Remove needless RBAC on the identity controller (#9368)

The identity controller requires access to read all deployments. This isn't necessary. When these permissions were added in #3600, we incorrectly assumed that we must pass a whole Deployment resource as a _parent_ when recording events. The [EventRecorder docs] say: > 'object' is the object this event is about. Event will make a > reference--or you may also pass a reference to the object directly. We can confirm this by reviewing the source for [GetReference]: we can simply construct an ObjectReference without fetching it from the API. This change lets us drop unnecessary privileges in the identity controller. [EventRecorder docs]: https://pkg.go.dev/k8s.io/client-go/tools/record#EventRecorder [GetReference]: ab826d2728/tools/reference/ref.go (L38-L45) Signed-off-by: Oliver Gould <ver@buoyant.io>
2022-09-13 12:36:14 -07:00 · 2022-09-13 12:36:14 -07:00 · b9ecbcb521
parent ed7c4d099c
commit b9ecbcb521
19 changed files with 59 additions and 92 deletions
--- a/charts/linkerd-control-plane/templates/identity-rbac.yaml
+++ b/charts/linkerd-control-plane/templates/identity-rbac.yaml
@ -13,9 +13,8 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# TODO(ver) Restrict this to the Linkerd namespace. See
+# https://github.com/linkerd/linkerd2/issues/9367
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
--- a/cli/cmd/testdata/install_controlplane_tracing_output.golden
+++ b/cli/cmd/testdata/install_controlplane_tracing_output.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -799,7 +797,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1106,7 +1104,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1479,7 +1477,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_custom_domain.golden
+++ b/cli/cmd/testdata/install_custom_domain.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1105,7 +1103,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1477,7 +1475,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_custom_registry.golden
+++ b/cli/cmd/testdata/install_custom_registry.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1105,7 +1103,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1477,7 +1475,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_default.golden
+++ b/cli/cmd/testdata/install_default.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1105,7 +1103,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1477,7 +1475,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_default_override_dst_get_nets.golden
+++ b/cli/cmd/testdata/install_default_override_dst_get_nets.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1105,7 +1103,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1477,7 +1475,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.0.0.0/8"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_default_token.golden
+++ b/cli/cmd/testdata/install_default_token.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1096,7 +1094,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1459,7 +1457,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_ha_output.golden
+++ b/cli/cmd/testdata/install_ha_output.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
--- a/cli/cmd/testdata/install_ha_with_overrides_output.golden
+++ b/cli/cmd/testdata/install_ha_with_overrides_output.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
--- a/cli/cmd/testdata/install_heartbeat_disabled_output.golden
+++ b/cli/cmd/testdata/install_heartbeat_disabled_output.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -729,7 +727,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1036,7 +1034,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1358,7 +1356,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_helm_control_plane_output.golden
+++ b/cli/cmd/testdata/install_helm_control_plane_output.golden
@ -17,9 +17,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
--- a/cli/cmd/testdata/install_helm_control_plane_output_ha.golden
+++ b/cli/cmd/testdata/install_helm_control_plane_output_ha.golden
@ -17,9 +17,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
--- a/cli/cmd/testdata/install_helm_output_ha_labels.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_labels.golden
@ -17,9 +17,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
--- a/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
+++ b/cli/cmd/testdata/install_helm_output_ha_namespace_selector.golden
@ -17,9 +17,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
--- a/cli/cmd/testdata/install_no_init_container.golden
+++ b/cli/cmd/testdata/install_no_init_container.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1067,7 +1065,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1401,7 +1399,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_output.golden
+++ b/cli/cmd/testdata/install_output.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -788,7 +786,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "ClusterNetworks"
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
@ -1094,7 +1092,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "ClusterNetworks"
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
@ -1472,7 +1470,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "ClusterNetworks"
        - name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR
--- a/cli/cmd/testdata/install_proxy_ignores.golden
+++ b/cli/cmd/testdata/install_proxy_ignores.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1105,7 +1103,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1477,7 +1475,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/cli/cmd/testdata/install_values_file.golden
+++ b/cli/cmd/testdata/install_values_file.golden
@ -27,9 +27,7 @@ rules:
 - apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["apps"]
-  resources: ["deployments"]
-  verbs: ["get"]
+# XXX Can we use a RoleBinding to create events?
 - apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
@ -798,7 +796,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1105,7 +1103,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
@ -1477,7 +1475,7 @@ spec:
        - name: LINKERD2_PROXY_POLICY_WORKLOAD
          value: "$(_pod_ns):$(_pod_name)"
        - name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY
-          value: "all-unauthenticated"
+          value: all-unauthenticated
        - name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS
          value: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16"
        - name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT
--- a/controller/cmd/identity/main.go
+++ b/controller/cmd/identity/main.go
@ -22,8 +22,6 @@ import (
 	"github.com/linkerd/linkerd2/pkg/trace"
 	log "github.com/sirupsen/logrus"
 	corev1 "k8s.io/api/core/v1"
-	v1 "k8s.io/api/core/v1"
-	v1machinery "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/client-go/kubernetes/scheme"
 	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
@ -144,8 +142,7 @@ func Main(args []string) {
 	eventBroadcaster.StartRecordingToSink(&typedcorev1.EventSinkImpl{
 		Interface: k8sAPI.CoreV1().Events(""),
 	})
-	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, v1.EventSource{Component: componentName})
-	deployment, err := k8sAPI.AppsV1().Deployments(*controllerNS).Get(ctx, componentName, v1machinery.GetOptions{})
+	recorder := eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: componentName})

 	if err != nil {
 		log.Fatalf("Failed to construct k8s event recorder: %s", err)
@ -153,7 +150,12 @@ func Main(args []string) {

 	recordEventFunc := func(parent runtime.Object, eventType, reason, message string) {
 		if parent == nil {
-			parent = deployment
+			parent = &corev1.ObjectReference{
+				APIVersion: "apps/v1",
+				Kind:       "Deployment",
+				Namespace:  *controllerNS,
+				Name:       componentName,
+			}
 		}
 		recorder.Event(parent, eventType, reason, message)
 	}