PodSecurityPolicy uses role instead of clusterRole where posible

Signed-off-by: ArthurSens <arthursens2005@gmail.com>
2025-11-08 12:01:02 +01:00 · 2021-03-25 20:59:49 +00:00 · 2021-03-25 20:59:49 +00:00 · c9b52c97f5
commit c9b52c97f5
parent 6497d78f2c
1 changed files with 11 additions and 11 deletions
--- a/jsonnet/kube-prometheus/addons/podsecuritypolicies.libsonnet
+++ b/jsonnet/kube-prometheus/addons/podsecuritypolicies.libsonnet
@ -2,7 +2,7 @@ local restrictedPodSecurityPolicy = {
  apiVersion: 'policy/v1beta1',
  kind: 'PodSecurityPolicy',
  metadata: {
-    name: 'restricted',
+    name: 'kube-prometheus-restricted',
  },
  spec: {
    privileged: false,
@ -54,9 +54,9 @@ local restrictedPodSecurityPolicy = {
  restrictedPodSecurityPolicy: restrictedPodSecurityPolicy,

  alertmanager+: {
-    clusterRole: {
+    role: {
      apiVersion: 'rbac.authorization.k8s.io/v1',
-      kind: 'ClusterRole',
+      kind: 'Role',
      metadata: {
        name: 'alertmanager-' + $.values.alertmanager.name,
      },
@ -68,15 +68,15 @@ local restrictedPodSecurityPolicy = {
      }],
    },

-    clusterRoleBinding: {
+    roleBinding: {
      apiVersion: 'rbac.authorization.k8s.io/v1',
-      kind: 'ClusterRoleBinding',
+      kind: 'RoleBinding',
      metadata: {
        name: 'alertmanager-' + $.values.alertmanager.name,
      },
      roleRef: {
        apiGroup: 'rbac.authorization.k8s.io',
-        kind: 'ClusterRole',
+        kind: 'Role',
        name: 'alertmanager-' + $.values.alertmanager.name,
      },
      subjects: [{
@ -121,9 +121,9 @@ local restrictedPodSecurityPolicy = {
  },

  grafana+: {
-    clusterRole: {
+    role: {
      apiVersion: 'rbac.authorization.k8s.io/v1',
-      kind: 'ClusterRole',
+      kind: 'Role',
      metadata: {
        name: 'grafana',
      },
@ -135,15 +135,15 @@ local restrictedPodSecurityPolicy = {
      }],
    },

-    clusterRoleBinding: {
+    roleBinding: {
      apiVersion: 'rbac.authorization.k8s.io/v1',
-      kind: 'ClusterRoleBinding',
+      kind: 'RoleBinding',
      metadata: {
        name: 'grafana',
      },
      roleRef: {
        apiGroup: 'rbac.authorization.k8s.io',
-        kind: 'ClusterRole',
+        kind: 'Role',
        name: 'grafana',
      },
      subjects: [{