From c4a7e765177c4cd6af373495186aae7dc59dcfeb Mon Sep 17 00:00:00 2001
From: Matthew Wong
Date: Wed, 22 Aug 2018 17:07:13 -0400
Subject: [PATCH] Distribute Role+Rolebinding everywhere instead of giving cluster-scoped endpoints r/w
(cherry picked from commit 7df14ef767a695d67fdc5f942203bf206a300af2)
---
 README.md | 20 +++++-----
 deploy/auth/clusterrole.yaml | 20 ----------
 deploy/auth/clusterrolebinding.yaml | 12 ------
 deploy/auth/openshift-clusterrole.yaml | 20 ----------
 deploy/auth/serviceaccount.yaml | 4 --
 deploy/deployment-arm.yaml | 5 +++
 deploy/deployment.yaml | 5 +++
 deploy/rbac.yaml | 54 ++++++++++++++++++++++++++
 8 files changed, 74 insertions(+), 66 deletions(-)
 delete mode 100644 deploy/auth/clusterrole.yaml
 delete mode 100644 deploy/auth/clusterrolebinding.yaml
 delete mode 100644 deploy/auth/openshift-clusterrole.yaml
 delete mode 100644 deploy/auth/serviceaccount.yaml
 create mode 100644 deploy/rbac.yaml
diff --git a/README.md b/README.md
index 03e55c23..4967ba49 100644
--- a/README.md
+++ b/README.md
@@ -14,15 +14,15 @@ To note again, you must *already* have an NFS Server.
 Get all of the files in the [deploy](https://github.com/kubernetes-incubator/external-storage/tree/master/nfs-client/deploy) directory of this repository. These instructions assume that you have cloned the [external-storage](https://github.com/kubernetes-incubator/external-storage) repository and have a bash-shell open in the ``nfs-client`` directory.
-**Step 3: Setup authorization**. If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" either edit `deploy/auth/clusterrolebinding.yaml` or edit the `oadm policy` command accordingly.
+**Step 3: Setup authorization**. If your cluster has RBAC enabled or you are running OpenShift you must authorize the provisioner. If you are in a namespace/project other than "default" edit `deploy/rbac.yaml`.
 Kubernetes:
 ```sh
-$ kubectl create -f deploy/auth/serviceaccount.yaml -f deploy/auth/clusterrole.yaml -f deploy/auth/clusterrolebinding.yaml
-serviceaccount "nfs-client-provisioner" created
-clusterrole "nfs-client-provisioner-runner" created
-clusterrolebinding "run-nfs-client-provisioner" created
+# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed
+$ NAMESPACE=`oc project -q`
+$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml
+$ kubectl create -f deploy/rbac.yaml
 ```
 OpenShift:
@@ -30,11 +30,11 @@ OpenShift:
 On some installations of OpenShift the default admin user does not have cluster-admin permissions. If these commands fail refer to the OpenShift documentation for **User and Role Management** or contact your OpenShift provider to help you grant the right permissions to your admin user.
 ```sh
-$ oc create -f deploy/auth/openshift-clusterrole.yaml -f deploy/auth/serviceaccount.yaml
-serviceaccount "nfs-client-provisioner" created
-clusterrole "nfs-client-provisioner-runner" created
-$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:default:nfs-client-provisioner
-$ oadm policy add-cluster-role-to-user nfs-client-provisioner-runner system:serviceaccount:default:nfs-client-provisioner
+# Set the subject of the RBAC objects to the current namespace where the provisioner is being deployed
+$ NAMESPACE=`oc project -q`
+$ sed -i'' "s/namespace:.*/namespace: $NAMESPACE/g" ./deploy/rbac.yaml
+$ oc create -f deploy/rbac.yaml
+$ oadm policy add-scc-to-user hostmount-anyuid system:serviceaccount:$NAMESPACE:nfs-client-provisioner
 ```
 **Step 4: Configure the NFS-Client provisioner**
diff --git a/deploy/auth/clusterrole.yaml b/deploy/auth/clusterrole.yaml
deleted file mode 100644
index 0ecb088b..00000000
--- a/deploy/auth/clusterrole.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: nfs-client-provisioner-runner
-rules:
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "update", "patch"]
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
\ No newline at end of file
diff --git a/deploy/auth/clusterrolebinding.yaml b/deploy/auth/clusterrolebinding.yaml
deleted file mode 100644
index 0e949a27..00000000
--- a/deploy/auth/clusterrolebinding.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: run-nfs-client-provisioner
-subjects:
- - kind: ServiceAccount
- name: nfs-client-provisioner
- namespace: default
-roleRef:
- kind: ClusterRole
- name: nfs-client-provisioner-runner
- apiGroup: rbac.authorization.k8s.io
diff --git a/deploy/auth/openshift-clusterrole.yaml b/deploy/auth/openshift-clusterrole.yaml
deleted file mode 100644
index 2f50f5b2..00000000
--- a/deploy/auth/openshift-clusterrole.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-kind: ClusterRole
-apiVersion: v1
-metadata:
- name: nfs-client-provisioner-runner
-rules:
- - apiGroups: [""]
- resources: ["persistentvolumes"]
- verbs: ["get", "list", "watch", "create", "delete"]
- - apiGroups: [""]
- resources: ["persistentvolumeclaims"]
- verbs: ["get", "list", "watch", "update"]
- - apiGroups: ["storage.k8s.io"]
- resources: ["storageclasses"]
- verbs: ["get", "list", "watch"]
- - apiGroups: [""]
- resources: ["events"]
- verbs: ["create", "update", "patch"]
- - apiGroups: [""]
- resources: ["endpoints"]
- verbs: ["get", "list", "watch", "create", "update", "patch"]
diff --git a/deploy/auth/serviceaccount.yaml b/deploy/auth/serviceaccount.yaml
deleted file mode 100644
index edead9ad..00000000
--- a/deploy/auth/serviceaccount.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: nfs-client-provisioner
diff --git a/deploy/deployment-arm.yaml b/deploy/deployment-arm.yaml
index 9f09acca..785302bd 100644
--- a/deploy/deployment-arm.yaml
+++ b/deploy/deployment-arm.yaml
@@ -1,3 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nfs-client-provisioner
+---
 kind: Deployment
 apiVersion: extensions/v1beta1
 metadata:
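Review bot: The ServiceAccount document added at the top of deploy/deployment-arm.yaml (and identically at the top of deploy/deployment.yaml) carries no `metadata.namespace`, so it is created in whatever namespace the kubectl context points at, while the bindings in deploy/rbac.yaml name their subject with an explicit `namespace:` that the README has the user substitute by hand; if those two namespaces ever differ, the bindings reference a ServiceAccount that does not exist there and the provisioner pod runs with no RBAC permissions, which only surfaces later as forbidden errors in its log. A comment on the new document would make that coupling visible at the point where it is easy to get wrong: `# must be created in the same namespace as the subject in deploy/rbac.yaml`. The Deployment that follows continues past the hunk, so whether its pod spec references this account via serviceAccountName cannot be confirmed from here.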
diff --git a/deploy/deployment.yaml b/deploy/deployment.yaml
index 1b793676..271ca060 100644
--- a/deploy/deployment.yaml
+++ b/deploy/deployment.yaml
@@ -1,3 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: nfs-client-provisioner
+---
 kind: Deployment
 apiVersion: extensions/v1beta1
 metadata:
diff --git a/deploy/rbac.yaml b/deploy/rbac.yaml
new file mode 100644
index 00000000..79bc7290
--- /dev/null
+++ b/deploy/rbac.yaml
@@ -0,0 +1,54 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: nfs-client-provisioner-runner
+rules:
+ - apiGroups: [""]
+ resources: ["persistentvolumes"]
+ verbs: ["get", "list", "watch", "create", "delete"]
+ - apiGroups: [""]
+ resources: ["persistentvolumeclaims"]
+ verbs: ["get", "list", "watch", "update"]
+ - apiGroups: ["storage.k8s.io"]
+ resources: ["storageclasses"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: ["create", "update", "patch"]
+ - apiGroups: [""]
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: run-nfs-client-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: nfs-client-provisioner
+ namespace: default
+roleRef:
+ kind: ClusterRole
+ name: nfs-client-provisioner-runner
+ apiGroup: rbac.authorization.k8s.io
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: leader-locking-nfs-client-provisioner
+rules:
+ - apiGroups: [""]
+ resources: ["endpoints"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: leader-locking-nfs-client-provisioner
+subjects:
+ - kind: ServiceAccount
+ name: nfs-client-provisioner
+ # replace with namespace where provisioner is deployed
+ namespace: default
+roleRef:
+ kind: Role
+ name: leader-locking-nfs-client-provisioner
+ apiGroup: rbac.authorization.k8s.io
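Review bot: The ClusterRole's last rule in deploy/rbac.yaml, the `- apiGroups: [""]` line immediately before the first `---`, is an orphan left behind when the endpoints rule was moved into the namespaced Role: it has no `resources` and no `verbs`, and the API server rejects a PolicyRule without verbs, so the `kubectl create -f deploy/rbac.yaml` the README now documents fails on the very first document of the file (the 54-line count in the hunk header confirms the stray line is really there). Delete that line. Separately, the Role and RoleBinding carry no `metadata.namespace`, so they land in whatever namespace the kubectl context points at while the README's sed rewrites only the subject's `namespace:`; adding `namespace: default` under both `metadata:` blocks, with the same `# replace with namespace where provisioner is deployed` comment, lets that one substitution keep the objects and their subject in the same namespace. The ClusterRoleBinding subject's `namespace: default` lacks that comment as well, even though it is the line a missed substitution leaves silently pointing at a ServiceAccount in the wrong namespace.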