patch system:kube-dns clusterrole for get

2017-06-17 19:53:29 +08:00 · 2017-06-17 19:53:29 +08:00 · 525db1f109
commit 525db1f109
parent 442ebce3d8
1 changed files with 17 additions and 0 deletions
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@ -24,6 +24,23 @@
  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and (item.type not in rbac_resources or rbac_enabled)
  tags: dnsmasq

+# see https://github.com/kubernetes/kubernetes/issues/45084
+# TODO: this is only needed for "old" kube-dns
+- name: Kubernetes Apps | Patch system:kube-dns ClusterRole
+  command: >
+    {{bin_dir}}/kubectl patch clusterrole system:kube-dns
+    --patch='{
+               "rules": [
+                 {
+                   "apiGroups" : [""],
+                   "resources" : ["endpoints", "services"],
+                   "verbs": ["list", "watch", "get"]
+                 }
+               ]
+             }'
+  when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
+  tags: dnsmasq
+
 - name: Kubernetes Apps | Start Resources
  kube:
    name: "{{item.item.name}}"