diff --git a/manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml b/manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml deleted file mode 100644 index dc2a97f5c..000000000 --- a/manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:open-cluster-management:{{ .ClusterManagerName }} -subjects: -- kind: ServiceAccount - namespace: {{ .ClusterManagerNamespace }} - name: {{ .ClusterManagerName }}-sa diff --git a/manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml b/manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml index 47ed472bf..b9fc4c874 100644 --- a/manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml +++ b/manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller + name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller rules: # Allow hub to monitor and update status of csr - apiGroups: ["certificates.k8s.io"] diff --git a/manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml b/manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml index 2869c9cb3..3d06e737e 100644 --- a/manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml +++ b/manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml 
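Review bot: The new `name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller` in cluster-manager-registration-clusterrole.yaml is a different object from the one created under the old `system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller` name, so a hub installed before this change would presumably keep the old ClusterRole and its old-named binding, still granting the same rules to the registration service account. Nothing visible in this diff deletes the legacy objects; the same holds for the other renamed ClusterRole, ClusterRoleBinding, Role and RoleBinding manifests (cluster-manager webhook, klusterlet registration and work) and for the binding whose manifest cluster-manager-clusterrolebinding.yaml is deleted here. If cleanup is not handled elsewhere, the operator should remove the legacy names during reconcile, and the manifest could record them, e.g. `# legacy name before rename: system:open-cluster-management:<cluster-manager-name>-registration-controller (delete on upgrade)`. Until then, an RBAC audit for roles and bindings whose name starts with `system:open-cluster-management:` will show what was left behind.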
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller + name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller + name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller subjects: - kind: ServiceAccount namespace: {{ .ClusterManagerNamespace }} diff --git a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml index f53731aa0..9199e5a7b 100644 --- a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml +++ b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrole.yaml @@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook + name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook rules: # Allow managedcluster admission to get/list/watch configmaps - apiGroups: [""] diff --git a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrolebinding.yaml b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrolebinding.yaml index 9535ecbc3..8377e39f5 100644 --- a/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrolebinding.yaml +++ b/manifests/cluster-manager/cluster-manager-registration-webhook-clusterrolebinding.yaml 
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook + name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook + name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook subjects: - kind: ServiceAccount name: {{ .ClusterManagerName }}-registration-webhook-sa diff --git a/manifests/klusterlet/klusterlet-registration-clusterrole.yaml b/manifests/klusterlet/klusterlet-registration-clusterrole.yaml index 71e9ba4c9..83a9b4195 100644 --- a/manifests/klusterlet/klusterlet-registration-clusterrole.yaml +++ b/manifests/klusterlet/klusterlet-registration-clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent rules: # Allow agent to get/list/watch nodes. - apiGroups: [""] diff --git a/manifests/klusterlet/klusterlet-registration-clusterrolebinding.yaml b/manifests/klusterlet/klusterlet-registration-clusterrolebinding.yaml index 4aecf70ff..91e45e24f 100644 --- a/manifests/klusterlet/klusterlet-registration-clusterrolebinding.yaml +++ b/manifests/klusterlet/klusterlet-registration-clusterrolebinding.yaml 
@@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent subjects: - kind: ServiceAccount name: {{ .KlusterletName }}-registration-sa diff --git a/manifests/klusterlet/klusterlet-registration-role.yaml b/manifests/klusterlet/klusterlet-registration-role.yaml index 31acc4a5c..de759a721 100644 --- a/manifests/klusterlet/klusterlet-registration-role.yaml +++ b/manifests/klusterlet/klusterlet-registration-role.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent namespace: {{ .KlusterletNamespace }} rules: - apiGroups: [""] diff --git a/manifests/klusterlet/klusterlet-registration-rolebinding.yaml b/manifests/klusterlet/klusterlet-registration-rolebinding.yaml index 8f64bb9de..e9db672f7 100644 --- a/manifests/klusterlet/klusterlet-registration-rolebinding.yaml +++ b/manifests/klusterlet/klusterlet-registration-rolebinding.yaml @@ -1,12 +1,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent namespace: {{ .KlusterletNamespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent subjects: - kind: ServiceAccount name: {{ .KlusterletName }}-registration-sa 
diff --git a/manifests/klusterlet/klusterlet-work-clusterrole.yaml b/manifests/klusterlet/klusterlet-work-clusterrole.yaml index f9555f61f..5bef927a3 100644 --- a/manifests/klusterlet/klusterlet-work-clusterrole.yaml +++ b/manifests/klusterlet/klusterlet-work-clusterrole.yaml @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent + name: open-cluster-management:{{ .KlusterletName }}-work:agent rules: # Allow agent to get/list/watch/create/delete crds. - apiGroups: ["apiextensions.k8s.io"] diff --git a/manifests/klusterlet/klusterlet-work-clusterrolebinding-addition.yaml b/manifests/klusterlet/klusterlet-work-clusterrolebinding-addition.yaml index 6594854cd..e76d3da1e 100644 --- a/manifests/klusterlet/klusterlet-work-clusterrolebinding-addition.yaml +++ b/manifests/klusterlet/klusterlet-work-clusterrolebinding-addition.yaml @@ -1,11 +1,11 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent-addition + name: open-cluster-management:{{ .KlusterletName }}-work:agent-addition roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent + name: open-cluster-management:{{ .KlusterletName }}-work:agent subjects: - kind: ServiceAccount name: {{ .KlusterletName }}-work-sa diff --git a/manifests/klusterlet/klusterlet-work-clusterrolebinding.yaml b/manifests/klusterlet/klusterlet-work-clusterrolebinding.yaml index 0de0ebb77..561f162f2 100644 --- a/manifests/klusterlet/klusterlet-work-clusterrolebinding.yaml +++ b/manifests/klusterlet/klusterlet-work-clusterrolebinding.yaml 
@@ -1,7 +1,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent + name: open-cluster-management:{{ .KlusterletName }}-work:agent roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/pkg/operators/clustermanager/bindata/bindata.go b/pkg/operators/clustermanager/bindata/bindata.go index bc8bc5ff0..1faef423b 100644 --- a/pkg/operators/clustermanager/bindata/bindata.go +++ b/pkg/operators/clustermanager/bindata/bindata.go @@ -2,7 +2,6 @@ // sources: // manifests/cluster-manager/0000_00_clusters.open-cluster-management.io_managedclusters.crd.yaml // manifests/cluster-manager/0000_00_work.open-cluster-management.io_manifestworks.crd.yaml -// manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml // manifests/cluster-manager/cluster-manager-namespace.yaml // manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml // manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml 
@@ -492,35 +491,6 @@ func manifestsClusterManager0000_00_workOpenClusterManagementIo_manifestworksCrd return a, nil } -var _manifestsClusterManagerClusterManagerClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: system:open-cluster-management:{{ .ClusterManagerName }} -subjects: -- kind: ServiceAccount - namespace: {{ .ClusterManagerNamespace }} - name: {{ .ClusterManagerName }}-sa -`) - -func manifestsClusterManagerClusterManagerClusterrolebindingYamlBytes() ([]byte, error) { - return _manifestsClusterManagerClusterManagerClusterrolebindingYaml, nil -} - -func manifestsClusterManagerClusterManagerClusterrolebindingYaml() (*asset, error) { - bytes, err := manifestsClusterManagerClusterManagerClusterrolebindingYamlBytes() - if err != nil { - return nil, err - } - - info := bindataFileInfo{name: "manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)} - a := &asset{bytes: bytes, info: info} - return a, nil -} - var _manifestsClusterManagerClusterManagerNamespaceYaml = []byte(`apiVersion: v1 kind: Namespace metadata: @@ -545,7 +515,7 @@ func manifestsClusterManagerClusterManagerNamespaceYaml() (*asset, error) { var _manifestsClusterManagerClusterManagerRegistrationClusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller + name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller rules: # Allow hub to monitor and update status of csr - apiGroups: ["certificates.k8s.io"] 
@@ -606,11 +576,11 @@ func manifestsClusterManagerClusterManagerRegistrationClusterroleYaml() (*asset, var _manifestsClusterManagerClusterManagerRegistrationClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller + name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-controller + name: open-cluster-management:{{ .ClusterManagerName }}-registration:controller subjects: - kind: ServiceAccount namespace: {{ .ClusterManagerNamespace }} @@ -767,7 +737,7 @@ func manifestsClusterManagerClusterManagerRegistrationWebhookApiserviceYaml() (* var _manifestsClusterManagerClusterManagerRegistrationWebhookClusterroleYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook + name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook rules: # Allow managedcluster admission to get/list/watch configmaps - apiGroups: [""] 
@@ -797,11 +767,11 @@ func manifestsClusterManagerClusterManagerRegistrationWebhookClusterroleYaml() ( var _manifestsClusterManagerClusterManagerRegistrationWebhookClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook + name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .ClusterManagerName }}-registration-webhook + name: open-cluster-management:{{ .ClusterManagerName }}-registration:webhook subjects: - kind: ServiceAccount name: {{ .ClusterManagerName }}-registration-webhook-sa @@ -1089,7 +1059,6 @@ func AssetNames() []string { var _bindata = map[string]func() (*asset, error){ "manifests/cluster-manager/0000_00_clusters.open-cluster-management.io_managedclusters.crd.yaml": manifestsClusterManager0000_00_clustersOpenClusterManagementIo_managedclustersCrdYaml, "manifests/cluster-manager/0000_00_work.open-cluster-management.io_manifestworks.crd.yaml": manifestsClusterManager0000_00_workOpenClusterManagementIo_manifestworksCrdYaml, - "manifests/cluster-manager/cluster-manager-clusterrolebinding.yaml": manifestsClusterManagerClusterManagerClusterrolebindingYaml, "manifests/cluster-manager/cluster-manager-namespace.yaml": manifestsClusterManagerClusterManagerNamespaceYaml, "manifests/cluster-manager/cluster-manager-registration-clusterrole.yaml": manifestsClusterManagerClusterManagerRegistrationClusterroleYaml, "manifests/cluster-manager/cluster-manager-registration-clusterrolebinding.yaml": manifestsClusterManagerClusterManagerRegistrationClusterrolebindingYaml, 
@@ -1150,7 +1119,6 @@ var _bintree = &bintree{nil, map[string]*bintree{ "cluster-manager": {nil, map[string]*bintree{ "0000_00_clusters.open-cluster-management.io_managedclusters.crd.yaml": {manifestsClusterManager0000_00_clustersOpenClusterManagementIo_managedclustersCrdYaml, map[string]*bintree{}}, "0000_00_work.open-cluster-management.io_manifestworks.crd.yaml": {manifestsClusterManager0000_00_workOpenClusterManagementIo_manifestworksCrdYaml, map[string]*bintree{}}, - "cluster-manager-clusterrolebinding.yaml": {manifestsClusterManagerClusterManagerClusterrolebindingYaml, map[string]*bintree{}}, "cluster-manager-namespace.yaml": {manifestsClusterManagerClusterManagerNamespaceYaml, map[string]*bintree{}}, "cluster-manager-registration-clusterrole.yaml": {manifestsClusterManagerClusterManagerRegistrationClusterroleYaml, map[string]*bintree{}}, "cluster-manager-registration-clusterrolebinding.yaml": {manifestsClusterManagerClusterManagerRegistrationClusterrolebindingYaml, map[string]*bintree{}}, diff --git a/pkg/operators/klusterlet/bindata/bindata.go b/pkg/operators/klusterlet/bindata/bindata.go index 1e7408d48..775661f74 100644 --- a/pkg/operators/klusterlet/bindata/bindata.go +++ b/pkg/operators/klusterlet/bindata/bindata.go @@ -68,7 +68,7 @@ var _manifestsKlusterletKlusterletRegistrationClusterroleYaml = []byte(`# Cluste apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent rules: # Allow agent to get/list/watch nodes. - apiGroups: [""] 
@@ -97,11 +97,11 @@ func manifestsKlusterletKlusterletRegistrationClusterroleYaml() (*asset, error) var _manifestsKlusterletKlusterletRegistrationClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent subjects: - kind: ServiceAccount name: {{ .KlusterletName }}-registration-sa @@ -226,7 +226,7 @@ var _manifestsKlusterletKlusterletRegistrationRoleYaml = []byte(`# Role for regi apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent namespace: {{ .KlusterletNamespace }} rules: - apiGroups: [""] @@ -255,12 +255,12 @@ func manifestsKlusterletKlusterletRegistrationRoleYaml() (*asset, error) { var _manifestsKlusterletKlusterletRegistrationRolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent namespace: {{ .KlusterletNamespace }} roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: system:open-cluster-management:{{ .KlusterletName }}-registration-agent + name: open-cluster-management:{{ .KlusterletName }}-registration:agent subjects: - kind: ServiceAccount name: {{ .KlusterletName }}-registration-sa 
@@ -308,7 +308,7 @@ var _manifestsKlusterletKlusterletWorkClusterroleYaml = []byte(`# Clusterrole fo apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent + name: open-cluster-management:{{ .KlusterletName }}-work:agent rules: # Allow agent to get/list/watch/create/delete crds. - apiGroups: ["apiextensions.k8s.io"] @@ -353,11 +353,11 @@ func manifestsKlusterletKlusterletWorkClusterroleYaml() (*asset, error) { var _manifestsKlusterletKlusterletWorkClusterrolebindingAdditionYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent-addition + name: open-cluster-management:{{ .KlusterletName }}-work:agent-addition roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent + name: open-cluster-management:{{ .KlusterletName }}-work:agent subjects: - kind: ServiceAccount name: {{ .KlusterletName }}-work-sa @@ -382,7 +382,7 @@ func manifestsKlusterletKlusterletWorkClusterrolebindingAdditionYaml() (*asset, var _manifestsKlusterletKlusterletWorkClusterrolebindingYaml = []byte(`apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: - name: system:open-cluster-management:{{ .KlusterletName }}-work-agent + name: open-cluster-management:{{ .KlusterletName }}-work:agent roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole diff --git a/test/integration/clustermanager_test.go b/test/integration/clustermanager_test.go index 7d1d02c01..7f76f3a56 100644 --- a/test/integration/clustermanager_test.go +++ b/test/integration/clustermanager_test.go 
@@ -52,8 +52,8 @@ var _ = ginkgo.Describe("ClusterManager", func() { }, eventuallyTimeout, eventuallyInterval).Should(gomega.BeTrue()) // Check clusterrole/clusterrolebinding - hubRegistrationClusterRole := fmt.Sprintf("system:open-cluster-management:%s-registration-controller", clusterManagerName) - hubWebhookClusterRole := fmt.Sprintf("system:open-cluster-management:%s-registration-webhook", clusterManagerName) + hubRegistrationClusterRole := fmt.Sprintf("open-cluster-management:%s-registration:controller", clusterManagerName) + hubWebhookClusterRole := fmt.Sprintf("open-cluster-management:%s-registration:webhook", clusterManagerName) gomega.Eventually(func() bool { if _, err := kubeClient.RbacV1().ClusterRoles().Get(context.Background(), hubRegistrationClusterRole, metav1.GetOptions{}); err != nil { return false diff --git a/test/integration/klusterlet_test.go b/test/integration/klusterlet_test.go index e50b3a4c6..e5257fa47 100644 --- a/test/integration/klusterlet_test.go +++ b/test/integration/klusterlet_test.go @@ -86,8 +86,8 @@ var _ = ginkgo.Describe("Klusterlet", func() { ginkgo.BeforeEach(func() { registrationDeploymentName = fmt.Sprintf("%s-registration-agent", klusterlet.Name) workDeploymentName = fmt.Sprintf("%s-work-agent", klusterlet.Name) - registrationRoleName = fmt.Sprintf("system:open-cluster-management:%s", registrationDeploymentName) - workRoleName = fmt.Sprintf("system:open-cluster-management:%s", workDeploymentName) + registrationRoleName = fmt.Sprintf("open-cluster-management:%s-registration:agent", klusterlet.Name) + workRoleName = fmt.Sprintf("open-cluster-management:%s-work:agent", klusterlet.Name) registrationSAName = fmt.Sprintf("%s-registration-sa", klusterlet.Name) workSAName = fmt.Sprintf("%s-work-sa", klusterlet.Name) })
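Review bot: The updated checks in clustermanager_test.go only wait for the new names `open-cluster-management:%s-registration:controller` and `open-cluster-management:%s-registration:webhook` to exist, so the suite would still pass if an upgraded cluster kept the old `system:open-cluster-management:%s-registration-controller` ClusterRole and its binding. An upgrade case that pre-creates the legacy objects and then asserts they are gone would pin that, e.g. `_, err := kubeClient.RbacV1().ClusterRoles().Get(context.Background(), legacyRegistrationClusterRole, metav1.GetOptions{})` followed by a check that `err` is a NotFound error. The klusterlet_test.go hunk has the same gap for `registrationRoleName` and `workRoleName`. Both enclosing ginkgo closures start and end outside the hunks shown.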