PSP RoleBinding roleRef is incorrect

[gabegorelick]

#435 updated aws-node-termination-handler-psp from a ClusterRole to a Role, but the corresponding RoleBinding wasn't updated:

aws-node-termination-handler/config/helm/aws-node-termination-handler/templates/psp.yaml

Lines 35 to 59 in e617cc3

	kind: Role
	apiVersion: rbac.authorization.k8s.io/v1
	metadata:
	name: {{ template "aws-node-termination-handler.fullname" . }}-psp
	namespace: {{ .Release.Namespace }}
	labels:
	{{ include "aws-node-termination-handler.labels" . | indent 4 }}
	rules:
	- apiGroups: ['policy']
	resources: ['podsecuritypolicies']
	verbs: ['use']
	resourceNames:
	- {{ template "aws-node-termination-handler.fullname" . }}
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: {{ template "aws-node-termination-handler.fullname" . }}-psp
	namespace: {{ .Release.Namespace }}
	labels:
	{{ include "aws-node-termination-handler.labels" . | indent 4 }}
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: ClusterRole
	name: {{ template "aws-node-termination-handler.fullname" . }}-psp

That roleRef probably shouldn't refer to a ClusterRole.

[bwagner5]

Whoops! You are right!

[haugenj]

reopening until the release

[jgournet]

Might be too early to complain about this, but when upgrading via helm, I'm getting this error:

Error: cannot patch "aws-node-termination-handler-psp" with kind RoleBinding: RoleBinding.rbac.authorization.k8s.io "aws-node-termination-handler-psp" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"Role", Name:"aws-node-termination-handler-psp"}: cannot change roleRef

Am I doing something wrong ?

ps: I'm upgrading from:
appVersion: 1.13.0
to
appVersion: 1.13.1

[bwagner5]

The upgrade may not work properly because we changed it from a cluster role to a role. I'm guessing helm doesn't know how to deal with that... You may have to do an uninstall and reinstall. Not optimal, but that should work.