From 2cda982345405739dd56180ffe301188d44f235f Mon Sep 17 00:00:00 2001
From: jwfang <54740235@qq.com>
Date: Fri, 7 Jul 2017 15:43:48 +0800
Subject: [PATCH] binding group system:nodes to clusterrole calico-role
---
 roles/download/tasks/main.yml | 2 +-
 .../policy_controller/calico/tasks/main.yml | 4 ++--
 roles/network_plugin/calico/tasks/main.yml | 22 +++++++++++++++++++
 .../templates/calico-node-clusterrole.yml | 12 ++++++++++
 .../calico-node-clusterrolebinding.yml | 12 ++++++++++
 5 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrole.yml
 create mode 100644 roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 24d1b5bca..cc244619e 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -191,7 +191,7 @@
 src: "{{ fname }}"
 dest: "{{ fname }}"
 mode: push
- delegate_to: localhost
+ #delegate_to: localhost
 become: false
 register: get_task
 until: get_task|succeeded
diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 02aac8988..18ac8c18c 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,7 +3,7 @@
 when: kube_network_plugin == 'canal'
 tags: [facts, canal]
-- name: Lay Down calico-policy-controller Template
+- name: Lay Down calico-policy-controller RBAC Template
 template:
 src: "{{item.file}}"
 dest: "{{kube_config_dir}}/{{item.file}}"
@@ -15,7 +15,7 @@
 when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
 tags: canal
-- name: Create calico-policy-controller Resources
+- name: Create calico-policy-controller RBAC Resources
 kube:
 name: "{{item.item.name}}"
 namespace: "{{ system_namespace }}"
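Review bot: Commenting out `delegate_to: localhost` in roles/download/tasks/main.yml is unrelated to the ClusterRole binding named in the subject and is not explained anywhere in the commit, yet it changes which host performs the `mode: push` transfer (the task head is outside the hunk, so I cannot confirm it is a synchronize task, but `mode: push` and `become: false` read that way). If this is a leftover local debugging tweak it should be dropped before merge; if it is intended, delete the line instead of leaving dead config behind and state the reason above the task, e.g. `# push from the remote host rather than the Ansible controller: <reason>`. As written, `#delegate_to` also lacks the space after `#` that yamllint's comments rule expects.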
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index 38d3ad5db..59ae25e17 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -195,6 +195,28 @@
 when: secret_changed|default(false) or etcd_secret_changed|default(false)
 notify: restart calico-node
+- name: Lay Down calico-node RBAC Template
+ template:
+ src: "{{item.file}}"
+ dest: "{{kube_config_dir}}/{{item.file}}"
+ with_items:
+ - {name: calico-node, file: calico-node-clusterrole.yml, type: clusterrole}
+ - {name: calico-node, file: calico-node-clusterrolebinding.yml, type: clusterrolebinding}
+ register: manifests
+ when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
+- name: Create calico-node RBAC Resources
+ kube:
+ name: "{{item.item.name}}"
+ namespace: "{{ system_namespace }}"
+ kubectl: "{{bin_dir}}/kubectl"
+ resource: "{{item.item.type}}"
+ filename: "{{kube_config_dir}}/{{item.item.file}}"
+ state: "{{item.changed | ternary('latest','present') }}"
+ with_items: "{{ manifests.results }}"
+ failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
+ when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
 - meta: flush_handlers
 - name: Calico | Enable calico-node
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrole.yml b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
new file mode 100644
index 000000000..b48c74735
--- /dev/null
+++ b/roles/network_plugin/calico/templates/calico-node-clusterrole.yml
@@ -0,0 +1,12 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-node
+ namespace: {{ system_namespace }}
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
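Review bot: The `failed_when` on the `Create calico-node RBAC Resources` task inspects `manifests`, which is the registered result of the preceding template task, not this task's own result; because the play only reaches this task after that one succeeded, `manifests|failed` is always false and a genuine kubectl error (a rejected manifest, an authorization failure) would be reported as success. Register this task's own result and test that instead, e.g. `register: calico_node_rbac` and `failed_when: calico_node_rbac|failed and "Error from server (AlreadyExists)" not in calico_node_rbac.msg` — Ansible exposes the current item's result under the registered name while evaluating `failed_when` in a loop. If the `calico-policy-controller` task this was modelled on uses the same expression, it has the same gap, though that hunk only shows the task head.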
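Review bot: `namespace: {{ system_namespace }}` under `metadata` in calico-node-clusterrole.yml has no effect on a ClusterRole, which is cluster-scoped, and the unquoted Jinja expression depends on `system_namespace` rendering to a plain scalar; drop the line, or if it is kept for symmetry with the other templates quote it as `namespace: "{{ system_namespace }}"`. The rule grants `get` on every Pod and Node in the cluster, i.e. cluster-wide read access to pod specs, so a comment above `rules:` naming which calico-node code path needs each resource would let a later reviewer judge whether the grant can be tightened (what calico-node actually requires should be confirmed against the Calico version deployed here). The commit subject refers to `clusterrole calico-role`, while the role is named `calico-node`; the subject is presumably the one that is off.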
diff --git a/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
new file mode 100644
index 000000000..cdbd15685
--- /dev/null
+++ b/roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-node
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-node
+subjects:
+- kind: Group
+ name: system:nodes
+ namespace: kube-system
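Review bot: The binding grants the `calico-node` ClusterRole to the `system:nodes` Group, i.e. to every kubelet credential in the cluster, rather than to an identity owned by the calico-node pods; a node-group binding is not attributable to calico, survives its removal, and on clusters using the Node authorizer is wider than the per-node scoping kubelets otherwise get. Calico's own RBAC manifests bind a `calico-node` ServiceAccount instead, so if the calico-node DaemonSet here runs under a ServiceAccount, prefer `- kind: ServiceAccount` / `name: calico-node` / `namespace: kube-system` as the subject. As written, `namespace: kube-system` on a `Group` subject is ignored (the field only applies to ServiceAccount subjects), so it should either go or become meaningful through that change. Note too that this file's `subjects:` list is flush with its key while the ClusterRole template indents its lists; pick one style across the two templates.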