From d4e7ae96a91771ee2ec1230c71947d10aa772254 Mon Sep 17 00:00:00 2001 From: kezhenxu94 Date: Fri, 28 Oct 2022 10:27:44 +0800 Subject: [PATCH] Add configmap resource permissions so config hot reload can work (#12572) --- .../deployment-dolphinscheduler-alert.yaml | 1 + .../deployment-dolphinscheduler-api.yaml | 1 + .../dolphinscheduler/templates/rbac.yaml | 53 +++++++++++++++++++ .../statefulset-dolphinscheduler-master.yaml | 1 + .../statefulset-dolphinscheduler-worker.yaml | 1 + 5 files changed, 57 insertions(+) create mode 100644 deploy/kubernetes/dolphinscheduler/templates/rbac.yaml diff --git a/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-alert.yaml b/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-alert.yaml index e2ee9f64d1..7772943d82 100644 --- a/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-alert.yaml +++ b/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-alert.yaml @@ -39,6 +39,7 @@ spec: {{- toYaml .Values.alert.annotations | nindent 8 }} {{- end }} spec: + serviceAccountName: {{ template "dolphinscheduler.fullname" . }} {{- if .Values.alert.affinity }} affinity: {{- toYaml .Values.alert.affinity | nindent 8 }} diff --git a/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-api.yaml b/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-api.yaml index 766620fcb3..159d893ac3 100644 --- a/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-api.yaml +++ b/deploy/kubernetes/dolphinscheduler/templates/deployment-dolphinscheduler-api.yaml @@ -39,6 +39,7 @@ spec: {{- toYaml .Values.api.annotations | nindent 8 }} {{- end }} spec: + serviceAccountName: {{ template "dolphinscheduler.fullname" . }} {{- if .Values.api.affinity }} affinity: {{- toYaml .Values.api.affinity | nindent 8 }} diff --git a/deploy/kubernetes/dolphinscheduler/templates/rbac.yaml b/deploy/kubernetes/dolphinscheduler/templates/rbac.yaml new file mode 100644 index 0000000000..a343cc1d6b --- /dev/null +++ b/deploy/kubernetes/dolphinscheduler/templates/rbac.yaml @@ -0,0 +1,53 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: {{ template "dolphinscheduler.fullname" . }} + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + release: {{ .Release.Name }} + name: {{ template "dolphinscheduler.fullname" . }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "dolphinscheduler.fullname" . }} + labels: + app: {{ template "dolphinscheduler.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "watch", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "dolphinscheduler.fullname" . }} + labels: + app: {{ template "dolphinscheduler.fullname" . }} + chart: "{{ .Chart.Name }}-{{ .Chart.Version }}" + release: "{{ .Release.Name }}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "dolphinscheduler.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "dolphinscheduler.fullname" . }} + namespace: {{ .Release.Namespace }} diff --git a/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-master.yaml b/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-master.yaml index 6610f3598d..3c1c507cd2 100644 --- a/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-master.yaml +++ b/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-master.yaml @@ -36,6 +36,7 @@ spec: {{- toYaml .Values.master.annotations | nindent 8 }} {{- end }} spec: + serviceAccountName: {{ template "dolphinscheduler.fullname" . }} {{- if .Values.master.affinity }} affinity: {{- toYaml .Values.master.affinity | nindent 8 }} diff --git a/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-worker.yaml b/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-worker.yaml index 6c0e6034b3..eb06883a45 100644 --- a/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-worker.yaml +++ b/deploy/kubernetes/dolphinscheduler/templates/statefulset-dolphinscheduler-worker.yaml @@ -36,6 +36,7 @@ spec: {{- toYaml .Values.worker.annotations | nindent 8 }} {{- end }} spec: + serviceAccountName: {{ template "dolphinscheduler.fullname" . }} {{- if .Values.worker.affinity }} affinity: {{- toYaml .Values.worker.affinity | nindent 8 }}