Move to a per-namespace deployment approach

* This increases security, the awx-operator SA has less cluster-wide access * This means one operator can only deploy to a single namespace * If AWX deployments are needed in multiple namespaces, multiple awx-operators can be deployed to accomplish this. Signed-off-by: Christian M. Adams <chadams@redhat.com>
2026-05-06 05:12:47 +00:00 · 2021-09-15 15:54:09 -04:00
parent fcbf8b5715
commit 58c3ebf4b0
10 changed files with 20 additions and 22 deletions
--- a/deploy/awx-operator.yaml
+++ b/deploy/awx-operator.yaml
@@ -610,7 +610,7 @@ spec:

 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
  creationTimestamp: null
  name: awx-operator
@@ -705,7 +705,6 @@ rules:
      - replicasets
    verbs:
      - get
-    verbs:
      - create
  - apiGroups:
      - awx.ansible.com
@@ -717,16 +716,15 @@ rules:
      - '*'

 ---
-kind: ClusterRoleBinding
+kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  name: awx-operator
 subjects:
  - kind: ServiceAccount
    name: awx-operator
-    namespace: default
 roleRef:
-  kind: ClusterRole
+  kind: Role
  name: awx-operator
  apiGroup: rbac.authorization.k8s.io

@@ -735,7 +733,6 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: awx-operator
-  namespace: default

 ---
 apiVersion: apps/v1
@@ -761,9 +758,11 @@ spec:
            - mountPath: /tmp/ansible-operator/runner
              name: runner
          env:
-            # Watch all namespaces (cluster-scoped).
+            # Watch one namespace (namespace-scoped).
            - name: WATCH_NAMESPACE
-              value: ""
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
            - name: POD_NAME
              valueFrom:
                fieldRef:
--- a/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
+++ b/deploy/olm-catalog/awx-operator/manifests/awx-operator.clusterserviceversion.yaml
@@ -755,11 +755,11 @@ spec:
  installModes:
  - supported: true
    type: OwnNamespace
-  - supported: true
+  - supported: false
    type: SingleNamespace
  - supported: false
    type: MultiNamespace
-  - supported: true
+  - supported: false
    type: AllNamespaces
  keywords:
  - awx