From ebc71ff8eca7ecf0560493d5cdafc14e34c783c9 Mon Sep 17 00:00:00 2001
From: Mark Burnett
Date: Fri, 16 Feb 2018 09:08:07 -0600
Subject: [PATCH] Fix: Let armada reach all namespaces

These permissions are too generous for the long term, but resolve an immediate issue where armada is unable to query and manage pods in other namespaces.

Change-Id: Ib8137b7c7f1a42203be1a2842907aac6fde09468
---
 charts/armada/templates/deployment-api.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/charts/armada/templates/deployment-api.yaml b/charts/armada/templates/deployment-api.yaml
index e2b18e77..d78adc1f 100644
--- a/charts/armada/templates/deployment-api.yaml
+++ b/charts/armada/templates/deployment-api.yaml
@@ -53,6 +53,19 @@ roleRef:
 name: armada-api-runner
 apiGroup: rbac.authorization.k8s.io
 ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: armada-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: {{ $serviceAccountName }}
+ namespace: {{ .Release.Namespace }}
+---
 apiVersion: apps/v1beta1
 kind: Deployment
 metadata:
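Review bot: The added ClusterRoleBinding points `roleRef` at the built-in `cluster-admin` role, so the service-account token mounted in the armada API pod can read every Secret and change RBAC across the cluster. A flaw in that one pod then becomes a full cluster compromise, although the stated need is only to query and manage pods in other namespaces. I would bind to a dedicated ClusterRole limited to the resources armada touches, as sketched below. The role name and verb list there are my assumption from the commit message and need checking against the calls armada actually makes. The binding name `armada-cluster-admin` is also a fixed string on a cluster-scoped object while its subject is templated per release, so a second release of the chart would collide with it; deriving the name from `.Release.Name` avoids that. If the broad grant has to ship for now, a template comment above the binding saying it is temporary, with a tracking reference, would stop it being read as intended design.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Release.Name }}-armada-pod-manager
rules:
  # Verbs are a starting point only; confirm against armada's API calls.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch", "delete"]
---
# … unchanged: ClusterRoleBinding apiVersion and kind …
metadata:
  name: {{ .Release.Name }}-armada-pod-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Release.Name }}-armada-pod-manager
# … unchanged: subjects …
```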