refactor(apps): Rework flux reconciler permissions

This patch removes the custom reconciler role and replaces it with the general admin ClusterRole, this helps to restrict access to only the save namespace resources.

refactor(apps): Rework flux reconciler permissions
2564bd3d · Sheogorath · 27ef2bfb · 2564bd3d · 2564bd3d · 2564bd3d
Verified Commit 2564bd3d authored 2 years ago by Sheogorath
--- a/apps/base/forecastle/namespace.yaml
+++ b/apps/base/forecastle/namespace.yaml
@@ -17,24 +17,14 @@ metadata:
  namespace: forecastle
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: forecastle-reconciler
-  namespace: forecastle
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: forecastle-reconciler
  namespace: forecastle
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: forecastle-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: forecastle-reconciler

--- a/apps/base/gitlab-runner/namespace.yaml
+++ b/apps/base/gitlab-runner/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
  namespace: gitlab-runner
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: gitlab-runner-reconciler
-  namespace: gitlab-runner
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: gitlab-runner-reconciler
  namespace: gitlab-runner
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: gitlab-runner-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: gitlab-runner-reconciler

--- a/apps/base/goharbor/namespace.yaml
+++ b/apps/base/goharbor/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
  namespace: goharbor
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: goharbor
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: flux-reconciler
  namespace: goharbor
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: flux-reconciler

--- a/apps/base/keycloak/namespace.yaml
+++ b/apps/base/keycloak/namespace.yaml
@@ -10,24 +10,14 @@ metadata:
  namespace: keycloak
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: keycloak-reconciler
-  namespace: keycloak
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: keycloak-reconciler
  namespace: keycloak
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: keycloak-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: keycloak-reconciler

--- a/apps/base/mail/namespace.yaml
+++ b/apps/base/mail/namespace.yaml
@@ -10,24 +10,14 @@ metadata:
  namespace: mail
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: mail
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: flux-reconciler
  namespace: mail
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: flux-reconciler

--- a/apps/base/matrix/namespace.yaml
+++ b/apps/base/matrix/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
  namespace: matrix
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: matrix-reconciler
-  namespace: matrix
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: matrix-reconciler
  namespace: matrix
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: matrix-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: matrix-reconciler

--- a/apps/base/nextcloud/namespace.yaml
+++ b/apps/base/nextcloud/namespace.yaml
@@ -12,24 +12,14 @@ metadata:
  namespace: nextcloud
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: nextcloud-reconciler
-  namespace: nextcloud
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: nextcloud-reconciler
  namespace: nextcloud
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: nextcloud-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: nextcloud-reconciler

--- a/apps/base/renovate/namespace.yaml
+++ b/apps/base/renovate/namespace.yaml
@@ -17,24 +17,14 @@ metadata:
  namespace: renovate
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: flux-reconciler
-  namespace: renovate
-rules:
-  - apiGroups: ["*"]
-    resources: ["*"]
-    verbs: ["*"]
---
-apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: flux-reconciler
  namespace: renovate
 roleRef:
  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: flux-reconciler
+  kind: ClusterRole
+  name: admin
 subjects:
  - kind: ServiceAccount
    name: flux-reconciler