Grant Event creation permission clusterwide (instead of install names…

…pace) Signed-off-by: Jort Koopmans <[email protected]>
argoproj-labs · Sep 2, 2024 · d0c3300 · d0c3300
1 parent 234773c
commit d0c3300
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 7 deletions.
diff --git a/manifests/base/rbac/argocd-image-updater-clusterrole.yaml b/manifests/base/rbac/argocd-image-updater-clusterrole.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-image-updater
+    app.kubernetes.io/part-of: argocd-image-updater
+    app.kubernetes.io/component: controller
+  name: argocd-image-updater
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - events
+    verbs:
+      - create
diff --git a/manifests/base/rbac/argocd-image-updater-clusterrolebinding.yaml b/manifests/base/rbac/argocd-image-updater-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: argocd-image-updater
+    app.kubernetes.io/part-of: argocd-image-updater
+    app.kubernetes.io/component: controller
+  name: argocd-image-updater
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-image-updater
+subjects:
+  - kind: ServiceAccount
+    name: argocd-image-updater
diff --git a/manifests/base/rbac/argocd-image-updater-role.yaml b/manifests/base/rbac/argocd-image-updater-role.yaml
@@ -25,10 +25,3 @@ rules:
       - list
       - update
       - patch
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-
diff --git a/manifests/base/rbac/kustomization.yaml b/manifests/base/rbac/kustomization.yaml
@@ -2,6 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - argocd-image-updater-clusterrole.yaml
+  - argocd-image-updater-clusterrolebinding.yaml
   - argocd-image-updater-role.yaml
   - argocd-image-updater-rolebinding.yaml
   - argocd-image-updater-sa.yaml
diff --git a/manifests/install.yaml b/manifests/install.yaml
@@ -34,6 +34,16 @@ rules:
   - list
   - update
   - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: argocd-image-updater
+    app.kubernetes.io/part-of: argocd-image-updater
+  name: argocd-image-updater
+rules:
 - apiGroups:
   - ""
   resources:
@@ -57,6 +67,22 @@ subjects:
 - kind: ServiceAccount
   name: argocd-image-updater
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/component: controller
+    app.kubernetes.io/name: argocd-image-updater
+    app.kubernetes.io/part-of: argocd-image-updater
+  name: argocd-image-updater
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: argocd-image-updater
+subjects:
+- kind: ServiceAccount
+  name: argocd-image-updater
+---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,10 +25,3 @@ rules: @@
           - list
           - update
           - patch
-      - apiGroups:
-          - ""
-        resources:
-          - events
-        verbs:
-          - create