Remove --rbac flag

chart/stash/README.md

@@ -59,7 +59,6 @@ The following table lists the configurable parameters of the Stash chart and the
 | `annotations`                        | Annotations applied to operator pod(s)                                                                                                                                     | `{}`                                                      |
 | `nodeSelector`                       | Node labels for pod assignment                                                                                                                                             | `{}`                                                      |
 | `tolerations`                        | Tolerations used pod assignment                                                                                                                                            | `{}`                                                      |
-| `rbac.create`                        | If `true`, create and use RBAC resources                                                                                                                                   | `true`                                                    |
 | `serviceAccount.create`              | If `true`, create a new service account                                                                                                                                    | `true`                                                    |
 | `serviceAccount.name`                | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template                                              | ``                                                        |
 | `apiserver.groupPriorityMinimum`     | The minimum priority the group should have.                                                                                                                                | 10000                                                     |
@@ -91,23 +90,4 @@ installing the chart. For example:
 $ helm install --name stash-operator --values values.yaml appscode/stash
 ```
 
-## RBAC
-By default the chart will not install the recommended RBAC roles and rolebindings.
 
-You need to have the flag `--authorization-mode=RBAC` on the api server. See the following document for how to enable [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/).
-
-To determine if your cluster supports RBAC, run the following command:
-
-```console
-$ kubectl api-versions | grep rbac
-```
-
-If the output contains "beta", you may install the chart with RBAC enabled (see below).
-
-### Enable RBAC role/rolebinding creation
-
-To enable the creation of RBAC resources (On clusters with RBAC). Do the following:
-
-```console
-$ helm install --name stash-operator appscode/stash --set rbac.create=true
-```

chart/stash/templates/apiregistration.yaml

@@ -66,7 +66,6 @@ data:
   tls.key: {{ b64enc $cert.Key }}
 ---
 {{- end }}
-{{ if .Values.rbac.create }}
 # to read the config for terminating authentication
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -99,4 +98,3 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "stash.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{ end }}

chart/stash/templates/cluster-role-binding.yaml

@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -13,4 +12,3 @@ subjects:
 - kind: ServiceAccount
   name: {{ template "stash.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
-{{ end }}

chart/stash/templates/cluster-role.yaml

@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -86,4 +85,3 @@ rules:
   - roles
   - rolebindings
   verbs: ["get", "create", "delete", "patch"]
-{{ end }}

chart/stash/templates/deployment.yaml

@@ -44,7 +44,6 @@ spec:
         args:
         - run
         - --v={{ .Values.logLevel }}
-        - --rbac={{ .Values.rbac.create }}
         - --docker-registry={{ .Values.operator.registry }}
         - --secure-port=8443
         - --audit-log-path=-

chart/stash/templates/user-roles.yaml

@@ -1,4 +1,3 @@
-{{ if .Values.rbac.create }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -45,4 +44,3 @@ rules:
   resources:
   - snapshots
   verbs: ["get", "list"]
-{{ end }}

chart/stash/values.yaml

@@ -53,11 +53,6 @@ tolerations: {}
 ##
 affinity: {}
 
-## Install Default RBAC roles and bindings
-rbac:
-  # Specifies whether RBAC resources should be created
-  create: true
-
 serviceAccount:
   # Specifies whether a ServiceAccount should be created
   create: true

hack/deploy/operator.yaml

@@ -26,7 +26,6 @@ spec:
         args:
         - run
         - --v=3
-        - --rbac=${STASH_ENABLE_RBAC}
         - --docker-registry=${STASH_DOCKER_REGISTRY}
         - --secure-port=8443
         - --audit-log-path=-

hack/deploy/stash.sh

@@ -108,7 +108,6 @@ onessl_found || {
 export STASH_NAMESPACE=kube-system
 export STASH_SERVICE_ACCOUNT=stash-operator
 export STASH_SERVICE_NAME=stash-operator
-export STASH_ENABLE_RBAC=true
 export STASH_RUN_ON_MASTER=0
 export STASH_ENABLE_VALIDATING_WEBHOOK=false
 export STASH_ENABLE_MUTATING_WEBHOOK=false
@@ -160,7 +159,6 @@ show_help() {
   echo "options:"
   echo "-h, --help                             show brief help"
   echo "-n, --namespace=NAMESPACE              specify namespace (default: kube-system)"
-  echo "    --rbac                             create RBAC roles and bindings (default: true)"
   echo "    --docker-registry                  docker registry used to pull stash images (default: appscode)"
   echo "    --image-pull-secret                name of secret used to pull stash operator images"
   echo "    --run-on-master                    run stash operator on master"
@@ -254,14 +252,6 @@ while test $# -gt 0; do
       fi
       shift
       ;;
-    --rbac*)
-      val=$(echo $1 | sed -e 's/^[^=]*=//g')
-      if [ "$val" = "false" ]; then
-        export STASH_SERVICE_ACCOUNT=default
-        export STASH_ENABLE_RBAC=false
-      fi
-      shift
-      ;;
     --run-on-master)
       export STASH_RUN_ON_MASTER=1
       shift
@@ -429,11 +419,9 @@ export TLS_SERVING_KEY=$(cat server.key | $ONESSL base64)
 
 ${SCRIPT_LOCATION}hack/deploy/operator.yaml | $ONESSL envsubst | kubectl apply -f -
 
-if [ "$STASH_ENABLE_RBAC" = true ]; then
-  ${SCRIPT_LOCATION}hack/deploy/service-account.yaml | $ONESSL envsubst | kubectl apply -f -
-  ${SCRIPT_LOCATION}hack/deploy/rbac-list.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-  ${SCRIPT_LOCATION}hack/deploy/user-roles.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
-fi
+${SCRIPT_LOCATION}hack/deploy/service-account.yaml | $ONESSL envsubst | kubectl apply -f -
+${SCRIPT_LOCATION}hack/deploy/rbac-list.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
+${SCRIPT_LOCATION}hack/deploy/user-roles.yaml | $ONESSL envsubst | kubectl auth reconcile -f -
 
 if [ "$STASH_RUN_ON_MASTER" -eq 1 ]; then
   kubectl patch deploy stash-operator -n $STASH_NAMESPACE \

hack/dev/run.sh

@@ -125,7 +125,6 @@ if [ "$STASH_E2E_TEST" = false ]; then # don't run operator while run this scrip
     --authentication-skip-lookup \
     --docker-registry="$STASH_DOCKER_REGISTRY" \
     --image-tag="$STASH_IMAGE_TAG" \
-    --rbac=true \
     --enable-status-subresource=true \
     --v=5
 fi

pkg/backup/backup.go

@@ -53,7 +53,6 @@ type Options struct {
 	RunViaCron       bool
 	DockerRegistry   string // image registry for check job
 	ImageTag         string // image tag for check job
-	EnableRBAC       bool   // rbac for check job
 	NumThreads       int
 }
 
@@ -155,9 +154,8 @@ func (c *Controller) Backup() error {
 		return err
 	}
 	if errors.IsNotFound(err) {
-		if c.opt.EnableRBAC {
-			job.Spec.Template.Spec.ServiceAccountName = job.Name
-		}
+		job.Spec.Template.Spec.ServiceAccountName = job.Name
+
 		if job, err = c.k8sClient.BatchV1().Jobs(restic.Namespace).Create(job); err != nil {
 			err = fmt.Errorf("failed to get check job, reason: %s", err)
 			ref, rerr := reference.GetReference(scheme.Scheme, repository)
@@ -177,14 +175,12 @@ func (c *Controller) Backup() error {
 		}
 
 		// create service-account and role-binding
-		if c.opt.EnableRBAC {
-			ref, err := reference.GetReference(scheme.Scheme, job)
-			if err != nil {
-				return err
-			}
-			if err = c.ensureCheckRBAC(ref); err != nil {
-				return fmt.Errorf("error ensuring rbac for check job %s, reason: %s", job.Name, err)
-			}
+		ref, err := reference.GetReference(scheme.Scheme, job)
+		if err != nil {
+			return err
+		}
+		if err = c.ensureCheckRBAC(ref); err != nil {
+			return fmt.Errorf("error ensuring rbac for check job %s, reason: %s", job.Name, err)
 		}
 
 		log.Infoln("Created check job:", job.Name)

pkg/backup/backupsession.go

@@ -40,7 +40,6 @@ type BackupSessionController struct {
 	StashInformerFactory stashinformers.SharedInformerFactory
 	MaxNumRequeues       int
 	NumThreads           int
-	EnableRBAC           bool // rbac for check job
 	ResyncPeriod         time.Duration
 	//backupConfiguration
 	BackupConfigurationName string

pkg/cmds/backup.go

@@ -130,7 +130,6 @@ func NewCmdBackup() *cobra.Command {
 	cmd.Flags().BoolVar(&opt.RunViaCron, "run-via-cron", opt.RunViaCron, "Run backup periodically via cron.")
 	cmd.Flags().StringVar(&opt.DockerRegistry, "docker-registry", opt.DockerRegistry, "Check job image registry.")
 	cmd.Flags().StringVar(&opt.ImageTag, "image-tag", opt.ImageTag, "Check job image tag.")
-	cmd.Flags().BoolVar(&opt.EnableRBAC, "enable-rbac", opt.EnableRBAC, "Enable RBAC")
 
 	return cmd
 }

pkg/cmds/run_backup.go

@@ -66,7 +66,6 @@ func NewCmdRunBackup() *cobra.Command {
 	cmd.Flags().BoolVar(&con.SetupOpt.EnableCache, "enable-cache", con.SetupOpt.EnableCache, "Specify weather to enable caching for restic")
 	cmd.Flags().IntVar(&con.SetupOpt.MaxConnections, "max-connections", con.SetupOpt.MaxConnections, "Specify maximum concurrent connections for GCS, Azure and B2 backend")
 	cmd.Flags().BoolVar(&con.Metrics.Enabled, "metrics-enabled", con.Metrics.Enabled, "Specify weather to export Prometheus metrics")
-	cmd.Flags().BoolVar(&con.EnableRBAC, "enable-rbac", con.EnableRBAC, "Enable RBAC")
 	cmd.Flags().StringVar(&con.Metrics.PushgatewayURL, "pushgateway-url", con.Metrics.PushgatewayURL, "URL of Prometheus pushgateway used to cache backup metrics")
 
 	return cmd

pkg/cmds/server/options.go

@@ -20,7 +20,6 @@ import (
 )
 
 type ExtraOptions struct {
-	EnableRBAC              bool
 	StashImageTag           string
 	DockerRegistry          string
 	MaxNumRequeues          int
@@ -47,7 +46,6 @@ func NewExtraOptions() *ExtraOptions {
 }
 
 func (s *ExtraOptions) AddGoFlags(fs *flag.FlagSet) {
-	fs.BoolVar(&s.EnableRBAC, "rbac", s.EnableRBAC, "Enable RBAC for operator")
 	fs.StringVar(&s.ScratchDir, "scratch-dir", s.ScratchDir, "Directory used to store temporary files. Use an `emptyDir` in Kubernetes.")
 	fs.StringVar(&s.StashImageTag, "image-tag", s.StashImageTag, "Image tag for sidecar, init-container, check-job and recovery-job")
 	fs.StringVar(&s.DockerRegistry, "docker-registry", s.DockerRegistry, "Docker image registry for sidecar, init-container, check-job, recovery-job and kubectl-job")
@@ -71,7 +69,6 @@ func (s *ExtraOptions) AddFlags(fs *pflag.FlagSet) {
 func (s *ExtraOptions) ApplyTo(cfg *controller.Config) error {
 	var err error
 
-	cfg.EnableRBAC = s.EnableRBAC
 	cfg.StashImageTag = s.StashImageTag
 	cfg.DockerRegistry = s.DockerRegistry
 	cfg.MaxNumRequeues = s.MaxNumRequeues

pkg/controller/backup_configuration.go

@@ -205,34 +205,33 @@ func (c *StashController) EnsureCronJob(backupConfiguration *api_v1beta1.BackupC
 	// if RBAC is enabled then ensure respective ClusterRole,RoleBinding,ServiceAccount etc.
 	serviceAccountName := "default"
 
-	if c.EnableRBAC {
-		if backupConfiguration.Spec.RuntimeSettings.Pod != nil &&
-			backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
-			// ServiceAccount has been specified, so use it.
-			serviceAccountName = backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName
-		} else {
-			// ServiceAccount hasn't been specified. so create new one with same name as BackupConfiguration object.
-			serviceAccountName = meta.Name
+	if backupConfiguration.Spec.RuntimeSettings.Pod != nil &&
+		backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
+		// ServiceAccount has been specified, so use it.
+		serviceAccountName = backupConfiguration.Spec.RuntimeSettings.Pod.ServiceAccountName
+	} else {
+		// ServiceAccount hasn't been specified. so create new one with same name as BackupConfiguration object.
+		serviceAccountName = meta.Name
 
-			_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, meta, func(in *core.ServiceAccount) *core.ServiceAccount {
-				core_util.EnsureOwnerReference(&in.ObjectMeta, ref)
-				if in.Labels == nil {
-					in.Labels = map[string]string{}
-				}
-				in.Labels[util.LabelApp] = util.AppLabelStash
-				return in
-			})
-			if err != nil {
-				return err
+		_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, meta, func(in *core.ServiceAccount) *core.ServiceAccount {
+			core_util.EnsureOwnerReference(&in.ObjectMeta, ref)
+			if in.Labels == nil {
+				in.Labels = map[string]string{}
 			}
-		}
-
-		// now ensure RBAC stuff for this CronJob
-		err := c.ensureCronJobRBAC(ref, serviceAccountName)
+			in.Labels[util.LabelApp] = util.AppLabelStash
+			return in
+		})
 		if err != nil {
 			return err
 		}
 	}
+
+	// now ensure RBAC stuff for this CronJob
+	err = c.ensureCronJobRBAC(ref, serviceAccountName)
+	if err != nil {
+		return err
+	}
+
 	_, _, err = batch_util.CreateOrPatchCronJob(c.kubeClient, meta, func(in *batch_v1beta1.CronJob) *batch_v1beta1.CronJob {
 		//set backup-configuration as cron-job owner
 		core_util.EnsureOwnerReference(&in.ObjectMeta, ref)
@@ -255,9 +254,7 @@ func (c *StashController) EnsureCronJob(backupConfiguration *api_v1beta1.BackupC
 				},
 			})
 		in.Spec.JobTemplate.Spec.Template.Spec.RestartPolicy = core.RestartPolicyNever
-		if c.EnableRBAC {
-			in.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = serviceAccountName
-		}
+		in.Spec.JobTemplate.Spec.Template.Spec.ServiceAccountName = serviceAccountName
 		return in
 	})
 

pkg/controller/backup_session.go

@@ -156,35 +156,33 @@ func (c *StashController) ensureBackupJob(backupSession *api_v1beta1.BackupSessi
 	serviceAccountName := "default"
 
 	// if RBAC is enabled then ensure respective RBAC stuffs
-	if c.EnableRBAC {
-		if backupConfig.Spec.RuntimeSettings.Pod != nil && backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
-			serviceAccountName = backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName
-		} else {
-			// ServiceAccount hasn't been specified. so create new one.
-			serviceAccountName = backupConfig.Name
-			saMeta := metav1.ObjectMeta{
-				Name:      serviceAccountName,
-				Namespace: backupConfig.Namespace,
-			}
-			_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, saMeta, func(in *core.ServiceAccount) *core.ServiceAccount {
-				core_util.EnsureOwnerReference(&in.ObjectMeta, backupConfigRef)
-				if in.Labels == nil {
-					in.Labels = map[string]string{}
-				}
-				in.Labels[util.LabelApp] = util.AppLabelStash
-				return in
-			})
-			if err != nil {
-				return err
-			}
+	if backupConfig.Spec.RuntimeSettings.Pod != nil && backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName != "" {
+		serviceAccountName = backupConfig.Spec.RuntimeSettings.Pod.ServiceAccountName
+	} else {
+		// ServiceAccount hasn't been specified. so create new one.
+		serviceAccountName = backupConfig.Name
+		saMeta := metav1.ObjectMeta{
+			Name:      serviceAccountName,
+			Namespace: backupConfig.Namespace,
 		}
-
-		err := c.ensureBackupJobRBAC(backupConfigRef, serviceAccountName)
+		_, _, err := core_util.CreateOrPatchServiceAccount(c.kubeClient, saMeta, func(in *core.ServiceAccount) *core.ServiceAccount {
+			core_util.EnsureOwnerReference(&in.ObjectMeta, backupConfigRef)
+			if in.Labels == nil {
+				in.Labels = map[string]string{}
+			}
+			in.Labels[util.LabelApp] = util.AppLabelStash
+			return in
+		})
 		if err != nil {
 			return err
 		}
 	}
 
+	err = c.ensureBackupJobRBAC(backupConfigRef, serviceAccountName)
+	if err != nil {
+		return err
+	}
+
 	// get repository for backupConfig
 	repository, err := c.stashClient.StashV1alpha1().Repositories(backupConfig.Namespace).Get(
 		backupConfig.Spec.Repository.Name,

pkg/controller/config.go

@@ -26,7 +26,6 @@ const (
 )
 
 type config struct {
-	EnableRBAC              bool
 	StashImageTag           string
 	DockerRegistry          string
 	MaxNumRequeues          int
@@ -94,10 +93,8 @@ func (c *Config) New() (*StashController, error) {
 		}
 	}
 
-	if ctrl.EnableRBAC {
-		if err := ctrl.ensureSidecarClusterRole(); err != nil {
-			return nil, err
-		}
+	if err := ctrl.ensureSidecarClusterRole(); err != nil {
+		return nil, err
 	}
 
 	ctrl.initNamespaceWatcher()