Move to a per-namespace deployment approach

* This increases security, the awx-operator SA has less cluster-wide access * This means one operator can only deploy to a single namespace * If AWX deployments are needed in multiple namespaces, multiple awx-operators can be deployed to accomplish this. Signed-off-by: Christian M. Adams <chadams@redhat.com>
2026-03-26 21:33:14 +00:00 · 2021-09-15 15:54:09 -04:00
parent fcbf8b5715
commit 58c3ebf4b0
10 changed files with 20 additions and 22 deletions
--- a/ansible/deploy-operator.yml
+++ b/ansible/deploy-operator.yml
@@ -5,7 +5,7 @@
 - name: Deploy Operator
  hosts: localhost
  vars:
-    k8s_namespace: "default"
+    k8s_namespace: "{{ namespace | default('default') }}"
    obliterate: no

  collections:
--- a/ansible/templates/operator.yml.j2
+++ b/ansible/templates/operator.yml.j2
@@ -22,9 +22,11 @@ spec:
            - mountPath: /tmp/ansible-operator/runner
              name: runner
          env:
-            # Watch all namespaces (cluster-scoped).
+            # Watch one namespace (namespace-scoped).
            - name: WATCH_NAMESPACE
-              value: ""
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -1,6 +1,6 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
  creationTimestamp: null
  name: awx-operator
@@ -95,7 +95,6 @@ rules:
      - replicasets
    verbs:
      - get
-    verbs:
      - create
  - apiGroups:
      - awx.ansible.com
--- a/ansible/templates/role_binding.yml.j2
+++ b/ansible/templates/role_binding.yml.j2
@@ -1,13 +1,12 @@
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: awx-operator
 subjects:
  - kind: ServiceAccount
    name: awx-operator
-    namespace: default
 roleRef:
-  kind: ClusterRole
+  kind: Role
  name: awx-operator
  apiGroup: rbac.authorization.k8s.io
--- a/ansible/templates/service_account.yml.j2
+++ b/ansible/templates/service_account.yml.j2
@@ -3,4 +3,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: awx-operator
-  namespace: default
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -610,7 +610,7 @@ spec:

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
  creationTimestamp: null
  name: awx-operator
@@ -705,7 +705,6 @@ rules:
      - replicasets
    verbs:
      - get
-    verbs:
      - create
  - apiGroups:
      - awx.ansible.com
@@ -717,16 +716,15 @@ rules:
      - '*'

 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: awx-operator
 subjects:
  - kind: ServiceAccount
    name: awx-operator
-    namespace: default
 roleRef:
-  kind: ClusterRole
+  kind: Role
  name: awx-operator
  apiGroup: rbac.authorization.k8s.io

@@ -735,7 +733,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: awx-operator
-  namespace: default

 ---
 apiVersion: apps/v1
@@ -761,9 +758,11 @@ spec:
            - mountPath: /tmp/ansible-operator/runner
              name: runner
          env:
-            # Watch all namespaces (cluster-scoped).
+            # Watch one namespace (namespace-scoped).
            - name: WATCH_NAMESPACE
-              value: ""
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -755,11 +755,11 @@ spec:
  installModes:
  - supported: true
    type: OwnNamespace
-  - supported: true
+  - supported: false
    type: SingleNamespace
  - supported: false
    type: MultiNamespace
-  - supported: true
+  - supported: false
    type: AllNamespaces
  keywords:
  - awx
--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -26,4 +26,4 @@ provisioner:
  inventory:
    group_vars:
      all:
-        operator_namespace: ${TEST_NAMESPACE:-default}
+        operator_namespace: ${TEST_NAMESPACE:-example-awx}
--- a/molecule/test-minikube/molecule.yml
+++ b/molecule/test-minikube/molecule.yml
@@ -19,7 +19,7 @@ provisioner:
  inventory:
    group_vars:
      all:
-        operator_namespace: ${TEST_NAMESPACE:-default}
+        operator_namespace: ${TEST_NAMESPACE:-example-awx}
  env:
    ANSIBLE_ROLES_PATH: ${MOLECULE_PROJECT_DIRECTORY}/roles
 scenario:
--- a/scripts/okd-console.yaml
+++ b/scripts/okd-console.yaml
@@ -1,6 +1,6 @@
 ### Don't run this deployment in production
 ### The current configuration will run the
-### OKD console without any autentication!!!!
+### OKD console without any authentication!!!!
 ###
 ### A prerequisite is to install the OLM
 ### as instructed at https://olm.operatorframework.io/docs/getting-started/#install-released-olm