RBAC: Consolidate serviceaccounts and restrict rbac

Currently, services have two serviceaccounts: one specified in the chart that cannot read anything, and one injected via helm-toolkit that can read everything. This patch set refactors the logic to: - cleanup the roles and their binding automatically when the helm chart is deleted; - remove the need to separately mount a serviceaccount with secret; - better handling of namespaces resource restriction. Co-Authored-By: portdirect <pete@port.direct> Change-Id: I47d41e0cad9b5b002f59fc9652bad2cc025538dc
2017-12-07 09:34:05 -06:00 · 2017-12-07 09:34:05 -06:00 · 628fd3007d
commit 628fd3007d
parent 8b6d6c43cb
83 changed files with 311 additions and 632 deletions
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.etcd -}}
 {{- end -}}
+
+{{- $serviceAccountName := "calico-etcd"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 # This manifest installs the Calico etcd on the kubeadm master.  This uses a DaemonSet
 # to force it to run on the master even when the master isn't schedulable, and uses
@ -76,7 +79,6 @@ spec:
            - name: var-etcd
              mountPath: /var/etcd
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: var-etcd
          hostPath:
            path: /var/etcd
--- a/calico/templates/daemonset-calico-node.yaml
+++ b/calico/templates/daemonset-calico-node.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_node -}}
 {{- end -}}
+
+{{- $serviceAccountName := "calico-cni-plugin"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
@ -57,7 +60,7 @@ spec:
        # This, along with the annotation above marks this pod as a critical add-on.
        - key: CriticalAddonsOnly
          operator: Exists
-      serviceAccountName: calico-cni-plugin
+      serviceAccountName: {{ $serviceAccountName }}
      initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
@ -160,7 +163,6 @@ spec:
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        # Used by calico/node.
        - name: lib-modules
          hostPath:
--- a/calico/templates/deployment-calico-policy-controller.yaml
+++ b/calico/templates/deployment-calico-policy-controller.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.calico_policy_controller -}}
 {{- end -}}
+
+{{- $serviceAccountName := "calico-policy-controller"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 # This manifest deploys the Calico policy controller on Kubernetes.
 # See https://github.com/projectcalico/k8s-policy
@ -58,7 +61,7 @@ spec:
      # This, along with the annotation above marks this pod as a critical add-on.
      - key: CriticalAddonsOnly
        operator: Exists
-      serviceAccountName: calico-policy-controller
+      serviceAccountName: {{ $serviceAccountName }}
      initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
@ -80,6 +83,4 @@ spec:
            # kubernetes.default to the correct service clusterIP.
            - name: CONFIGURE_ETC_HOSTS
              value: "true"
-      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
--- a/calico/templates/job-image-repo-sync.yaml
+++ b/calico/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "calico-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "calico" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -53,7 +57,6 @@ spec:
            - name: docker-socket
              mountPath: /var/run/docker.sock
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: calico-bin
          configMap:
            name: calico-bin
--- a/calico/templates/rbac-entrypoint.yaml
+++ b/calico/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/calico/values.yaml
+++ b/calico/values.yaml
@ -114,7 +114,4 @@ manifests:
  daemonset_calico_node: true
  deployment_calico_policy_controller: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  service_calico_etcd: true
-  serviceaccount_calico_cni_plugin: true
-  serviceaccount_calico_policy_controller: true
--- a/elasticsearch/templates/clusterrolebinding-client.yaml
+++ b/elasticsearch/templates/clusterrolebinding-client.yaml
@ -14,11 +14,20 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-{{- if .Values.manifests.serviceaccount_calico_cni_plugin }}
+{{- if .Values.manifests.clusterrolebinding_client }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "elasticsearch-client"}}
 ---
-apiVersion: v1
-kind: ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
 metadata:
-  name: calico-cni-plugin
+  name: run-elasticsearch-client
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: elasticsearch-runner
+  apiGroup: rbac.authorization.k8s.io
 {{- end }}
--- a/elasticsearch/templates/clusterrolebinding-data.yaml
+++ b/elasticsearch/templates/clusterrolebinding-data.yaml
@ -14,16 +14,17 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-{{- if .Values.manifests.clusterrolebinding }}
+{{- if .Values.manifests.clusterrolebinding_data }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "elasticsearch-data"}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
-  name: run-elasticsearch
+  name: run-elasticsearch-data
 subjects:
  - kind: ServiceAccount
-    name: elasticsearch
+    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
 roleRef:
  kind: ClusterRole
--- a/elasticsearch/templates/configmap-etc.yaml
+++ b/elasticsearch/templates/configmap-etc.yaml
@ -26,8 +26,8 @@ data:
 {{- tuple .Values.conf.elasticsearch "etc/_elasticsearch.yml.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
  log4j2.properties: |+
 {{- tuple .Values.conf.elasticsearch "etc/_log4j2.properties.tpl" . | include "helm-toolkit.utils.configmap_templater" }}
-  action_file.yml:
+  action_file.yml: |-
 {{ toYaml .Values.conf.curator.action_file | indent 4 }}
-  config.yml:
+  config.yml: |-
 {{ toYaml .Values.conf.curator.config | indent 4 }}
 {{- end }}
--- a/elasticsearch/templates/cron-job-curator.yaml
+++ b/elasticsearch/templates/cron-job-curator.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- if .Capabilities.APIVersions.Has "batch/v2alpha1" }}
 {{- $envAll := . }}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.curator -}}
+
+{{- $serviceAccountName := "curator"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v2alpha1
 kind: CronJob
@ -32,6 +35,7 @@ spec:
    spec:
      template:
        spec:
+          serviceAccountName: {{ $serviceAccountName }}
          restartPolicy: OnFailure
          initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container"  | indent 12 }}
@ -67,6 +71,5 @@ spec:
              configMap:
                name: elastic-etc
                defaultMode: 0444
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 12 }}
 {{- end }}
 {{- end }}
--- a/elasticsearch/templates/deployment-client.yaml
+++ b/elasticsearch/templates/deployment-client.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_client -}}
 {{- end -}}
+
+{{- $serviceAccountName := "elasticsearch-client"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@ -37,7 +40,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      serviceAccount: elasticsearch
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "elasticsearch" "client" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.client.timeout | default "600" }}
@ -124,7 +127,6 @@ spec:
            - name: storage
              mountPath: {{ .Values.conf.elasticsearch.path.data }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: elastic-logs
          emptyDir: {}
        - name: elastic-bin
--- a/elasticsearch/templates/deployment-master.yaml
+++ b/elasticsearch/templates/deployment-master.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_master -}}
 {{- end -}}
+
+{{- $serviceAccountName := "elasticsearch-master"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@ -37,7 +40,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      serviceAccount: elasticsearch
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "elasticsearch" "master" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.master.timeout | default "600" }}
@ -118,7 +121,6 @@ spec:
            - name: storage
              mountPath: {{ .Values.conf.elasticsearch.path.data }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: elastic-logs
          emptyDir: {}
        - name: elastic-bin
--- a/elasticsearch/templates/job-image-repo-sync.yaml
+++ b/elasticsearch/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "elasticsearch-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "elasticsearch" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/elasticsearch/templates/pod-helm-tests.yaml
+++ b/elasticsearch/templates/pod-helm-tests.yaml
@ -40,7 +40,6 @@ spec:
          subPath: helm-tests.sh
          readOnly: true
  volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }}
    - name: elastic-bin
      configMap:
        name: elastic-bin
--- a/elasticsearch/templates/rbac-entrypoint.yaml
+++ b/elasticsearch/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/elasticsearch/templates/statefulset-data.yaml
+++ b/elasticsearch/templates/statefulset-data.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.elasticsearch_data -}}
 {{- end -}}
+
+{{- $serviceAccountName := "elasticsearch-data"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: StatefulSet
@ -34,7 +37,7 @@ spec:
      labels:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
-      serviceAccount: elasticsearch
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "elasticsearch" "data" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.data.timeout | default "600" }}
@ -115,7 +118,6 @@ spec:
            - name: storage
              mountPath: {{ .Values.conf.elasticsearch.path.data }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: elastic-logs
          emptyDir: {}
        - name: elastic-bin
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@ -133,9 +133,9 @@ conf:
  init:
    max_map_count: 262144
  curator:
-    schedule:  1 0 * * *
-    action_file: |
-      ---
+    #runs weekly
+    schedule:  "0 0 * * 0"
+    action_file:
      # Remember, leave a key empty if there is no value.  None will be a string,
      # not a Python "NoneType"
      #
@ -161,8 +161,7 @@ conf:
            stats_result:
            epoch:
            exclude: False
-    config: |
-      ---
+    config:
      # Remember, leave a key empty if there is no value.  None will be a string,
      # not a Python "NoneType"
      client:
@ -255,7 +254,8 @@ storage:

 manifests:
  clusterrole: true
-  clusterrolebinding: true
+  clusterrolebinding_client: true
+  clusterrolebinding_data: true
  configmap_bin: true
  configmap_etc: true
  cron_curator: true
@ -263,7 +263,6 @@ manifests:
  deployment_master: true
  job_image_repo_sync: true
  helm_tests: true
-  rbac_entrypoint: true
  serviceaccount: true
  service_data: true
  service_discovery: true
--- a/flannel/templates/daemonset-kube-flannel-ds.yaml
+++ b/flannel/templates/daemonset-kube-flannel-ds.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.flannel -}}
 {{- end -}}
+
+{{- $serviceAccountName := "flannel"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@ -45,7 +48,7 @@ spec:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
-      serviceAccountName: flannel
+      serviceAccountName: {{ $serviceAccountName }}
      initContainers:
 {{ tuple $envAll .Values.pod_dependency list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
      containers:
@ -77,7 +80,6 @@ spec:
            - name: flannel-cfg
              mountPath: /etc/kube-flannel/
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: run
          hostPath:
            path: /run
--- a/flannel/templates/job-image-repo-sync.yaml
+++ b/flannel/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "flannel-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "flannel" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -53,7 +57,6 @@ spec:
            - name: docker-socket
              mountPath: /var/run/docker.sock
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: flannel-bin
          configMap:
            name: flannel-bin
--- a/flannel/templates/rbac-entrypoint.yaml
+++ b/flannel/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/flannel/values.yaml
+++ b/flannel/values.yaml
@ -84,5 +84,4 @@ manifests:
  configmap_kube_flannel_cfg: true
  daemonset_kube_flannel_ds: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  serviceaccount_flannel: true
--- a/calico/templates/serviceaccount-calico-policy-controller.yaml
+++ b/calico/templates/serviceaccount-calico-policy-controller.yaml
@ -14,11 +14,19 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-{{- if .Values.manifests.serviceaccount_calico_policy_controller }}
-{{- $envAll := . }}
+{{- if .Values.manifests.clusterrolebinding_fluentbit }}
+{{- $serviceAccountName := "fluentbit"}}
 ---
-apiVersion: v1
-kind: ServiceAccount
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
 metadata:
-  name: calico-policy-controller
+  name: run-fluent-bit-logging
+subjects:
+  - kind: ServiceAccount
+    name: {{ $serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: fluent-logging-runner
+  apiGroup: rbac.authorization.k8s.io
 {{- end }}
--- a/fluent-logging/templates/clusterrolebinding-logging.yaml
+++ b/fluent-logging/templates/clusterrolebinding-logging.yaml
@ -14,14 +14,16 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */}}

-{{- if .Values.manifests.clusterrolebinding }}
+{{- if .Values.manifests.clusterrolebinding_logging }}
+{{- $serviceAccountName := "fluentd"}}
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: run-fluent-logging
 subjects:
  - kind: ServiceAccount
-    name: fluent-logging
+    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
 roleRef:
  kind: ClusterRole
--- a/fluent-logging/templates/daemonset-fluent-bit.yaml
+++ b/fluent-logging/templates/daemonset-fluent-bit.yaml
@ -22,7 +22,11 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentbit -}}
 {{- end -}}
+
 {{- $mounts_fluentbit := .Values.pod.mounts.fluentbit.fluentbit }}
+
+{{- $serviceAccountName := "fluentbit"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@ -37,7 +41,7 @@ spec:
      annotations:
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      serviceAccount: fluent-logging
+      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.fluentbit.node_selector_key }}: {{ .Values.labels.fluentbit.node_selector_value }}
      hostNetwork: true
@ -73,7 +77,6 @@ spec:
              readOnly: true
 {{ if $mounts_fluentbit.volumeMounts }}{{ toYaml $mounts_fluentbit.volumeMounts | indent 8 }}{{ end }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: varlog
          hostPath:
            path: /var/log
--- a/fluent-logging/templates/deployment-fluentd.yaml
+++ b/fluent-logging/templates/deployment-fluentd.yaml
@ -21,7 +21,11 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.fluentd -}}
 {{- end -}}
+
 {{- $mounts_fluentd := .Values.pod.mounts.fluentd.fluentd }}
+
+{{- $serviceAccountName := "fluentd"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@ -38,7 +42,7 @@ spec:
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      serviceAccount: fluent-logging
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "aggregator" "internal" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -69,7 +73,6 @@ spec:
              readOnly: true
 {{- if $mounts_fluentd.volumeMounts }}{{ toYaml $mounts_fluentd.volumeMounts | indent 12 }}{{- end }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: pod-etc-fluentd
          emptyDir: {}
        - name: fluent-logging-etc
--- a/fluent-logging/templates/job-image-repo-sync.yaml
+++ b/fluent-logging/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "fluent-logging-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "fluent-logging-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -53,7 +57,6 @@ spec:
            - name: docker-socket
              mountPath: /var/run/docker.sock
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: fluent-logging-bin
          configMap:
            name: fluent-logging-bin
--- a/fluent-logging/templates/rbac-entrypoint.yaml
+++ b/fluent-logging/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/fluent-logging/templates/serviceaccount.yaml
+++ b/fluent-logging/templates/serviceaccount.yaml
@ -1,22 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: fluent-logging
-{{- end }}
--- a/fluent-logging/values.yaml
+++ b/fluent-logging/values.yaml
@ -217,14 +217,13 @@ pod:
      fluent_tests:

 manifests:
-  service_fluentd: true
+  clusterrole: true
+  clusterrolebinding_fluentbit: true
+  clusterrolebinding_logging: true
+  configmap_bin: true
+  configmap_etc: true
  deployment_fluentd: true
  daemonset_fluentbit: true
  job_image_repo_sync: true
  helm_tests: true
-  configmap_bin: true
-  configmap_etc: true
-  clusterrole: true
-  clusterrolebinding: true
-  rbac_entrypoint: true
-  serviceaccount: true
+  service_fluentd: true
--- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_init_container.tpl
@ -18,8 +18,6 @@ limitations under the License.
 {{- $envAll := index . 0 -}}
 {{- $deps := index . 1 -}}
 {{- $mounts := index . 2 -}}
-{{- $mountServiceAccount := dict "mountPath" "/var/run/secrets/kubernetes.io/serviceaccount" "name" "entrypoint-serviceaccount-secret" "readOnly" true -}}
-{{- $mountsEntrypoint := append $mounts $mountServiceAccount -}}
 - name: init
 {{ tuple $envAll "dep_check" | include "helm-toolkit.snippets.image" | indent 2 }}
  env:
@ -48,5 +46,5 @@ limitations under the License.
  command:
    - kubernetes-entrypoint
  volumeMounts:
-{{ toYaml $mountsEntrypoint | indent 4 }}
+{{ toYaml $mounts | indent 4 }}
 {{- end -}}
--- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_rbac.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_rbac.tpl
@ -1,86 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "helm-toolkit.snippets.kubernetes_entrypoint_rbac" -}}
-{{- $envAll := index . 0 -}}
-{{- $component := $envAll.Release.Name -}}
---
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: cluster-role-binding-entrypoint-{{ $component }}
-  annotations:
-    # Tiller sorts the execution of resources in the following order:
-    # Secret, ServiceAccount, Role, RoleBinding. The problem is that
-    # this Secret will not be created if ServiceAccount doesn't exist.
-    # The solution is to add pre-install hook so that these are created first.
-    helm.sh/hook: pre-install
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-role-entrypoint-{{ $component }}
-subjects:
-  - kind: ServiceAccount
-    name: service-account-entrypoint-{{ $component }}
-    namespace:  {{ $envAll.Release.Namespace }}
---
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: cluster-role-entrypoint-{{ $component }}
-  annotations:
-    # Tiller sorts the execution of resources in the following order:
-    # Secret, ServiceAccount, Role, RoleBinding. The problem is that
-    # this Secret will not be created if ServiceAccount doesn't exist.
-    # The solution is to add pre-install hook so that these are created first.
-    helm.sh/hook: pre-install
-rules:
-  - apiGroups:
-    - ""
-    - extensions
-    - batch
-    - apps
-    resources:
-    - pods
-    - services
-    - jobs
-    - endpoints
-    - daemonsets
-    verbs:
-    - get
-    - list
---
-apiVersion: v1
-kind: Secret
-metadata:
-  name: secret-entrypoint-{{ $component }}
-  namespace:  {{ $envAll.Release.Namespace }}
-  annotations:
-    kubernetes.io/service-account.name: service-account-entrypoint-{{ $component }}
-type: kubernetes.io/service-account-token
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: service-account-entrypoint-{{ $component }}
-  namespace:  {{ $envAll.Release.Namespace }}
-  annotations:
-    # Tiller sorts the execution of resources in the following order:
-    # Secret, ServiceAccount, Role, RoleBinding. The problem is that
-    # this Secret will not be created if ServiceAccount doesn't exist.
-    # The solution is to add pre-install hook so that these are created first.
-    helm.sh/hook: pre-install
-{{- end -}}
--- a/helm-toolkit/templates/snippets/_kubernetes_entrypoint_secret_mount.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_entrypoint_secret_mount.tpl
@ -1,24 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- define "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" -}}
-{{- $envAll := index . 0 -}}
-{{- $component := $envAll.Release.Name -}}
- name: entrypoint-serviceaccount-secret
-  secret:
-    secretName: secret-entrypoint-{{ $component }}
-    defaultMode: 420
-{{- end -}}
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_roles.tpl
@ -0,0 +1,68 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_roles" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 | replace "_" "-" }}
+{{- $saNamespace := index . 3 -}}
+{{- $releaseName := $envAll.Release.Name }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ $releaseName }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ $saName }}
+    namespace: {{ $saNamespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+  name: {{ $releaseName }}-{{ $saNamespace }}-{{ $saName }}
+  namespace: {{ $saNamespace }}
+rules:
+  - apiGroups:
+      - ""
+      - extensions
+      - batch
+      - apps
+    verbs:
+      - get
+      - list
+    resources:
+      {{- range $k, $v := $deps -}}
+      {{ if eq $v "daemonsets" }}
+      - daemonsets
+      {{- end -}}
+      {{ if eq $v "jobs" }}
+      - jobs
+      {{- end -}}
+      {{ if or (eq $v "daemonsets") (eq $v "jobs") }}
+      - pods
+      {{- end -}}
+      {{ if eq $v "services" }}
+      - services
+      - endpoints
+      {{- end -}}
+      {{- end -}}
+{{- end -}}
--- a/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
+++ b/helm-toolkit/templates/snippets/_kubernetes_pod_rbac_serviceaccount.tpl
@ -0,0 +1,50 @@
+{{/*
+Copyright 2017 The Openstack-Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- define "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" -}}
+{{- $envAll := index . 0 -}}
+{{- $deps := index . 1 -}}
+{{- $saName := index . 2 -}}
+{{- $saNamespace := $envAll.Release.Namespace }}
+{{- $randomKey := randAlphaNum 32 }}
+{{- $allNamespace := dict $randomKey "" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ $saName }}
+  namespace: {{ $saNamespace }}
+{{- range $k, $v := $deps -}}
+{{- if eq $k "services" }}
+{{- range $serv := $v }}
+{{- $endpointMap := index $envAll.Values.endpoints $serv.service }}
+{{- $endpointNS := $endpointMap.namespace | default $saNamespace }}
+{{- if not (contains "services" ((index $allNamespace $endpointNS) | default "")) }}
+{{- $_ := set $allNamespace $endpointNS (printf "%s%s" "services," ((index $allNamespace $endpointNS) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- else if eq $k "jobs" }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "jobs," ((index $allNamespace $saNamespace) | default "")) }}
+{{- else if eq $k "daemonset" }}
+{{- $_ := set $allNamespace $saNamespace  (printf "%s%s" "daemonsets," ((index $allNamespace $saNamespace) | default "")) }}
+{{- end -}}
+{{- end -}}
+{{- $_ := unset $allNamespace $randomKey }}
+{{- range $ns, $vv := $allNamespace }}
+{{- $resourceList := (splitList "," (trimSuffix "," $vv)) }}
+{{- tuple $envAll $resourceList $saName $ns | include "helm-toolkit.snippets.kubernetes_pod_rbac_roles" }}
+{{- end -}}
+{{- end -}}
--- a/kube-dns/templates/deployment-kube-dns.yaml
+++ b/kube-dns/templates/deployment-kube-dns.yaml
@ -187,7 +187,6 @@ spec:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 6 }}
      - configMap:
          defaultMode: 420
          name: kube-dns
--- a/kube-dns/templates/job-image-repo-sync.yaml
+++ b/kube-dns/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "kube-dns-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "kube-dns" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/kube-dns/templates/rbac-entrypoint.yaml
+++ b/kube-dns/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/kube-dns/values.yaml
+++ b/kube-dns/values.yaml
@ -84,6 +84,5 @@ manifests:
  configmap_kube_dns: true
  deployment_kube_dns: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  service_kube_dns: true
  serviceaccount_kube_dns: true
--- a/nfs-provisioner/templates/clusterrolebinding.yaml
+++ b/nfs-provisioner/templates/clusterrolebinding.yaml
@ -15,13 +15,14 @@ limitations under the License.
 */}}

 {{- if .Values.manifests.clusterrolebinding }}
+{{- $serviceAccountName := "nfs-provisioner"}}
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
  name: run-nfs-provisioner
 subjects:
  - kind: ServiceAccount
-    name: nfs-provisioner
+    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
 roleRef:
  kind: ClusterRole
--- a/nfs-provisioner/templates/deployment.yaml
+++ b/nfs-provisioner/templates/deployment.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.nfs -}}
 {{- end -}}
+
+{{- $serviceAccountName := "nfs-provisioner"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 kind: Deployment
 apiVersion: apps/v1beta1
@ -35,7 +38,7 @@ spec:
      labels:
 {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
-      serviceAccount: nfs-provisioner
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "nfs" "provisioner" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -83,7 +86,6 @@ spec:
            - name: export-volume
              mountPath: /export
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: export-volume
          {{- if eq .Values.storage.type "persistentVolumeClaim" }}
          persistentVolumeClaim:
--- a/nfs-provisioner/templates/job-image-repo-sync.yaml
+++ b/nfs-provisioner/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "nfs-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "nfs" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/nfs-provisioner/templates/rbac-entrypoint.yaml
+++ b/nfs-provisioner/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/nfs-provisioner/templates/serviceaccount.yaml
+++ b/nfs-provisioner/templates/serviceaccount.yaml
@ -1,22 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: nfs-provisioner
-{{- end }}
--- a/nfs-provisioner/values.yaml
+++ b/nfs-provisioner/values.yaml
@ -127,8 +127,6 @@ manifests:
  clusterrolebinding: true
  deployment: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  service: true
-  serviceaccount: true
  storage_class: true
  volume_claim: true
--- a/prometheus-alertmanager/templates/clusterrolebinding.yaml
+++ b/prometheus-alertmanager/templates/clusterrolebinding.yaml
@ -15,6 +15,8 @@ limitations under the License.
 */}}

 {{- if .Values.manifests.clusterrolebinding }}
+{{- $envAll := . }}
+{{- $serviceAccountName := "alertmanager"}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@ -22,8 +24,8 @@ metadata:
  name: run-alertmanager
 subjects:
  - kind: ServiceAccount
-    name: alertmanager
-    namespace: {{ .Release.Namespace }}
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
 roleRef:
  kind: ClusterRole
  name: cluster-admin
--- a/prometheus-alertmanager/templates/job-image-repo-sync.yaml
+++ b/prometheus-alertmanager/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "alertmanager-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "alertmanager" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/prometheus-alertmanager/templates/rbac-entrypoint.yaml
+++ b/prometheus-alertmanager/templates/rbac-entrypoint.yaml
@ -1,20 +0,0 @@
-
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/prometheus-alertmanager/templates/serviceaccount.yaml
+++ b/prometheus-alertmanager/templates/serviceaccount.yaml
@ -1,22 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: alertmanager
-{{- end }}
--- a/prometheus-alertmanager/templates/statefulset.yaml
+++ b/prometheus-alertmanager/templates/statefulset.yaml
@ -21,8 +21,12 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.alertmanager -}}
 {{- end -}}
+
 {{- $mounts_alertmanager := .Values.pod.mounts.alertmanager.alertmanager }}
 {{- $mounts_alertmanager_init := .Values.pod.mounts.alertmanager.init_container }}
+
+{{- $serviceAccountName := "alertmanager"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: StatefulSet
@ -93,7 +97,6 @@ spec:
              mountPath: /var/lib/alertmanager/data
 {{ if $mounts_alertmanager.volumeMounts }}{{ toYaml $mounts_alertmanager.volumeMounts | indent 12 }}{{ end }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: etc-alertmanager
          emptyDir: {}
        - name: alertmanager-etc
--- a/prometheus-alertmanager/values.yaml
+++ b/prometheus-alertmanager/values.yaml
@ -151,11 +151,9 @@ manifests:
  ingress: true
  job_image_repo_sync: true
  pvc: true
-  rbac_entrypoint: true
  service: true
  service_discovery: true
  service_ingress: true
-  serviceaccount: true
  statefulset: true

 conf:
--- a/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml
+++ b/prometheus-kube-state-metrics/templates/clusterrolebinding.yaml
@ -16,6 +16,7 @@ limitations under the License.

 {{- if .Values.manifests.clusterrolebinding }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "kube-state-metrics"}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@ -23,8 +24,8 @@ metadata:
  name: run-kube-state-metrics
 subjects:
  - kind: ServiceAccount
-    name: kube-state-metrics
-    namespace: {{ .Release.Namespace }}
+    name: {{ $serviceAccountName }}
+    namespace: {{ $envAll.Release.Namespace }}
 roleRef:
  kind: ClusterRole
  name: kube-state-metrics-runner
--- a/prometheus-kube-state-metrics/templates/deployment.yaml
+++ b/prometheus-kube-state-metrics/templates/deployment.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.kube_state_metrics -}}
 {{- end -}}
+
+{{- $serviceAccountName := "kube-state-metrics"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@ -34,7 +37,7 @@ spec:
      labels:
 {{ tuple $envAll "kube-state-metrics" "exporter" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
-      serviceAccount: kube-state-metrics
+      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      terminationGracePeriodSeconds: {{ .Values.pod.lifecycle.termination_grace_period.kube_state_metrics.timeout | default "30" }}
@ -47,6 +50,4 @@ spec:
          ports:
            - name: metrics
              containerPort: {{ .Values.network.kube_state_metrics.port }}
-      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
--- a/prometheus-kube-state-metrics/templates/job-image-repo-sync.yaml
+++ b/prometheus-kube-state-metrics/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "kube-metrics-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "kube-metrics" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/prometheus-kube-state-metrics/templates/rbac-entrypoint.yaml
+++ b/prometheus-kube-state-metrics/templates/rbac-entrypoint.yaml
@ -1,20 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{- $envAll := . }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/prometheus-kube-state-metrics/templates/serviceaccount.yaml
+++ b/prometheus-kube-state-metrics/templates/serviceaccount.yaml
@ -1,24 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount }}
-{{- $envAll := . }}
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kube-state-metrics
-{{- end }}
--- a/prometheus-kube-state-metrics/values.yaml
+++ b/prometheus-kube-state-metrics/values.yaml
@ -142,7 +142,6 @@ manifests:
  clusterrolebinding: true
  deployment: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  service_kube_metrics: true
  service_controller_manager: true
  service_scheduler: true
--- a/prometheus-node-exporter/templates/clusterrolebinding.yaml
+++ b/prometheus-node-exporter/templates/clusterrolebinding.yaml
@ -16,6 +16,7 @@ limitations under the License.

 {{- if .Values.manifests.clusterrolebinding }}
 {{- $envAll := . }}
+{{- $serviceAccountName := "node-exporter"}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@ -23,7 +24,7 @@ metadata:
  name: run-node-exporter
 subjects:
  - kind: ServiceAccount
-    name: node-exporter
+    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
 roleRef:
  kind: ClusterRole
--- a/prometheus-node-exporter/templates/daemonset.yaml
+++ b/prometheus-node-exporter/templates/daemonset.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.node_exporter -}}
 {{- end -}}
+
+{{- $serviceAccountName := "node-exporter"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@ -35,7 +38,7 @@ spec:
 {{ tuple $envAll "node_exporter" "metrics" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      namespace: {{ .Values.endpoints.node_metrics.namespace }}
    spec:
-      serviceAccount: node-exporter
+      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      hostNetwork: true
@ -58,7 +61,6 @@ spec:
              mountPath: /host/sys
              readOnly:  true
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: proc
          hostPath:
            path: /proc
--- a/prometheus-node-exporter/templates/job-image-repo-sync.yaml
+++ b/prometheus-node-exporter/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "node-exporter-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "node-exporter" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/prometheus-node-exporter/templates/rbac-entrypoint.yaml
+++ b/prometheus-node-exporter/templates/rbac-entrypoint.yaml
@ -1,20 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{- $envAll := . }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/prometheus-node-exporter/templates/serviceaccount.yaml
+++ b/prometheus-node-exporter/templates/serviceaccount.yaml
@ -1,24 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount }}
-{{- $envAll := . }}
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: node-exporter
-{{- end }}
--- a/prometheus-node-exporter/values.yaml
+++ b/prometheus-node-exporter/values.yaml
@ -131,6 +131,4 @@ manifests:
  clusterrolebinding: true
  daemonset: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  service: true
-  serviceaccount: true
--- a/prometheus/templates/clusterrolebinding.yaml
+++ b/prometheus/templates/clusterrolebinding.yaml
@ -16,6 +16,7 @@ limitations under the License.
 */}}

 {{- if .Values.manifests.clusterrolebinding }}
+{{- $serviceAccountName := "prometheus"}}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
@ -23,7 +24,7 @@ metadata:
  name: run-prometheus
 subjects:
  - kind: ServiceAccount
-    name: prometheus
+    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}
 roleRef:
  kind: ClusterRole
--- a/prometheus/templates/job-image-repo-sync.yaml
+++ b/prometheus/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "prometheus-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "prometheus" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/prometheus/templates/pod-helm-tests.yaml
+++ b/prometheus/templates/pod-helm-tests.yaml
@ -40,7 +40,6 @@ spec:
          subPath: helm-tests.sh
          readOnly: true
  volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 4 }}
    - name: prometheus-bin
      configMap:
        name: prometheus-bin
--- a/prometheus/templates/rbac-entrypoint.yaml
+++ b/prometheus/templates/rbac-entrypoint.yaml
@ -1,20 +0,0 @@
-
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/prometheus/templates/serviceaccount.yaml
+++ b/prometheus/templates/serviceaccount.yaml
@ -1,22 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount }}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: prometheus
-{{- end }}
--- a/prometheus/templates/statefulset.yaml
+++ b/prometheus/templates/statefulset.yaml
@ -21,8 +21,12 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.prometheus -}}
 {{- end -}}
+
 {{- $mounts_prometheus := .Values.pod.mounts.prometheus.prometheus }}
 {{- $mounts_prometheus_init := .Values.pod.mounts.prometheus.init_container }}
+
+{{- $serviceAccountName := "prometheus"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: StatefulSet
@ -40,7 +44,7 @@ spec:
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-rules-hash: {{ tuple "configmap-rules.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
-      serviceAccount: prometheus
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "prometheus" "api" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -131,7 +135,6 @@ spec:
              mountPath: /var/lib/prometheus/data
 {{ if $mounts_prometheus.volumeMounts }}{{ toYaml $mounts_prometheus.volumeMounts | indent 12 }}{{ end }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: etcprometheus
          emptyDir: {}
        - name: rulesprometheus
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
@ -176,10 +176,8 @@ manifests:
  helm_tests: true
  job_image_repo_sync: true
  pvc: true
-  rbac_entrypoint: true
  service_ingress_prometheus: true
  service: true
-  serviceaccount: true
  statefulset_prometheus: true

 conf:
--- a/redis/templates/deployment.yaml
+++ b/redis/templates/deployment.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.redis -}}
 {{- end -}}
+
+{{- $serviceAccountName := "redis"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
@ -34,6 +37,7 @@ spec:
      labels:
 {{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "redis" "server" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -53,6 +57,4 @@ spec:
          readinessProbe:
            tcpSocket:
              port: {{ .Values.network.port }}
-      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
--- a/redis/templates/job-image-repo-sync.yaml
+++ b/redis/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "redis-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "redis" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/redis/templates/rbac-entrypoint.yaml
+++ b/redis/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/redis/values.yaml
+++ b/redis/values.yaml
@ -106,5 +106,4 @@ manifests:
  configmap_bin: true
  deployment: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  service: true
--- a/registry/templates/daemonset-registry-proxy.yaml
+++ b/registry/templates/daemonset-registry-proxy.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.registry_proxy -}}
 {{- end -}}
+
+{{- $serviceAccountName := "docker-registry-proxy"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: DaemonSet
@ -35,6 +38,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
      dnsPolicy: ClusterFirstWithHostNet
@ -57,7 +61,6 @@ spec:
            subPath: default.conf
            readOnly: true
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: registry-bin
          configMap:
            name: registry-bin
--- a/registry/templates/deployment-registry.yaml
+++ b/registry/templates/deployment-registry.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.registry -}}
 {{- end -}}
+
+{{- $serviceAccountName := "docker-registry"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: apps/v1beta1
 kind: Deployment
@ -37,6 +40,7 @@ spec:
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      affinity:
 {{ tuple $envAll "docker" "registry" | include "helm-toolkit.snippets.kubernetes_pod_anti_affinity" | indent 8 }}
      nodeSelector:
@ -64,7 +68,6 @@ spec:
          - name: docker-images
            mountPath: {{ .Values.conf.registry.storage.filesystem.rootdirectory }}
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: registry-bin
          configMap:
            name: registry-bin
--- a/registry/templates/job-bootstrap.yaml
+++ b/registry/templates/job-bootstrap.yaml
@ -22,6 +22,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.bootstrap -}}
 {{- end -}}
+
+{{- $serviceAccountName := "docker-bootstrap"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -33,6 +36,7 @@ spec:
      labels:
 {{ tuple $envAll "docker" "bootstrap" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -57,7 +61,6 @@ spec:
            - name: docker-socket
              mountPath: /var/run/docker.sock
      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
        - name: registry-bin
          configMap:
            name: registry-bin
--- a/registry/templates/rbac-entrypoint.yaml
+++ b/registry/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/registry/values.yaml
+++ b/registry/values.yaml
@ -179,5 +179,4 @@ manifests:
  job_bootstrap: true
  job_image_repo_sync: true
  pvc_images: true
-  rbac_entrypoint: true
  service_registry: true
--- a/tiller/templates/deployment-tiller.yaml
+++ b/tiller/templates/deployment-tiller.yaml
@ -21,6 +21,9 @@ limitations under the License.
 {{- else -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.tiller -}}
 {{- end -}}
+
+{{- $serviceAccountName := "tiller"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@ -87,9 +90,7 @@ spec:
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
-      serviceAccount: tiller
-      serviceAccountName: tiller
+      serviceAccount: {{ $serviceAccountName }}
+      serviceAccountName: {{ $serviceAccountName }}
      terminationGracePeriodSeconds: 30
-      volumes:
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
--- a/tiller/templates/job-image-repo-sync.yaml
+++ b/tiller/templates/job-image-repo-sync.yaml
@ -18,6 +18,9 @@ limitations under the License.
 {{- $envAll := . }}
 {{- if .Values.images.local_registry.active -}}
 {{- $_ := set .Values "pod_dependency" .Values.dependencies.image_repo_sync -}}
+
+{{- $serviceAccountName := "kube-dns-image-repo-sync"}}
+{{ tuple $envAll $envAll.Values.pod_dependency $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
 ---
 apiVersion: batch/v1
 kind: Job
@ -29,6 +32,7 @@ spec:
      labels:
 {{ tuple $envAll "tiller" "image-repo-sync" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
    spec:
+      serviceAccountName: {{ $serviceAccountName }}
      restartPolicy: OnFailure
      nodeSelector:
        {{ .Values.labels.node_selector_key }}: {{ .Values.labels.node_selector_value }}
@ -60,6 +64,5 @@ spec:
        - name: docker-socket
          hostPath:
            path: /var/run/docker.sock
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_secret_mount" | indent 8 }}
 {{- end }}
 {{- end }}
--- a/tiller/templates/rbac-entrypoint.yaml
+++ b/tiller/templates/rbac-entrypoint.yaml
@ -1,19 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.rbac_entrypoint }}
-{{ tuple . | include "helm-toolkit.snippets.kubernetes_entrypoint_rbac"}}
-{{- end }}
--- a/tiller/templates/serviceaccount-tiller.yaml
+++ b/tiller/templates/serviceaccount-tiller.yaml
@ -1,24 +0,0 @@
-{{/*
-Copyright 2017 The Openstack-Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-   http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/}}
-
-{{- if .Values.manifests.serviceaccount_tiller }}
-{{- $envAll := . }}
---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tiller
-{{- end }}
--- a/tiller/values.yaml
+++ b/tiller/values.yaml
@ -83,6 +83,4 @@ manifests:
  configmap_bin: true
  deployment_tiller: true
  job_image_repo_sync: true
-  rbac_entrypoint: true
  service_tiller_deploy: true
-  serviceaccount_tiller: true