apiVersion: v1 kind: Namespace metadata: annotations: openshift.io/sa.scc.supplemental-groups: 1000700001/10000 #required for OpenShift openshift.io/sa.scc.uid-range: 1000700001/10000 #required for OpenShift labels: arcdata.microsoft.com/namespace: arc kubernetes.io/metadata.name: arc name: {{NAMESPACE}} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {{NAMESPACE}}:crb-deployer subjects: - kind: ServiceAccount name: sa-arcdata-deployer namespace: {{NAMESPACE}} roleRef: kind: ClusterRole name: {{NAMESPACE}}:cr-deployer apiGroup: rbac.authorization.k8s.io --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: arcdata-deployer-role rules: - apiGroups: - "" resources: - pods/log verbs: - get - apiGroups: - "" resources: - secrets verbs: - get - delete - apiGroups: - "" resourceNames: - sa-arc-webhook-job - sa-arc-bootstrapper resources: - serviceaccounts verbs: - delete - apiGroups: - apps resources: - deployments verbs: - delete - apiGroups: - rbac.authorization.k8s.io resources: - roles - rolebindings verbs: - delete - apiGroups: - batch resources: - jobs verbs: - create - get - list - delete - apiGroups: - arcdata.microsoft.com resources: - datacontrollers verbs: - delete --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: bootstrapper-grantor-role rules: - apiGroups: - "" resources: - pods verbs: - delete - get - list - patch - update - watch - apiGroups: - "" resources: - configmaps - persistentvolumeclaims - secrets verbs: - delete - apiGroups: - "" resources: - configmaps - events - persistentvolumeclaims - secrets - serviceaccounts - services verbs: - create - get - list - patch - update - watch - apiGroups: - apps resources: - daemonsets - deployments - replicasets - statefulsets verbs: - create - get - list - patch - update - watch - apiGroups: - rbac.authorization.k8s.io resources: - roles - rolebindings verbs: - create - get - list - patch - update - apiGroups: - sql.arcdata.microsoft.com - tasks.postgresql.arcdata.microsoft.com - tasks.sql.arcdata.microsoft.com - tasks.arcdata.microsoft.com - arcdata.microsoft.com resources: - "*" verbs: - create - get - list - watch - patch - update - apiGroups: - clusterconfig.azure.com resources: - azureclusteridentityrequests verbs: - create - delete - get - apiGroups: - clusterconfig.azure.com resources: - azureclusteridentityrequests/status verbs: - patch - update --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {{NAMESPACE}}:cr-deployer rules: - apiGroups: - apiextensions.k8s.io resources: - customresourcedefinitions verbs: - create - list - get - watch - apiGroups: - apiextensions.k8s.io resourceNames: - activedirectoryconnectors.arcdata.microsoft.com - sqlmanagedinstancemonitoringprofiles.arcdata.microsoft.com - datacontrollers.arcdata.microsoft.com - exporttasks.tasks.arcdata.microsoft.com - failovergroups.sql.arcdata.microsoft.com - kafkas.arcdata.microsoft.com - monitors.arcdata.microsoft.com - telemetrycollectors.arcdata.microsoft.com - postgresqls.arcdata.microsoft.com - postgresqlrestoretasks.tasks.postgresql.arcdata.microsoft.com - sqlmanagedinstancerestoretasks.tasks.sql.arcdata.microsoft.com - sqlmanagedinstances.sql.arcdata.microsoft.com - telemetryrouters.arcdata.microsoft.com resources: - customresourcedefinitions verbs: - update - patch - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations verbs: - create - apiGroups: - admissionregistration.k8s.io resources: - mutatingwebhookconfigurations verbs: - delete - get - patch - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles verbs: - create - patch - get - apiGroups: - rbac.authorization.k8s.io resources: - clusterroles verbs: - delete - apiGroups: - rbac.authorization.k8s.io resources: - clusterrolebindings verbs: - create - patch - get - apiGroups: - rbac.authorization.k8s.io resources: - clusterrolebindings verbs: - delete - apiGroups: - "" resources: - namespaces verbs: - create - list - apiGroups: - "" resources: - namespaces verbs: - get - patch - apiGroups: - "" resources: - nodes/stats - nodes/proxy - pods verbs: - list - get --- apiVersion: v1 kind: ServiceAccount metadata: name: sa-arcdata-deployer --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: bootstrapper-grantor-role-binding subjects: - kind: ServiceAccount name: sa-arcdata-deployer roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: bootstrapper-grantor-role --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: arcdata-deployer-role-binding subjects: - kind: ServiceAccount name: sa-arcdata-deployer roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: arcdata-deployer-role --- apiVersion: batch/v1 kind: Job metadata: name: arc-bootstrapper-job spec: template: spec: nodeSelector: kubernetes.io/os: linux containers: - name: bootstrapper image: mcr.microsoft.com/arcdata/arc-bootstrapper:v1.29.0_2024-04-09 imagePullPolicy: Always args: - -image - mcr.microsoft.com/arcdata/arc-bootstrapper:v1.29.0_2024-04-09 - -policy - Always - -chart - /opt/helm/arcdataservices - -bootstrap command: - /opt/bootstrapper/bin/bootstrapper resources: limits: cpu: 200m memory: 200Mi requests: cpu: 100m memory: 100Mi imagePullSecrets: - name: arc-private-registry restartPolicy: Never serviceAccountName: sa-arcdata-deployer ttlSecondsAfterFinished: 86400 #24 hours backoffLimit: 0