chore: use starboard-system namespace to install the operator (aquase…

…curity#779)

Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>

.github/workflows/build.yaml

@@ -147,17 +147,15 @@ jobs:
       - name: Run integration tests
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-                 -f deploy/crd/configauditreports.crd.yaml \
-                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
-                 -f deploy/crd/ciskubebenchreports.crd.yaml
+            -f deploy/crd/configauditreports.crd.yaml \
+            -f deploy/crd/clusterconfigauditreports.crd.yaml \
+            -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make itests-starboard-operator
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
       - name: Upload code coverage
         uses: codecov/codecov-action@v2
@@ -196,17 +194,15 @@ jobs:
       - name: Run integration tests
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-                 -f deploy/crd/configauditreports.crd.yaml \
-                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
-                 -f deploy/crd/ciskubebenchreports.crd.yaml
+            -f deploy/crd/configauditreports.crd.yaml \
+            -f deploy/crd/clusterconfigauditreports.crd.yaml \
+            -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make integration-operator-conftest
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
       - name: Upload code coverage
         uses: codecov/codecov-action@v2

.github/workflows/release.yaml

@@ -95,18 +95,15 @@ jobs:
       - name: Run integration tests
         run: |
           kubectl apply -f deploy/crd/vulnerabilityreports.crd.yaml \
-                 -f deploy/crd/configauditreports.crd.yaml \
-                 -f deploy/crd/clusterconfigauditreports.crd.yaml \
-                 -f deploy/crd/ciskubebenchreports.crd.yaml
+            -f deploy/crd/configauditreports.crd.yaml \
+            -f deploy/crd/clusterconfigauditreports.crd.yaml \
+            -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make itests-starboard-operator
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
-          OPERATOR_SERVICE_ACCOUNT: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
   integration-operator-conftest:
     name: Integration / Operator / Conftest
@@ -144,14 +141,11 @@ jobs:
                  -f deploy/crd/clusterconfigauditreports.crd.yaml \
                  -f deploy/crd/ciskubebenchreports.crd.yaml
           kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-            -f deploy/static/02-starboard-operator.sa.yaml \
-            -f deploy/static/03-starboard-operator.clusterrole.yaml \
-            -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+            -f deploy/static/02-starboard-operator.rbac.yaml
           make integration-operator-conftest
         env:
           KUBECONFIG: /home/runner/.kube/config
-          OPERATOR_NAMESPACE: starboard-operator
-          OPERATOR_SERVICE_ACCOUNT: starboard-operator
+          OPERATOR_NAMESPACE: starboard-system
           OPERATOR_TARGET_NAMESPACES: default
   release:
     name: Release

CONTRIBUTING.md

@@ -178,9 +178,9 @@ code if any of the generated files is not up-to-date. We're running it as a step
 
 ## Test Starboard Operator
 
-You can deploy the operator in the `starboard-operator` namespace and configure it to watch the `default`
-namespace. In OLM terms such install mode is called *SingleNamespace*. The *SingleNamespace* mode is good to get
-started with a basic development workflow. For other install modes see [Operator Multitenancy with OperatorGroups][olm-operator-groups].
+You can deploy the operator in the `starboard-system` namespace and configure it to watch the `default` namespace.
+In OLM terms such install mode is called *SingleNamespace*. The *SingleNamespace* mode is good to get started with a
+basic development workflow. For other install modes see [Operator Multitenancy with OperatorGroups][olm-operator-groups].
 
 ### Prerequisites
 
@@ -196,18 +196,16 @@ started with a basic development workflow. For other install modes see [Operator
 
    ```
    kubectl apply -f deploy/static/01-starboard-operator.ns.yaml \
-     -f deploy/static/02-starboard-operator.sa.yaml \
-     -f deploy/static/03-starboard-operator.clusterrole.yaml \
-     -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+     -f deploy/static/02-starboard-operator.rbac.yaml
    ```
 
-   This will create the `starboard-operator` namespace, and the `starboard-operator` service account. Beyond that,
+   This will create the `starboard-system` namespace, and the `starboard-operator` service account. Beyond that,
    it will create the `starboard-operator` ClusterRole and bind it to the `starboard-operator` service account in the
-   `starboard-operator` namespace via the `starboard-operator` ClusterRoleBinding.
+   `starboard-system` namespace via the `starboard-operator` ClusterRoleBinding.
 3. (Optional) Create configuration objects:
 
    ```
-   kubectl apply -f deploy/static/05-starboard-operator.config.yaml
+   kubectl apply -f deploy/static/03-starboard-operator.config.yaml
    ```
 
 ### In cluster
@@ -222,7 +220,7 @@ started with a basic development workflow. For other install modes see [Operator
    ```
    kind load docker-image aquasec/starboard-operator:dev
    ```
-3. Create the `starboard-operator` Deployment in the `starboard-operator` namespace to run the operator's container:
+3. Create the `starboard-operator` Deployment in the `starboard-system` namespace to run the operator's container:
 
    ```
    kubectl apply -k deploy/static
@@ -233,7 +231,7 @@ started with a basic development workflow. For other install modes see [Operator
 1. Run the main method of the operator program:
 
    ```
-   OPERATOR_NAMESPACE=starboard-operator \
+   OPERATOR_NAMESPACE=starboard-system \
      OPERATOR_TARGET_NAMESPACES=default \
      OPERATOR_LOG_DEV_MODE=true \
      OPERATOR_CIS_KUBERNETES_BENCHMARK_ENABLED=true \
@@ -248,11 +246,9 @@ started with a basic development workflow. For other install modes see [Operator
 
 ```
 kubectl delete -k deploy/static
-kubectl delete -f deploy/static/05-starboard-operator.config.yaml
-kubectl delete -f deploy/static/01-starboard-operator.ns.yaml \
-  -f deploy/static/02-starboard-operator.sa.yaml \
-  -f deploy/static/03-starboard-operator.clusterrole.yaml \
-  -f deploy/static/04-starboard-operator.clusterrolebinding.yaml
+kubectl delete -f deploy/static/03-starboard-operator.config.yaml
+kubectl delete -f deploy/static/02-starboard-operator.rbac.yaml \
+  -f deploy/static/01-starboard-operator.ns.yaml
 kubectl delete -f deploy/crd/vulnerabilityreports.crd.yaml \
   -f deploy/crd/configauditreports.crd.yaml \
   -f deploy/crd/clusterconfigauditreports.crd.yaml \
@@ -280,7 +276,7 @@ chmod +x install.sh
 
 ### Build the Catalog Image
 
-The Starboard Operator metadata is formatted in *packagemanifest* layout so you need to place it in the directory
+The Starboard Operator metadata is formatted in *packagemanifest* layout, so you need to place it in the directory
 structure of the [community-operators] repository.
 
 ```

build/mkdocs-material/Dockerfile

@@ -1,4 +1,4 @@
-FROM squidfunk/mkdocs-material:7.3.1
+FROM squidfunk/mkdocs-material:7.3.4
 
 ## If you want to see exactly the same version as is published to GitHub pages
 ## use a private image for insiders, which requires authentication.

deploy/static/01-starboard-operator.ns.yaml

@@ -2,4 +2,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: starboard-operator
+  name: starboard-system

deploy/static/03-starboard-operator.clusterrole.yaml → deploy/static/02-starboard-operator.rbac.yaml

@@ -1,9 +1,14 @@
 ---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: starboard-operator
+  namespace: starboard-system
+---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: starboard-operator
-  namespace: starboard-operator
 rules:
   - apiGroups:
       - ""
@@ -115,3 +120,16 @@ rules:
       - create
       - get
       - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: starboard-operator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: starboard-operator
+subjects:
+  - kind: ServiceAccount
+    name: starboard-operator
+    namespace: starboard-system

deploy/static/05-starboard-operator.config.yaml → deploy/static/03-starboard-operator.config.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: starboard
-  namespace: starboard-operator
+  namespace: starboard-system
   labels:
     "app.kubernetes.io/managed-by": "starboard"
 data:
@@ -15,15 +15,15 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: starboard
-  namespace: starboard-operator
+  namespace: starboard-system
   labels:
     "app.kubernetes.io/managed-by": "starboard"
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: starboard-trivy-config
-  namespace: starboard-operator
+  namespace: starboard-system
   labels:
     "app.kubernetes.io/managed-by": "starboard"
 data:
@@ -39,7 +39,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: starboard-polaris-config
-  namespace: starboard-operator
+  namespace: starboard-system
   labels:
     "app.kubernetes.io/managed-by": "starboard"
 data:

deploy/static/06-starboard-operator.deployment.yaml → deploy/static/04-starboard-operator.deployment.yaml

@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: starboard-operator
-  namespace: starboard-operator
+  namespace: starboard-system
   labels:
     app: starboard-operator
 spec:
@@ -34,7 +34,7 @@ spec:
                 - ALL
           env:
             - name: OPERATOR_NAMESPACE
-              value: "starboard-operator"
+              value: "starboard-system"
             - name: OPERATOR_TARGET_NAMESPACES
               value: "default"
             - name: OPERATOR_LOG_DEV_MODE

deploy/static/kustomization.yaml

@@ -1,5 +1,5 @@
 resources:
-  - 06-starboard-operator.deployment.yaml
+  - 04-starboard-operator.deployment.yaml
 images:
   - name: docker.io/aquasec/starboard-operator
     newName: docker.io/aquasec/starboard-operator

docs/integrations/vulnerability-scanners/aqua-enterprise.md

@@ -54,7 +54,7 @@ kubectl create secret generic starboard-aqua-config -n <starboard_namespace> \
     AQUA_CONSOLE_PASSWORD=<your password>
 
     helm install starboard-operator ./deploy/helm \
-      -n starboard-operator --create-namespace \
+      --namespace starboard-system --create-namespace \
       --set="targetNamespaces=default" \
       --set="operator.vulnerabilityReportsPlugin=Aqua" \
       --set="aqua.imageRef=docker.io/aquasec/scanner:5.3" \

docs/operator/installation/kubectl.md

@@ -4,8 +4,8 @@ You can install the operator with provided static YAML manifests with fixed valu
 shortcomings. For example, if you want to change the container image or modify default configuration settings, you have
 to edit existing manifests or customize them with tools such as [Kustomize].
 
-As an example, let's install the operator in the `starboard-operator` namespace and configure it to
-watch the `default` namespace:
+As an example, let's install the operator in the `starboard-system` namespace and configure it to watch the `default`
+namespace:
 
 1. Send custom resource definitions to the Kubernetes API:
    ```
@@ -17,51 +17,45 @@ watch the `default` namespace:
 2. Send the following Kubernetes objects definitions to the Kubernetes API:
    ```
    kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/01-starboard-operator.ns.yaml \
-     -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/02-starboard-operator.sa.yaml \
-     -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/03-starboard-operator.clusterrole.yaml \
-     -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/04-starboard-operator.clusterrolebinding.yaml
+     -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/02-starboard-operator.rbac.yaml
    ```
 3. (Optional) Configure Starboard by creating the `starboard` ConfigMap and the `starboard` secret in
-   the `starboard-operator` namespace. For example, you can use Trivy
+   the `starboard-system` namespace. For example, you can use Trivy
    in [ClientServer](./../../integrations/vulnerability-scanners/trivy.md#clientserver) mode or
    [Aqua Enterprise](./../../integrations/vulnerability-scanners/aqua-enterprise.md) as an active vulnerability scanner.
    If you skip this step, the operator will ensure [configuration objects](./../../settings.md)
    on startup with the default settings:
    ```
-   kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/05-starboard-operator.config.yaml
+   kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/03-starboard-operator.config.yaml
    ```
    Review the default values and makes sure the operator is configured properly:
    ```
-   kubectl describe cm starboard starboard-trivy-config starboard-polaris-config -n starboard-operator
+   kubectl describe cm starboard starboard-trivy-config starboard-polaris-config -n starboard-system
    ```
-4. Finally, create the `starboard-operator` Deployment in the `starboard-operator`
-   namespace to start the operator's pod:
+4. Finally, create the `starboard-operator` Deployment in the `starboard-system` namespace to start the operator's pod:
    ```
-   kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/06-starboard-operator.deployment.yaml
+   kubectl apply -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/04-starboard-operator.deployment.yaml
    ```
-5. To confirm that the operator is running, check the number of replicas created by
-   the `starboard-operator` Deployment in the `starboard-operator` namespace:
+5. To confirm that the operator is running, check the number of replicas created by the `starboard-operator` Deployment
+   in the `starboard-system` namespace:
    ```console
-   $ kubectl get deployment -n starboard-operator
+   $ kubectl get deployment -n starboard-system
    NAME                 READY   UP-TO-DATE   AVAILABLE   AGE
    starboard-operator   1/1     1            1           11m
    ```
-   If for some reason it's not ready yet, check the logs of the Deployment for
-   errors:
+   If for some reason it's not ready yet, check the logs of the Deployment for errors:
    ```
-   kubectl logs deployment/starboard-operator -n starboard-operator
+   kubectl logs deployment/starboard-operator -n starboard-system
    ```
 
 ## Uninstall
 
 You can uninstall the operator with the following command:
 
 ```
-kubectl delete -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/06-starboard-operator.deployment.yaml \
-  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/05-starboard-operator.config.yaml \
-  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/04-starboard-operator.clusterrolebinding.yaml \
-  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/03-starboard-operator.clusterrole.yaml \
-  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/02-starboard-operator.sa.yaml \
+kubectl delete -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/04-starboard-operator.deployment.yaml \
+  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/03-starboard-operator.config.yaml \
+  -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/02-starboard-operator.rbac.yaml \
   -f https://raw.githubusercontent.com/aquasecurity/starboard/{{ var.tag }}/deploy/static/01-starboard-operator.ns.yaml
 ```