

kustomize: use separate ServiceAccount for Quay app pods (PROJQUAY-1909)
The Quay app pods will use their own ServiceAccount, rather than
the default one in the namespace. This allows modifying permissions
using SecurityContextConstraints without affecting other pods in
the namespace.

Signed-off-by: Alec Merdler <alecmerdler@gmail.com>
alecmerdler committed Apr 20, 2021
1 parent 007de38 commit 51859ca
Showing 6 changed files with 7 additions and 47 deletions.
3 changes: 1 addition & 2 deletions kustomize/base/kustomization.yaml
Expand Up @@ -4,8 +4,7 @@ kind: Kustomization
commonLabels:
app: quay
resources:
- ./quay.role.yaml
- ./quay.rolebinding.yaml
- ./quay.serviceaccount.yaml
- ./quay.deployment.yaml
- ./quay.service.yaml
- ./upgrade.deployment.yaml
1 change: 1 addition & 0 deletions kustomize/base/quay.deployment.yaml
Expand Up @@ -14,6 +14,7 @@ spec:
labels:
quay-component: quay-app
spec:
serviceAccountName: quay-app
volumes:
- name: configvolume
secret:
31 changes: 0 additions & 31 deletions kustomize/base/quay.role.yaml

This file was deleted.

11 changes: 0 additions & 11 deletions kustomize/base/quay.rolebinding.yaml

This file was deleted.

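--- /dev/null
+++ b/kustomize/base/quay.serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: quay-app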
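Review bot: The new ServiceAccount sets no automountServiceAccountToken, so quay-app pods will still receive an API token mounted even though this commit deletes the only RBAC objects in the base (quay.role.yaml and quay.rolebinding.yaml) and binds nothing to quay-app. If the application does not call the Kubernetes API, add `automountServiceAccountToken: false` under the ServiceAccount's top level (or in the pod spec) so the unused credential is not exposed to the container. If it does need API access, the removed Role/RoleBinding would have to be replaced by a binding to quay-app, which the description does not mention; the old expected-object names "quay-serviceaccount" and "quay-secret-writer" in kustomize_test.go suggest the previous binding granted secret writes, so please confirm which case applies.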
4 changes: 1 addition & 3 deletions pkg/kustomize/kustomize_test.go
Expand Up @@ -11,7 +11,6 @@ import (
appsv1 "k8s.io/api/apps/v1"
batchv1 "k8s.io/api/batch/v1"
corev1 "k8s.io/api/core/v1"
rbac "k8s.io/api/rbac/v1beta1"
"k8s.io/apimachinery/pkg/api/meta"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
Expand Down Expand Up @@ -205,8 +204,6 @@ func TestFlattenSecret(t *testing.T) {

var quayComponents = map[string][]client.Object{
"base": {
&rbac.Role{ObjectMeta: metav1.ObjectMeta{Name: "quay-serviceaccount"}},
&rbac.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: "quay-secret-writer"}},
&appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "quay-app"}},
&appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "quay-app-upgrade"}},
&appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: "quay-config-editor"}},
Expand All @@ -216,6 +213,7 @@ var quayComponents = map[string][]client.Object{
&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "cluster-service-ca"}},
&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "quay-config-editor-credentials"}},
&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "quay-registry-managed-secret-keys"}},
&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "quay-app"}},
},
"clair": {
&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "clair-config-secret"}},
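Review bot: The "base" expected-object list now contains a ServiceAccount named "quay-app", but as far as these hunks show nothing asserts that the quay-app Deployment's pod spec actually references that name through serviceAccountName; a typo on either side would still pass this test and only fail at deploy time, where the pod would be rejected for a missing ServiceAccount. Consider extending the test that consumes quayComponents (outside these hunks) to locate the quay-app Deployment and assert `Spec.Template.Spec.ServiceAccountName == "quay-app"`. The enclosing var block for quayComponents continues past the last hunk.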
