Move to a per-namespace deployment approach

* This increases security, the awx-operator SA has less cluster-wide access * This means one operator can only deploy to a single namespace * If AWX deployments are needed in multiple namespaces, multiple awx-operators can be deployed to accomplish this. Signed-off-by: Christian M. Adams <chadams@redhat.com>
2026-05-07 22:02:53 +00:00 · 2021-09-15 15:54:09 -04:00
parent fcbf8b5715
commit 58c3ebf4b0
10 changed files with 20 additions and 22 deletions
--- a/ansible/deploy-operator.yml
+++ b/ansible/deploy-operator.yml
@@ -5,7 +5,7 @@
 - name: Deploy Operator
  hosts: localhost
  vars:
-    k8s_namespace: "default"
+    k8s_namespace: "{{ namespace | default('default') }}"
    obliterate: no

  collections:
--- a/ansible/templates/operator.yml.j2
+++ b/ansible/templates/operator.yml.j2
@@ -22,9 +22,11 @@ spec:
            - mountPath: /tmp/ansible-operator/runner
              name: runner
          env:
-            # Watch all namespaces (cluster-scoped).
+            # Watch one namespace (namespace-scoped).
            - name: WATCH_NAMESPACE
-              value: ""
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
--- a/ansible/templates/role.yml.j2
+++ b/ansible/templates/role.yml.j2
@@ -1,6 +1,6 @@
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
  creationTimestamp: null
  name: awx-operator
@@ -95,7 +95,6 @@ rules:
      - replicasets
    verbs:
      - get
-    verbs:
      - create
  - apiGroups:
      - awx.ansible.com
--- a/ansible/templates/role_binding.yml.j2
+++ b/ansible/templates/role_binding.yml.j2
@@ -1,13 +1,12 @@
 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: awx-operator
 subjects:
  - kind: ServiceAccount
    name: awx-operator
-    namespace: default
 roleRef:
-  kind: ClusterRole
+  kind: Role
  name: awx-operator
  apiGroup: rbac.authorization.k8s.io
--- a/ansible/templates/service_account.yml.j2
+++ b/ansible/templates/service_account.yml.j2
@@ -3,4 +3,3 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: awx-operator
-  namespace: default