CODEWITHSUNDEEP
kuberneteskustomize
Fabrice Jammes
Fabrice Jammes

Reputation: 3215

Patch namespace and change resource kind for a role binding

Using kustomize, I'd like to set namespace field for all my objects.

Here is my kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patchesJson6902:
- patch: |-
    - op: replace
      path: /kind
      value: RoleBinding
  target:
    group: rbac.authorization.k8s.io
    kind: ClusterRoleBinding
    name: manager-rolebinding
    version: v1
resources:
- role_binding.yaml 
namespace: <NAMESPACE>

Here is my resource file: role_binding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 1
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - command:
        - /manager
        args:
        - --enable-leader-election
        image: controller:latest
        name: manager

And kustomize output:

$ kustomize build      
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: <NAMESPACE>
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - args:
        - --enable-leader-election
        command:
        - /manager
        image: controller:latest
        name: manager

How can I patch the namespace field in the RoleBinding and set it to <NAMESPACE>? In above example, it works perfectly for the Deployment resource but not for the RoleBinding.

Upvotes: 3

Views: 10458

Answers (2)

Fabrice Jammes
Fabrice Jammes

Reputation: 3215

Here is a solution which solves the issue, using kustomize-v4.0.5:

cat <<EOF > kustomization.yaml 
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patchesJson6902:
- patch: |-
    - op: replace
      path: /kind
      value: RoleBinding
    - op: add
      path: /metadata/namespace
      value: 
        <NAMESPACE>
  target:
    group: rbac.authorization.k8s.io
    kind: ClusterRoleBinding
    name: manager-rolebinding
    version: v1
resources:
- role_binding.yaml 
- service_account.yaml
namespace: <NAMESPACE>
EOF

cat <<EOF > role_binding.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: system 
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 1
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - command:
        - /manager
        args:
        - --enable-leader-election
        image: controller:latest
        name: manager
EOF

cat <<EOF > service_account.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller-manager
  namespace: system
EOF

Adding the ServiceAccount resource, and the Namespace field in the RoleBinding resource allows to correctly set the subject field in the RoleBinding.

Upvotes: 4

Wytrzymały Wiktor
Wytrzymały Wiktor

Reputation: 13928

Looking directly from the code:

// roleBindingHack is a hack for implementing the namespace transform
// for RoleBinding and ClusterRoleBinding resource types.
// RoleBinding and ClusterRoleBinding have namespace set on
// elements of the "subjects" field if and only if the subject elements
// "name" is "default".  Otherwise the namespace is not set.
//
// Example:
//
// kind: RoleBinding
// subjects:
// - name: "default" # this will have the namespace set
//   ...
// - name: "something-else" # this will not have the namespace set
//   ...

The ServiceAccount and the reference on the ClusterRoleBinding needs to have "default" as namespace or otherwise it won't be replaced.

Check the example below:

$ cat <<EOF > my-resources.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-clusterrole
subjects:
- kind: ServiceAccount
  name: my-service-account
  namespace: default
EOF

$ cat <<EOF > kustomization.yaml
namespace: foo-namespace

namePrefix: foo-prefix-

resources:
- my-resources.yaml
EOF

$ kustomize build
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo-prefix-my-service-account
  namespace: foo-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: foo-prefix-my-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-clusterrole
subjects:
- kind: ServiceAccount
  name: foo-prefix-my-service-account
  namespace: foo-namespace

Upvotes: 2

Related Questions