From 873672952e945cfc90e9e1cba0630d6551cab644 Mon Sep 17 00:00:00 2001
From: MengxinLiu
Date: Tue, 9 Jul 2019 11:42:21 +0800
Subject: [PATCH] fix: remove dependency on cluster-admin
---
 yamls/cm.yaml | 22 ----------------------
 yamls/ovn.yaml | 42 +++++++++---------------------------------
 2 files changed, 9 insertions(+), 55 deletions(-)
 delete mode 100644 yamls/cm.yaml
diff --git a/yamls/cm.yaml b/yamls/cm.yaml
deleted file mode 100644
index c185726b36d..00000000000
--- a/yamls/cm.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: ovn-config
- namespace: kube-ovn
-data:
- OVN-NB-SOCKET: ""
- OVN-NB-HOST: "0.0.0.0"
- OVN-NB-PORT: 6641
- KUBECONFIG: ""
- DEFAULT-LS: "ovn-default"
- DEFAULT-CIDR: "10.16.0.0/16"
- DEFAULT-GATEWAY: "10.16.0.1"
- DEFAULT-EXCLUDE-IPS: "10.16.0.0..10.16.0.10"
- CLUSTER-ROUTER: "ovn-cluster"
- NODE-SWITCH: "join"
- NODE-SWITCH-CIDR: "100.64.0.0/16"
- NODE-SWITCH-GATEWAY: "100.64.0.1"
- CLUSTER-TCP-LOADBALANCER: "cluster-tcp-loadbalancer"
- CLUSTER-UDP-LOADBALANCER: "cluster-udp-loadbalancer"
- BIND-SOCKET: "/var/run/cniserver.sock"
- OVS-SOCKET: ""
diff --git a/yamls/ovn.yaml b/yamls/ovn.yaml
index 753bd2a13e9..3a50b1b8403 100644
--- a/yamls/ovn.yaml
+++ b/yamls/ovn.yaml
@@ -23,24 +23,28 @@ kind: ClusterRole
 metadata:
 annotations:
 rbac.authorization.k8s.io/system-only: "true"
- name: system:ovn-reader
+ name: system:ovn
 rules:
 - apiGroups:
 - ""
- - extensions
 resources:
 - pods
 - namespaces
- - networkpolicies
 - nodes
+ - configmaps
 verbs:
 - get
 - list
 - watch
+ - patch
+ - update
 - apiGroups:
+ - ""
 - networking.k8s.io
 resources:
 - networkpolicies
+ - services
+ - endpoints
 verbs:
 - get
 - list
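Review bot: The first rule of `system:ovn` now grants `patch` and `update` on `pods`, `namespaces`, `nodes` and `configmaps` in every namespace, so the bound service account can rewrite any ConfigMap in the cluster, including ones that configure other system components. That is much narrower than cluster-admin, but if the controller only writes ConfigMaps in `kube-ovn` (not visible from this hunk), I would drop `- configmaps` from the ClusterRole and grant it through a namespaced Role and RoleBinding as sketched below, assuming the subject remains the `ovn` ServiceAccount. The second rule also pairs both `""` and `networking.k8s.io` with `networkpolicies`, `services` and `endpoints`, which authorizes group/resource combinations that do not exist; one rule per API group would keep the grant easier to audit. The rule list continues outside the hunk.

```yaml
# Suggested namespaced grant; the Role/RoleBinding name is illustrative.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ovn-configmaps
  namespace: kube-ovn
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
    # trim to the verbs the controller actually uses
    verbs:
      - get
      - list
      - watch
      - patch
      - update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ovn-configmaps
  namespace: kube-ovn
roleRef:
  name: ovn-configmaps
  kind: Role
  apiGroup: rbac.authorization.k8s.io
subjects:
  - kind: ServiceAccount
    name: ovn
    namespace: kube-ovn
```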
@@ -58,37 +62,9 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: ovn-cluster-reader
-roleRef:
- name: cluster-reader
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: ovn
- namespace: kube-ovn
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: ovn-reader
-roleRef:
- name: system:ovn-reader
- kind: ClusterRole
- apiGroup: rbac.authorization.k8s.io
-subjects:
- - kind: ServiceAccount
- name: ovn
- namespace: kube-ovn
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: cluster-admin-0
+ name: ovn
 roleRef:
- name: cluster-admin
+ name: system:ovn
 kind: ClusterRole
 apiGroup: rbac.authorization.k8s.io
 subjects:
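Review bot: Dropping the `cluster-admin-0`, `ovn-cluster-reader` and `ovn-reader` bindings from the manifest does not delete them from clusters where an earlier version was already applied, so after an upgrade the service account would likely still hold cluster-admin unless the old objects are removed or the apply prunes them. The commit carries no upgrade note; I would add a comment above the new binding such as `# upgrading: kubectl delete clusterrolebinding cluster-admin-0 ovn-cluster-reader ovn-reader`, and mention the now-unused `system:ovn-reader` ClusterRole as well. The new `ovn` binding also inherits the `subjects:` list of the former `cluster-admin-0` binding, which lies outside the hunk, so it is worth confirming that it names only the intended ServiceAccount.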