2

Using kustomize, I'd like to set namespace field for all my objects.

Here is my kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patchesJson6902:
- patch: |-
    - op: replace
      path: /kind
      value: RoleBinding
  target:
    group: rbac.authorization.k8s.io
    kind: ClusterRoleBinding
    name: manager-rolebinding
    version: v1
resources:
- role_binding.yaml 
namespace: <NAMESPACE>

Here is my resource file: role_binding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 1
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - command:
        - /manager
        args:
        - --enable-leader-election
        image: controller:latest
        name: manager

And kustomize output:

$ kustomize build      
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: <NAMESPACE>
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - args:
        - --enable-leader-election
        command:
        - /manager
        image: controller:latest
        name: manager

How can I patch the namespace field in the RoleBinding and set it to <NAMESPACE>? In above example, it works perfectly for the Deployment resource but not for the RoleBinding.

Fabrice Jammes
  • 2,275
  • 1
  • 26
  • 39

2 Answers2

3

Here is a solution which solves the issue, using kustomize-v4.0.5:

cat <<EOF > kustomization.yaml 
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
patchesJson6902:
- patch: |-
    - op: replace
      path: /kind
      value: RoleBinding
    - op: add
      path: /metadata/namespace
      value: 
        <NAMESPACE>
  target:
    group: rbac.authorization.k8s.io
    kind: ClusterRoleBinding
    name: manager-rolebinding
    version: v1
resources:
- role_binding.yaml 
- service_account.yaml
namespace: <NAMESPACE>
EOF

cat <<EOF > role_binding.yaml 
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: controller-manager
  namespace: system 
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  selector:
    matchLabels:
      control-plane: controller-manager
  replicas: 1
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      containers:
      - command:
        - /manager
        args:
        - --enable-leader-election
        image: controller:latest
        name: manager
EOF

cat <<EOF > service_account.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller-manager
  namespace: system
EOF

Adding the ServiceAccount resource, and the Namespace field in the RoleBinding resource allows to correctly set the subject field in the RoleBinding.

Fabrice Jammes
  • 2,275
  • 1
  • 26
  • 39
1

Looking directly from the code:

// roleBindingHack is a hack for implementing the namespace transform
// for RoleBinding and ClusterRoleBinding resource types.
// RoleBinding and ClusterRoleBinding have namespace set on
// elements of the "subjects" field if and only if the subject elements
// "name" is "default".  Otherwise the namespace is not set.
//
// Example:
//
// kind: RoleBinding
// subjects:
// - name: "default" # this will have the namespace set
//   ...
// - name: "something-else" # this will not have the namespace set
//   ...

The ServiceAccount and the reference on the ClusterRoleBinding needs to have "default" as namespace or otherwise it won't be replaced.

Check the example below:

$ cat <<EOF > my-resources.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-clusterrole
subjects:
- kind: ServiceAccount
  name: my-service-account
  namespace: default
EOF

$ cat <<EOF > kustomization.yaml
namespace: foo-namespace

namePrefix: foo-prefix-

resources:
- my-resources.yaml
EOF

$ kustomize build
apiVersion: v1
kind: ServiceAccount
metadata:
  name: foo-prefix-my-service-account
  namespace: foo-namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: foo-prefix-my-cluster-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-clusterrole
subjects:
- kind: ServiceAccount
  name: foo-prefix-my-service-account
  namespace: foo-namespace
Wytrzymały Wiktor
  • 11,492
  • 5
  • 29
  • 37
  • Thanks but I would prefer not changing the resource file as it comes from upstream and is used by third parties. Is there a way to manage it using only the `kustomization.yaml` file? – Fabrice Jammes Apr 01 '21 at 07:15
  • In addtion, this solution does not work if `ClusterRoleBinding` is changed to `RoleBinding`, as asked in original question. – Fabrice Jammes Apr 01 '21 at 08:32
  • This limitation refers to both `RoleBinding` and `ClusterRoleBinding` and makes it impossible to change their `namespace` if the subject elements `name` is not `default` in the first place. I am afraid that you can't achieve what you described solely with `kustomize`. – Wytrzymały Wiktor Apr 01 '21 at 13:58