authorHuabing Zhao <zhaohuabing@gmail.com>2018-08-08 06:27:37 +0000
committerHuabing Zhao <zhaohuabing@gmail.com>2018-08-08 06:27:48 +0000
commit8f7cc81cea39dd84d1544563d7c1c053bc0ce19d (patch)
treea5e57526a8e71afd5aa1c7d36a6ccf5dbc3bbb92
parent69eec44c775060de6fc84220dd5a90c81c211725 (diff)
Create Service Account for MSB
Use a non-default service account for MSB, so we can have a different Istio auth policy for each service Issue-ID: MSB-272 Change-Id: I38372660ab2787f9ee0b1b50d353ff0aee4a0246 Signed-off-by: Huabing Zhao <zhaohuabing@gmail.com>
-rw-r--r--kubernetes/msb/charts/kube2msb/templates/deployment.yaml1
-rw-r--r--kubernetes/msb/charts/msb-consul/templates/deployment.yaml1
-rw-r--r--kubernetes/msb/charts/msb-discovery/templates/deployment.yaml1
-rw-r--r--kubernetes/msb/charts/msb-eag/templates/deployment.yaml1
-rw-r--r--kubernetes/msb/charts/msb-iag/templates/deployment.yaml1
-rw-r--r--kubernetes/msb/templates/serviceaccout.yaml37
6 files changed, 42 insertions, 0 deletions
diff --git a/kubernetes/msb/charts/kube2msb/templates/deployment.yaml b/kubernetes/msb/charts/kube2msb/templates/deployment.yaml
index c9911eb036..78361a7a71 100644
--- a/kubernetes/msb/charts/kube2msb/templates/deployment.yaml
+++ b/kubernetes/msb/charts/kube2msb/templates/deployment.yaml
@@ -18,6 +18,7 @@ spec:
annotations:
sidecar.istio.io/inject: "{{.Values.istioSidecar}}"
spec:
+ serviceAccountName: msb
initContainers:
- command:
- /root/ready.py
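Review bot: The added `serviceAccountName: msb` gives this pod the same identity as the msb-consul, msb-discovery, msb-eag and msb-iag pods in the following hunks, so the five workloads cannot be told apart in RBAC or Istio auth policy and each one has that account's token mounted. Because serviceaccout.yaml in this commit binds the account to `cluster-admin`, a dedicated account should go only to the component that actually calls the Kubernetes API (presumably kube2msb, to be confirmed), and the other pod specs should set `automountServiceAccountToken: false`. The name is also hard-coded rather than derived from the release, which looks likely to collide if the chart is installed twice in one namespace. The pod spec continues outside the hunk.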
diff --git a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml
index 09a3d8f470..fb3a90aeae 100644
--- a/kubernetes/msb/charts/msb-consul/templates/deployment.yaml
+++ b/kubernetes/msb/charts/msb-consul/templates/deployment.yaml
@@ -18,6 +18,7 @@ spec:
annotations:
sidecar.istio.io/inject: "{{.Values.istioSidecar}}"
spec:
+ serviceAccountName: msb
containers:
- name: {{ include "common.name" . }}
image: "{{ .Values.global.dockerHubRepository | default .Values.dockerHubRepository }}/{{ .Values.image }}"
diff --git a/kubernetes/msb/charts/msb-discovery/templates/deployment.yaml b/kubernetes/msb/charts/msb-discovery/templates/deployment.yaml
index 967e0e9bb7..c7337b3791 100644
--- a/kubernetes/msb/charts/msb-discovery/templates/deployment.yaml
+++ b/kubernetes/msb/charts/msb-discovery/templates/deployment.yaml
@@ -18,6 +18,7 @@ spec:
annotations:
sidecar.istio.io/inject: "{{.Values.istioSidecar}}"
spec:
+ serviceAccountName: msb
initContainers:
- command:
- /root/ready.py
diff --git a/kubernetes/msb/charts/msb-eag/templates/deployment.yaml b/kubernetes/msb/charts/msb-eag/templates/deployment.yaml
index 31bb2c96c8..9b7d556020 100644
--- a/kubernetes/msb/charts/msb-eag/templates/deployment.yaml
+++ b/kubernetes/msb/charts/msb-eag/templates/deployment.yaml
@@ -18,6 +18,7 @@ spec:
annotations:
sidecar.istio.io/inject: "{{.Values.istioSidecar}}"
spec:
+ serviceAccountName: msb
initContainers:
- command:
- /root/ready.py
diff --git a/kubernetes/msb/charts/msb-iag/templates/deployment.yaml b/kubernetes/msb/charts/msb-iag/templates/deployment.yaml
index 31bb2c96c8..9b7d556020 100644
--- a/kubernetes/msb/charts/msb-iag/templates/deployment.yaml
+++ b/kubernetes/msb/charts/msb-iag/templates/deployment.yaml
@@ -18,6 +18,7 @@ spec:
annotations:
sidecar.istio.io/inject: "{{.Values.istioSidecar}}"
spec:
+ serviceAccountName: msb
initContainers:
- command:
- /root/ready.py
diff --git a/kubernetes/msb/templates/serviceaccout.yaml b/kubernetes/msb/templates/serviceaccout.yaml
new file mode 100644
index 0000000000..560987bfc1
--- /dev/null
+++ b/kubernetes/msb/templates/serviceaccout.yaml
@@ -0,0 +1,37 @@
+# Copyright © 2017 Amdocs, Bell Canada, ZTE
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: msb
+ namespace: {{ include "common.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "common.namespace" . }}-msb-binding
+ namespace: {{ include "common.namespace" . }}
+ labels:
+ app: {{ include "common.name" . }}
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: msb
+ namespace: {{ include "common.namespace" . }}
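Review bot: The ClusterRoleBinding's `roleRef` names `cluster-admin`, so the `msb` service account, which this commit attaches to all five MSB deployments, holds unrestricted rights in every namespace, and a compromise of any one of those pods exposes a cluster-wide credential. The stated goal of a distinct identity for Istio auth policy needs only the ServiceAccount itself. If a component does have to read the Kubernetes API, bind it to a role that lists just those resources and verbs, as sketched below; the role name and resource list there are constructed and must be confirmed against what the component really reads. `metadata.namespace` on a ClusterRoleBinding has no effect because the kind is cluster-scoped, so it should be dropped.

```yaml
# … unchanged: license header and ServiceAccount …
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  # constructed name, adjust to the chart's naming convention
  name: {{ include "common.namespace" . }}-msb-reader
rules:
  # assumption: read-only discovery access; confirm the exact resources needed
  - apiGroups: [""]
    resources: ["services", "pods"]
    verbs: ["get", "list", "watch"]
---
# … unchanged: ClusterRoleBinding kind, name, labels and subjects (metadata.namespace removed) …
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ include "common.namespace" . }}-msb-reader
```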