added own serviceaccount for all components

neuvector · Dec 7, 2020 · a0c4f1d · a0c4f1d
1 parent 3657cdd
commit a0c4f1d
Show file tree

Hide file tree

Showing 23 changed files with 54 additions and 24 deletions.
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ $ helm install --name my-release --namespace neuvector neuvector/core  --set ima
 $ oc new-project neuvector
 ```
 
-- Grant Service Account Access to the Privileged SCC.
+- Grant Service Account Access to the Privileged SCC. Please replace the service account name that you plan to use. You can specify the service account to manage NeuVector deployment in values.yaml.
 ```console
 $ oc -n neuvector adm policy add-scc-to-user privileged -z default
 ```

diff --git a/charts/core/Chart.yaml b/charts/core/Chart.yaml
@@ -1,6 +1,6 @@
 name: core
 apiVersion: v1
-version: 1.6.4
+version: 1.6.5
 appVersion: 4.0.0
 description: Helm chart for NeuVector's core services
 home: https://neuvector.com

diff --git a/charts/core/README.md b/charts/core/README.md
@@ -60,6 +60,7 @@ Parameter | Description | Default | Notes
 `tag` | image tag for controller enforcer manager | `latest` |
 `imagePullSecrets` | image pull secret | `nil` |
 `psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
+`serviceAccount` | Service account name for NeuVector components | `default` |
 `controller.enabled` | If true, create controller | `true` |
 `controller.image.repository` | controller image repository | `neuvector/controller` |
 `controller.replicas` | controller replicas | `3` |

diff --git a/charts/core/templates/clusterrolebinding.yaml b/charts/core/templates/clusterrolebinding.yaml
@@ -23,11 +23,11 @@ roleRef:
   name: neuvector-binding-app
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 
 ---
@@ -54,11 +54,11 @@ roleRef:
   name: neuvector-binding-rbac
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 
 ---
@@ -85,11 +85,11 @@ roleRef:
   name: neuvector-binding-admission
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 
 ---
@@ -116,11 +116,11 @@ roleRef:
   name: view
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 
 ---
@@ -140,6 +140,6 @@ roleRef:
   name: neuvector-binding-co
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- end }}
diff --git a/charts/core/templates/controller-deployment.yaml b/charts/core/templates/controller-deployment.yaml
@@ -45,6 +45,8 @@ spec:
     {{- if .Values.controller.priorityClassName }}
       priorityClassName: {{ .Values.controller.priorityClassName }}
     {{- end }}
+      serviceAccountName: {{ .Values.serviceAccount }}
+      serviceAccount: {{ .Values.serviceAccount }}
       containers:
         - name: neuvector-controller-pod
           image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}"

diff --git a/charts/core/templates/crd.yaml b/charts/core/templates/crd.yaml
@@ -120,11 +120,11 @@ roleRef:
   name: neuvector-binding-customresourcedefinition
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 ---
 # ClusterRole for NeuVector to manager user-created CRD rules
@@ -175,10 +175,10 @@ roleRef:
   name: neuvector-binding-nvsecurityrules
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 {{- end }}
diff --git a/charts/core/templates/enforcer-daemonset.yaml b/charts/core/templates/enforcer-daemonset.yaml
@@ -36,6 +36,8 @@ spec:
     {{- if .Values.enforcer.priorityClassName }}
       priorityClassName: {{ .Values.enforcer.priorityClassName }}
     {{- end }}
+      serviceAccountName: {{ .Values.serviceAccount }}
+      serviceAccount: {{ .Values.serviceAccount }}
       containers:
         - name: neuvector-enforcer-pod
           image: "{{ .Values.registry }}/{{ .Values.enforcer.image.repository }}:{{ .Values.tag }}"

diff --git a/charts/core/templates/manager-deployment.yaml b/charts/core/templates/manager-deployment.yaml
@@ -30,6 +30,8 @@ spec:
     {{- if .Values.manager.priorityClassName }}
       priorityClassName: {{ .Values.manager.priorityClassName }}
     {{- end }}
+      serviceAccountName: {{ .Values.serviceAccount }}
+      serviceAccount: {{ .Values.serviceAccount }}
       containers:
         - name: neuvector-manager-pod
           image: "{{ .Values.registry }}/{{ .Values.manager.image.repository }}:{{ .Values.tag }}"

diff --git a/charts/core/templates/psp.yaml b/charts/core/templates/psp.yaml
@@ -72,6 +72,6 @@ roleRef:
   name: neuvector-binding-psp
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- end }}
diff --git a/charts/core/templates/rolebinding.yaml b/charts/core/templates/rolebinding.yaml
@@ -23,9 +23,9 @@ roleRef:
   name: admin
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
diff --git a/charts/core/templates/scanner-deployment.yaml b/charts/core/templates/scanner-deployment.yaml
@@ -31,6 +31,8 @@ spec:
     {{- if .Values.cve.scanner.priorityClassName }}
       priorityClassName: {{ .Values.cve.scanner.priorityClassName }}
     {{- end }}
+      serviceAccountName: {{ .Values.serviceAccount }}
+      serviceAccount: {{ .Values.serviceAccount }}
       containers:
         - name: neuvector-scanner-pod
           image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:latest"

diff --git a/charts/core/templates/serviceaccount.yaml b/charts/core/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/core/templates/updater-cronjob.yaml b/charts/core/templates/updater-cronjob.yaml
@@ -29,6 +29,8 @@ spec:
         {{- if .Values.cve.updater.priorityClassName }}
           priorityClassName: {{ .Values.cve.updater.priorityClassName }}
         {{- end }}
+          serviceAccountName: {{ .Values.serviceAccount }}
+          serviceAccount: {{ .Values.serviceAccount }}
           containers:
             - name: neuvector-updater-pod
               image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}"

diff --git a/charts/core/values.yaml b/charts/core/values.yaml
@@ -8,6 +8,7 @@ registry: docker.io
 tag: latest
 imagePullSecrets:
 psp: false
+serviceAccount: default
 
 controller:
   # If false, controller will not be installed

diff --git a/charts/crd/Chart.yaml b/charts/crd/Chart.yaml
@@ -1,6 +1,6 @@
 name: crd
 apiVersion: v1
-version: 1.6.2
+version: 1.6.3
 appVersion: 4.0.0
 description: Helm chart for NeuVector's CRD services
 home: https://neuvector.com

diff --git a/charts/crd/README.md b/charts/crd/README.md
@@ -11,6 +11,7 @@ The following table lists the configurable parameters of the NeuVector chart and
 Parameter | Description | Default | Notes
 --------- | ----------- | ------- | -----
 `openshift` | If deploying in OpenShift, set this to true | `false` |
+`serviceAccount` | Service account name for NeuVector components | `default` |
 `crdwebhook.type` | crd webhook type | `ClusterIP` |
 
 ---

diff --git a/charts/crd/templates/crd.yaml b/charts/crd/templates/crd.yaml
@@ -119,11 +119,11 @@ roleRef:
   name: neuvector-binding-customresourcedefinition
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
 ---
 # ClusterRole for NeuVector to manager user-created CRD rules
@@ -174,9 +174,9 @@ roleRef:
   name: neuvector-binding-nvsecurityrules
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: {{ .Values.serviceAccount }}
   namespace: {{ .Release.Namespace }}
 {{- if $oc3 }}
 userNames:
-- system:serviceaccount:{{ .Release.Namespace }}:default
+- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
 {{- end }}
diff --git a/charts/crd/templates/serviceaccount.yaml b/charts/crd/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.serviceAccount }}
+  namespace: {{ .Release.Namespace }}
diff --git a/charts/crd/values.yaml b/charts/crd/values.yaml
@@ -4,5 +4,7 @@
 
 openshift: false
 
+serviceAccount: default
+
 crdwebhook:
   type: ClusterIP
diff --git a/charts/monitor/Chart.yaml b/charts/monitor/Chart.yaml
@@ -1,6 +1,6 @@
 name: monitor
 apiVersion: v1
-version: 0.9.1
+version: 0.9.2
 appVersion: 4.0.0
 description: Helm chart for NeuVector monitor services
 home: https://neuvector.com

diff --git a/charts/monitor/README.md b/charts/monitor/README.md
@@ -8,6 +8,7 @@ The following table lists the configurable parameters of the NeuVector chart and
 
 Parameter | Description | Default | Notes
 --------- | ----------- | ------- | -----
+`serviceAccount` | Service account name for NeuVector components | `default` |
 `exporter.enabled` | If true, create Prometheus exporter | `false` |
 `exporter.image.repository` | exporter image name | `neuvector/prometheus-exporter` |
 `exporter.image.tag` | exporter image tag | `latest` |

diff --git a/charts/monitor/templates/exporter-deployment.yaml b/charts/monitor/templates/exporter-deployment.yaml
@@ -27,6 +27,8 @@ spec:
       imagePullSecrets:
         - name: {{ .Values.imagePullSecrets }}
     {{- end }}
+      serviceAccountName: {{ .Values.serviceAccount }}
+      serviceAccount: {{ .Values.serviceAccount }}
       containers:
         - name: neuvector-prometheus-exporter-pod
           image: "{{ .Values.registry }}/{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}"

diff --git a/charts/monitor/values.yaml b/charts/monitor/values.yaml
@@ -2,6 +2,8 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into the templates.
 
+serviceAccount: default
+
 exporter:
   # If false, exporter will not be installed
   enabled: false