fix(k8s): incorrect role binding for tiller service account

For now each installed Tiller needs to have cluster admin permissions, because Helm charts tend to require that sort of permission. Going forward, it would be best to get rid of Tiller entirely.
garden-io · Feb 4, 2019 · 9a61840 · 9a61840
1 parent 190690b
commit 9a61840
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/garden-service/src/plugins/kubernetes/helm/tiller.ts b/garden-service/src/plugins/kubernetes/helm/tiller.ts
@@ -108,13 +108,35 @@ function getRoleResources(namespace: string): KubernetesResource[] {
       },
       roleRef: {
         kind: "Role",
-        name: "tiller",
+        name: serviceAccountName,
+        apiGroup: "rbac.authorization.k8s.io",
+      },
+      subjects: [
+        {
+          kind: "ServiceAccount",
+          name: serviceAccountName,
+          namespace,
+        },
+      ],
+    },
+    // TODO: either get rid of Tiller entirely, or find a more narrow (yet usable) way to limit permissions
+    // cluster-wide. The reason for this is that often Helm charts contain cluster-scoped objects that are in practice
+    // difficult to limit the creation of, especically for dev.
+    {
+      apiVersion: "rbac.authorization.k8s.io/v1",
+      kind: "ClusterRoleBinding",
+      metadata: {
+        name: serviceAccountName + "-cluster-admin",
+      },
+      roleRef: {
+        kind: "ClusterRole",
+        name: "cluster-admin",
         apiGroup: "rbac.authorization.k8s.io",
       },
       subjects: [
         {
           kind: "ServiceAccount",
-          name: "tiller",
+          name: serviceAccountName,
           namespace,
         },
       ],