feat: correct rbac for running in cluster

knechtionscoding · knechtionscoding · commit 54ccd8df8dbe · 2023-04-05T15:42:34.000+02:00
diff --git a/charts/ecr-cleanup/Chart.yaml b/charts/ecr-cleanup/Chart.yaml
@@ -20,10 +20,10 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.9
+version: 0.2.10
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.2.9"
+appVersion: "0.2.10"
diff --git a/charts/ecr-cleanup/README.md b/charts/ecr-cleanup/README.md
@@ -6,7 +6,7 @@ Deploys a job that cleans up an ECR repo based on the following rules.
 3. Has the container been tagged with the word `keep`
 4. Is the container the only tag in the ECR repository
 
-![Version: 0.2.9](https://img.shields.io/badge/Version-0.2.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.9](https://img.shields.io/badge/AppVersion-0.2.9-informational?style=flat-square)
+![Version: 0.2.10](https://img.shields.io/badge/Version-0.2.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.10](https://img.shields.io/badge/AppVersion-0.2.10-informational?style=flat-square)
 
 ## Values
 
diff --git a/charts/ecr-cleanup/templates/rbac.yaml b/charts/ecr-cleanup/templates/rbac.yaml
@@ -1,29 +1,29 @@
 apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
+kind: ClusterRole
 metadata:
-  namespace: {{ .Release.Namespace }}
   name: {{ .Values.serviceAccount.name }}
 rules:
-- apiGroups: ["v1"]
+- apiGroups: [""]
   resources: ["pods"]
   verbs: ["get", "watch", "list"]
-- apiGroups: ["apps/v1"]
-  resources: ["daemonsets ","deployments","statefulsets"]
+- apiGroups: ["apps"]
+  resources: ["daemonsets","deployments","statefulsets"]
   verbs: ["get", "watch", "list"]
-- apiGroups: ["batch/v1"]
+- apiGroups: ["batch"]
   resources: ["jobs","cronjobs"]
   verbs: ["get", "watch", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
+# This cluster role binding allows anyone in the "manager" group to
+# read secrets in any namespace.
+kind: ClusterRoleBinding
 metadata:
   name: {{ .Values.serviceAccount.name }}
-  namespace: {{.Release.Namespace}}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
-  kind: Role
+  kind: ClusterRole
   name: {{ .Values.serviceAccount.name }}
 subjects:
-- namespace: {{.Release.Namespace}}
-  kind: ServiceAccount
+- kind: ServiceAccount
   name: {{ .Values.serviceAccount.name }}
+  namespace: {{.Release.Namespace}}
