Define RBAC for running in cluster.

deploy/kustomization.yaml

@@ -7,4 +7,7 @@ resources:
 - vmop-role-binding.yaml
 - vmop-image-repository-pvc.yaml
 - vmop-config-map.yaml
-- vmop-deployment.yaml
+- vmop-deployment.yaml
+- vmrunner-role.yaml
+- vmrunner-service-account.yaml
+- vmrunner-role-binding.yaml

deploy/vmrunner-role-binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: vm-runner
+  labels:
+    app.kubernetes.io/name: vm-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: vm-runner
+subjects:
+- kind: ServiceAccount
+  name: vm-runner

deploy/vmrunner-role.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: vm-runner
+  labels:
+    app.kubernetes.io/name: vm-operator
+rules:
+- apiGroups:
+  - vmoperator.jdrupes.org
+  resources:
+  - vms
+  verbs:
+  - list
+  - get
+- apiGroups:
+  - vmoperator.jdrupes.org
+  resources:
+  - vms/status
+  verbs:
+  - patch

deploy/vmrunner-service-account.yaml

@@ -0,0 +1,6 @@
+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: vm-runner
+  labels:
+    app.kubernetes.io/name: vm-operator

org.jdrupes.vmoperator.manager/resources/org/jdrupes/vmoperator/manager/runnerSts.ftl.yaml

@@ -140,6 +140,7 @@ spec:
       <#if cr.spec.affinity??>
       affinity: ${ cr.spec.affinity.toString() }
       </#if>
+      serviceAccountName: vm-runner
   volumeClaimTemplates:
   - metadata:
       namespace: ${ cr.metadata.namespace.asString }