install a default service account

operator/config/default/kustomization.yaml

@@ -3,3 +3,5 @@ resources:
   - ../crd
   - ../rbac
   - ../manager
+  - ./service_account.yaml
+  - ./rbac.yaml

operator/config/default/rbac.yaml

@@ -0,0 +1,14 @@
+# Grant `system:auth-delegator` to the `default/pulumi` service account,
+# to enable Kubernetes RBAC for the Pulumi workspace.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: default:pulumi:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator # permissions: TokenReview, SubjectAccessReview
+subjects:
+- kind: ServiceAccount
+  namespace: default
+  name: pulumi

operator/config/default/service_account.yaml

@@ -0,0 +1,8 @@
+# A service account named `default/pulumi` for the Pulumi workspace (execution environment).
+# If your Pulumi program uses the Kubernetes resource provider, this service account will be used to 
+# authenticate with the Kubernetes cluster.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: default
+  name: pulumi

operator/config/flux/network_policy.yaml

@@ -0,0 +1,26 @@
+# A network policy to allow Pulumi workspaces in the `default` namespace to
+# fetch Flux artifacts from the source-controller in the `flux-system` namespace.
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-pulumi-fetch-flux-artifacts
+  namespace: flux-system
+spec:
+  podSelector:
+    matchLabels:
+      app: source-controller
+  ingress:
+    - ports:
+        - protocol: TCP
+          port: http
+      from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: default
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/managed-by: pulumi-kubernetes-operator
+              app.kubernetes.io/name: pulumi
+              app.kubernetes.io/component: workspace
+  policyTypes:
+    - Ingress

operator/e2e/testdata/git-auth-nonroot/manifests.yaml

@@ -5,6 +5,25 @@ metadata:
   name: git-auth-nonroot
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: git-auth-nonroot
+  namespace: git-auth-nonroot
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: git-auth-nonroot:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: git-auth-nonroot
+  namespace: git-auth-nonroot
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: state
@@ -24,26 +43,6 @@ metadata:
 stringData:
   accessToken: $PULUMI_BOT_TOKEN
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: git-auth-nonroot
-  namespace: git-auth-nonroot
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: git-auth-nonroot:system:auth-delegator
-  namespace: git-auth-nonroot
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: git-auth-nonroot
-  namespace: git-auth-nonroot
----
 apiVersion: pulumi.com/v1
 kind: Stack
 metadata:

operator/e2e/testdata/random-yaml-nonroot/manifests.yaml

@@ -1,3 +1,4 @@
+---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
@@ -17,6 +18,8 @@ spec:
               kubernetes.io/metadata.name: random-yaml-nonroot
         - podSelector:
             matchLabels:
+              app.kubernetes.io/managed-by: pulumi-kubernetes-operator
+              app.kubernetes.io/name: pulumi
               app.kubernetes.io/component: workspace
   policyTypes:
     - Ingress
@@ -27,6 +30,25 @@ metadata:
   name: random-yaml-nonroot
 ---
 apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: random-yaml-nonroot
+  namespace: random-yaml-nonroot
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: random-yaml-nonroot:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: random-yaml-nonroot
+  namespace: random-yaml-nonroot
+---
+apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: state
@@ -50,26 +72,6 @@ spec:
   timeout: 60s
   url: https://github.com/pulumi/examples
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: random-yaml-nonroot
-  namespace: random-yaml-nonroot
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: random-yaml-nonroot:system:auth-delegator
-  namespace: random-yaml-nonroot
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:auth-delegator
-subjects:
-- kind: ServiceAccount
-  name: random-yaml-nonroot
-  namespace: random-yaml-nonroot
----
 apiVersion: pulumi.com/v1
 kind: Stack
 metadata:

operator/examples/random-yaml/stack.yaml

@@ -1,7 +1,27 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: random-yaml
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: random-yaml:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: random-yaml
+  namespace: default
+---
 apiVersion: pulumi.com/v1
 kind: Stack
 metadata:
   name: random-yaml
+  namespace: default
 spec:
   fluxSource:
     sourceRef:
@@ -24,5 +44,6 @@ spec:
         key: accessToken
   workspaceTemplate:
     spec:
+      serviceAccountName: random-yaml
       image: pulumi/pulumi:3.134.1-nonroot