClusterrolebindingYaml, map[string]*bintree{}},
--- a/pkg/operators/klusterlet/bindata/bindata.go
+++ b/pkg/operators/klusterlet/bindata/bindata.go
@@ -68,7 +68,7 @@ var _manifestsKlusterletKlusterletRegistrationClusterroleYaml = []byte(`# Cluste
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 rules:
 # Allow agent to get/list/watch nodes.
 - apiGroups: [""]
@@ -97,11 +97,11 @@ func manifestsKlusterletKlusterletRegistrationClusterroleYaml() (*asset, error)
 var _manifestsKlusterletKlusterletRegistrationClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 subjects:
  - kind: ServiceAccount
    name: {{ .KlusterletName }}-registration-sa
@@ -226,7 +226,7 @@ var _manifestsKlusterletKlusterletRegistrationRoleYaml = []byte(`# Role for regi
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
  namespace: {{ .KlusterletNamespace }}
 rules:
 - apiGroups: [""]
@@ -255,12 +255,12 @@ func manifestsKlusterletKlusterletRegistrationRoleYaml() (*asset, error) {
 var _manifestsKlusterletKlusterletRegistrationRolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
  namespace: {{ .KlusterletNamespace }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
-  name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent
+  name: open-cluster-management:{{ .KlusterletName }}-registration:agent
 subjects:
  - kind: ServiceAccount
    name: {{ .KlusterletName }}-registration-sa
@@ -308,7 +308,7 @@ var _manifestsKlusterletKlusterletWorkClusterroleYaml = []byte(`# Clusterrole fo
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent
 rules:
 # Allow agent to get/list/watch/create/delete crds.
 - apiGroups: ["apiextensions.k8s.io"]
@@ -353,11 +353,11 @@ func manifestsKlusterletKlusterletWorkClusterroleYaml() (*asset, error) {
 var _manifestsKlusterletKlusterletWorkClusterrolebindingAdditionYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent-addition
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent-addition
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent
 subjects:
  - kind: ServiceAccount
    name: {{ .KlusterletName }}-work-sa
@@ -382,7 +382,7 @@ func manifestsKlusterletKlusterletWorkClusterrolebindingAdditionYaml() (*asset,
 var _manifestsKlusterletKlusterletWorkClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: system:open-cluster-management:{{ .KlusterletName }}-work-agent
+  name: open-cluster-management:{{ .KlusterletName }}-work:agent
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
--- a/test/integration/clustermanager_test.go
+++ b/test/integration/clustermanager_test.go
@@ -52,8 +52,8 @@ var _ = ginkgo.Describe("ClusterManager", func() {
 			}, eventuallyTimeout, eventuallyInterval).Should(gomega.BeTrue())

 			// Check clusterrole/clusterrolebinding
-			hubRegistrationClusterRole := fmt.Sprintf("system:open-cluster-management:%s-registration-controller", clusterManagerName)
-			hubWebhookClusterRole := fmt.Sprintf("system:open-cluster-management:%s-registration-webhook", clusterManagerName)
+			hubRegistrationClusterRole := fmt.Sprintf("open-cluster-management:%s-registration:controller", clusterManagerName)
+			hubWebhookClusterRole := fmt.Sprintf("open-cluster-management:%s-registration:webhook", clusterManagerName)
 			gomega.Eventually(func() bool {
 				if _, err := kubeClient.RbacV1().ClusterRoles().Get(context.Background(), hubRegistrationClusterRole, metav1.GetOptions{}); err != nil {
 					return false
--- a/test/integration/klusterlet_test.go
+++ b/test/integration/klusterlet_test.go
@@ -86,8 +86,8 @@ var _ = ginkgo.Describe("Klusterlet", func() {
 		ginkgo.BeforeEach(func() {
 			registrationDeploymentName = fmt.Sprintf("%s-registration-agent", klusterlet.Name)
 			workDeploymentName = fmt.Sprintf("%s-work-agent", klusterlet.Name)
-			registrationRoleName = fmt.Sprintf("system:open-cluster-management:%s", registrationDeploymentName)
-			workRoleName = fmt.Sprintf("system:open-cluster-management:%s", workDeploymentName)
+			registrationRoleName = fmt.Sprintf("open-cluster-management:%s-registration:agent", klusterlet.Name)
+			workRoleName = fmt.Sprintf("open-cluster-management:%s-work:agent", klusterlet.Name)
 			registrationSAName = fmt.Sprintf("%s-registration-sa", klusterlet.Name)
 			workSAName = fmt.Sprintf("%s-work-sa", klusterlet.Name)
 		})