diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml
index 56ec80d98..a06afbdce 100644
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@@ -56,6 +56,26 @@
 dest: /etc/dnsmasq.d/01-kube-dns.conf
 state: link
+- name: Create dnsmasq RBAC manifests
+ template:
+ src: "{{ item }}"
+ dest: "{{ kube_config_dir }}/{{ item }}"
+ with_items:
+ - "dnsmasq-clusterrolebinding.yml"
+ - "dnsmasq-serviceaccount.yml"
+ when: rbac_enabled
+ delegate_to: "{{ groups['kube-master'][0] }}"
+ run_once: true
+
+- name: Apply dnsmasq RBAC manifests
+ command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }}"
+ with_items:
+ - "dnsmasq-clusterrolebinding.yml"
+ - "dnsmasq-serviceaccount.yml"
+ when: rbac_enabled
+ delegate_to: "{{ groups['kube-master'][0] }}"
+ run_once: true
+
 - name: Create dnsmasq manifests
 template:
 src: "{{item.file}}"
@@ -63,7 +83,7 @@
 with_items:
 - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
 - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
- - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
+ - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml.j2, type: deployment}
 register: manifests
 delegate_to: "{{ groups['kube-master'][0] }}"
 run_once: true
diff --git a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
similarity index 96%
rename from roles/dnsmasq/templates/dnsmasq-autoscaler.yml
rename to roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
index 85b357950..d9e7b10f3 100644
--- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml
+++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
@@ -31,6 +31,9 @@ spec:
 scheduler.alpha.kubernetes.io/critical-pod: ''
 scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
 spec:
+{% if rbac_enabled %}
+ serviceAccountName: dnsmasq
+{% endif %}
 tolerations:
 - effect: NoSchedule
 operator: Exists
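Review bot: The `Apply dnsmasq RBAC manifests` task in the first hunk runs `kubectl apply` through `command` with no `register`/`changed_when`, so it reports changed on every play run even when the ServiceAccount and ClusterRoleBinding already match, which hides real drift behind a permanently-yellow task. The other manifests in this role go through a different path (the `Create dnsmasq manifests` task that registers `manifests`), so either apply the RBAC files the same way or key the change status on kubectl's own output, e.g. `register: dnsmasq_rbac_apply` and `changed_when: "'created' in dnsmasq_rbac_apply.stdout or 'configured' in dnsmasq_rbac_apply.stdout"`. The same two-item file list is also duplicated verbatim between the template task and the apply task; a single role variable would keep them from drifting apart. Ordering is correct as written, since the RBAC objects are created before the autoscaler deployment that references `serviceAccountName: dnsmasq` in the third hunk.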
diff --git a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml new file mode 100644 index 000000000..817de877b --- /dev/null +++ b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml @@ -0,0 +1,14 @@ +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: dnsmasq + namespace: "{{ system_namespace }}" +subjects: + - kind: ServiceAccount + name: dnsmasq + namespace: "{{ system_namespace}}" +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index 94b15206b..838471050 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -57,7 +57,6 @@ spec: mountPath: /etc/dnsmasq.d - name: etcdnsmasqdavailable mountPath: /etc/dnsmasq.d-available - volumes: - name: etcdnsmasqd hostPath: diff --git a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml new file mode 100644 index 000000000..bce8a232f --- /dev/null +++ b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: dnsmasq + namespace: "{{ system_namespace }}" + labels: + kubernetes.io/cluster-service: "true"
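Review bot: dnsmasq-clusterrolebinding.yml binds the `dnsmasq` ServiceAccount to the built-in `cluster-admin` ClusterRole, which is far more than the autoscaler pod (the only workload that receives `serviceAccountName: dnsmasq` in this commit) needs, so a compromise of that pod or a leak of its mounted token yields full control of the cluster. A dedicated ClusterRole restricted to what the autoscaler actually does would contain that blast radius; presumably that is list/watch on nodes plus get/update on the scale of its own deployment in `system_namespace` — confirm against the autoscaler's documentation before writing the rules. `metadata.namespace` on a ClusterRoleBinding is ignored because the object is cluster-scoped and only misleads readers; drop it and keep just the `subjects[].namespace` entry. The subject's `"{{ system_namespace}}"` is also missing the space before the closing braces and should match the `"{{ system_namespace }}"` form used elsewhere in the file.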