manager service account

nitzanzuler · nitzanzuler · commit e1ec78afb037 · 2024-10-29T11:47:02.000+02:00
diff --git a/wiz-admission-controller/templates/_helpers.tpl b/wiz-admission-controller/templates/_helpers.tpl
@@ -135,6 +135,11 @@ Create the name of the service account to use
 {{ coalesce (.Values.serviceAccount.name) (include "wiz-admission-controller.fullname" .) }}
 {{- end }}
 
+{{- define "wiz-admission-controller.manager.serviceAccountName" -}}
+{{ coalesce (.Values.wizManager.serviceAccount.name) (include "wiz-admission-controller-manager.name" .) }}
+{{- end }}
+
+
 {{- define "wiz-admission-controller.secretApiTokenName" -}}
 {{ coalesce (.Values.global.wizApiToken.secret.name) (.Values.wizApiToken.secret.name) (printf "%s-%s" .Release.Name "api-token") }}
 {{- end }}
diff --git a/wiz-admission-controller/templates/cronjobmanager.yaml b/wiz-admission-controller/templates/cronjobmanager.yaml
@@ -36,7 +36,7 @@ spec:
           imagePullSecrets:
             {{- toYaml . | nindent 12 }}
           {{- end }}
-          serviceAccountName: {{ include "wiz-admission-controller.serviceAccountName" . }}
+          serviceAccountName: {{ include "wiz-admission-controller.manager.serviceAccountName" . }}
           securityContext:
             {{- if hasKey .Values.global "lowPrivilegePodSecurityPolicy" }}
               {{- toYaml .Values.global.lowPrivilegePodSecurityPolicy | nindent 12 }}
diff --git a/wiz-admission-controller/templates/serviceaccount.yaml b/wiz-admission-controller/templates/serviceaccount.yaml
@@ -74,10 +74,24 @@ roleRef:
 
 {{- if .Values.wizManager.enabled -}}
 ---
+{{- if .Values.wizManager.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "wiz-admission-controller.manager.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels:
+    {{- include "wiz-admission-controller.labels" . | nindent 4 }}
+  {{- with .Values.wizManager.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: {{ printf "%s-pods-and-deployments-manager" (include "wiz-admission-controller.serviceAccountName" .) }}
+  name: {{ printf "%s-pods-and-deployments-manager" (include "wiz-admission-controller.manager.serviceAccountName" .) }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-admission-controller.labels" . | nindent 4 }}
@@ -93,16 +107,16 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: {{ printf "%s-pods-and-deployments" (include "wiz-admission-controller.serviceAccountName" .) }}
+  name: {{ printf "%s-pods-and-deployments" (include "wiz-admission-controller.manager.serviceAccountName" .) }}
   namespace: {{ .Release.Namespace | quote }}
   labels:
     {{- include "wiz-admission-controller.labels" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: {{ include "wiz-admission-controller.serviceAccountName" . }}
+    name: {{ include "wiz-admission-controller.manager.serviceAccountName" . }}
     namespace: {{ .Release.Namespace | quote }}
 roleRef:
   kind: Role
-  name: {{ printf "%s-pods-and-deployments-reader-manager" (include "wiz-admission-controller.serviceAccountName" .) }}
+  name: {{ printf "%s-pods-and-deployments-manager" (include "wiz-admission-controller.manager.serviceAccountName" .) }}
   apiGroup: rbac.authorization.k8s.io
 {{- end }}
diff --git a/wiz-admission-controller/values.yaml b/wiz-admission-controller/values.yaml
@@ -432,6 +432,17 @@ wizManager:
   schedule: "0 * * * *"  # Every 1 hour
   timeoutSeconds: 240 # The timeout for the manager job in seconds.
   cleanupJobSeconds: 600 # The time in seconds after which the job should be deleted.
+
+  # K8s service account to be used by the manager
+  serviceAccount:
+    # If `create` is set to `false`` an existing service account will be used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If empty, a name is generated using the nameOverride
+    name: ""
+
   rolloutRestart:
     wizForceEnabled: true # Wiz initiated remote updates.
     interval: "168h"  # 1 week
