C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Apply ClusterRoleBinding to dnsmaq when rbac_enabled (#1592)

Browse source 
* Add RBAC policies to dnsmasq

* fix merge conflict

* yamllint

* use .j2 extension for dnsmasq autoscaler
This commit is contained in:
Dann 2017-09-03 03:53:45 -04:00 committed by Matthew Mosesohn
parent 8ae77e955e
commit 702ce446df
5 changed files with 46 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

22
roles/dnsmasq/tasks/main.yml
View file

@ -56,6 +56,26 @@
dest: /etc/dnsmasq.d/01-kube-dns.conf dest: /etc/dnsmasq.d/01-kube-dns.conf
state: link state: link
- name: Create dnsmasq RBAC manifests
template:
src: "{{ item }}"
dest: "{{ kube_config_dir }}/{{ item }}"
with_items:
- "dnsmasq-clusterrolebinding.yml"
- "dnsmasq-serviceaccount.yml"
when: rbac_enabled
delegate_to: "{{ groups['kube-master'][0] }}"
run_once: true
- name: Apply dnsmasq RBAC manifests
command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }}"
with_items:
- "dnsmasq-clusterrolebinding.yml"
- "dnsmasq-serviceaccount.yml"
when: rbac_enabled
delegate_to: "{{ groups['kube-master'][0] }}"
run_once: true
- name: Create dnsmasq manifests - name: Create dnsmasq manifests
template: template:
src: "{{item.file}}" src: "{{item.file}}"
@ -63,7 +83,7 @@
with_items: with_items:
- {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment} - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
- {name: dnsmasq, file: dnsmasq-svc.yml, type: svc} - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
- {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment} - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml.j2, type: deployment}
register: manifests register: manifests
delegate_to: "{{ groups['kube-master'][0] }}" delegate_to: "{{ groups['kube-master'][0] }}"
run_once: true run_once: true

3
roles/dnsmasq/templates/dnsmasq-autoscaler.yml → roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2
View file

@ -31,6 +31,9 @@ spec:
scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/critical-pod: ''
scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]' scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]'
spec: spec:
{% if rbac_enabled %}
serviceAccountName: dnsmasq
{% endif %}
tolerations: tolerations:
- effect: NoSchedule - effect: NoSchedule
operator: Exists operator: Exists

14
roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml Normal file
View file

@ -0,0 +1,14 @@
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: dnsmasq
namespace: "{{ system_namespace }}"
subjects:
- kind: ServiceAccount
name: dnsmasq
namespace: "{{ system_namespace}}"
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

1
roles/dnsmasq/templates/dnsmasq-deploy.yml
View file

@ -57,7 +57,6 @@ spec:
mountPath: /etc/dnsmasq.d mountPath: /etc/dnsmasq.d
- name: etcdnsmasqdavailable - name: etcdnsmasqdavailable
mountPath: /etc/dnsmasq.d-available mountPath: /etc/dnsmasq.d-available
volumes: volumes:
- name: etcdnsmasqd - name: etcdnsmasqd
hostPath: hostPath:

8
roles/dnsmasq/templates/dnsmasq-serviceaccount.yml Normal file
View file

@ -0,0 +1,8 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dnsmasq
namespace: "{{ system_namespace }}"
labels:
kubernetes.io/cluster-service: "true"