diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml index 8fbd547b4..d40d3d2f8 100644 --- a/roles/dnsmasq/tasks/main.yml +++ b/roles/dnsmasq/tasks/main.yml @@ -59,7 +59,6 @@ with_items: - "dnsmasq-clusterrolebinding.yml" - "dnsmasq-serviceaccount.yml" - when: rbac_enabled delegate_to: "{{ groups['kube-master'][0] }}" run_once: true @@ -68,7 +67,6 @@ with_items: - "dnsmasq-clusterrolebinding.yml" - "dnsmasq-serviceaccount.yml" - when: rbac_enabled delegate_to: "{{ groups['kube-master'][0] }}" run_once: true diff --git a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 index d871bcbf9..a6d1df934 100644 --- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 +++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 @@ -31,9 +31,7 @@ spec: scheduler.alpha.kubernetes.io/critical-pod: '' scheduler.alpha.kubernetes.io/tolerations: '[{"key":"CriticalAddonsOnly", "operator":"Exists"}]' spec: -{% if rbac_enabled %} serviceAccountName: dnsmasq -{% endif %} tolerations: - effect: NoSchedule operator: Exists diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml index 3d7e141ae..312b6aca8 100644 --- a/roles/kubernetes-apps/ansible/defaults/main.yml +++ b/roles/kubernetes-apps/ansible/defaults/main.yml @@ -66,8 +66,3 @@ dashboard_token_ttl: 900 # SSL etcd_cert_dir: "/etc/ssl/etcd/ssl" canal_cert_dir: "/etc/canal/certs" - -rbac_resources: - - sa - - clusterrole - - clusterrolebinding diff --git a/roles/kubernetes-apps/ansible/tasks/coredns.yml b/roles/kubernetes-apps/ansible/tasks/coredns.yml index fcd6c4c6d..c52cf7ba8 100644 --- a/roles/kubernetes-apps/ansible/tasks/coredns.yml +++ b/roles/kubernetes-apps/ansible/tasks/coredns.yml @@ -16,7 +16,6 @@ when: - dns_mode in ['coredns', 'coredns_dual'] - inventory_hostname == groups['kube-master'][0] - - rbac_enabled or item.type not in rbac_resources tags: - coredns 
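Review bot: With `when: rbac_enabled` gone from both tasks in this file (and the same gate dropped in every other hunk of this diff), the roles now assume the API server authorizes with RBAC, yet nothing in the diff records that assumption or retires the `rbac_enabled` variable itself. If `rbac_enabled` is still defined in the inventory defaults outside this diff it becomes a dead knob that users may keep setting to `false` expecting the old behaviour; a short comment above the `with_items:` list in the first task would make the new contract explicit, e.g. `# ServiceAccount/ClusterRoleBinding manifests are always applied; the cluster is expected to run with RBAC authorization enabled`. Both tasks start before their hunks.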
@@ -34,6 +33,5 @@ when: - dns_mode == 'coredns_dual' - inventory_hostname == groups['kube-master'][0] - - rbac_enabled or item.type not in rbac_resources tags: - coredns diff --git a/roles/kubernetes-apps/ansible/tasks/kubedns.yml b/roles/kubernetes-apps/ansible/tasks/kubedns.yml index b2199d446..e7bf8298f 100644 --- a/roles/kubernetes-apps/ansible/tasks/kubedns.yml +++ b/roles/kubernetes-apps/ansible/tasks/kubedns.yml @@ -16,7 +16,6 @@ when: - dns_mode in ['kubedns','dnsmasq_kubedns'] - inventory_hostname == groups['kube-master'][0] - - rbac_enabled or item.type not in rbac_resources tags: - dnsmasq - kubedns diff --git a/roles/kubernetes-apps/ansible/tasks/netchecker.yml b/roles/kubernetes-apps/ansible/tasks/netchecker.yml index 0a133abb5..bf0322a27 100644 --- a/roles/kubernetes-apps/ansible/tasks/netchecker.yml +++ b/roles/kubernetes-apps/ansible/tasks/netchecker.yml @@ -35,7 +35,6 @@ register: manifests when: - inventory_hostname == groups['kube-master'][0] - - rbac_enabled or item.type not in rbac_resources - name: Kubernetes Apps | Purge old Netchecker server kube: diff --git a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 index dc1f51937..27c0576a1 100644 --- a/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/coredns-deployment.yml.j2 @@ -26,9 +26,7 @@ spec: annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: -{% if rbac_enabled %} serviceAccountName: coredns -{% endif %} tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 index 73ae3a01a..11c8d37f0 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 
@@ -64,6 +64,4 @@ spec: - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}} - --logtostderr=true - --v=2 -{% if rbac_enabled %} serviceAccountName: cluster-proportional-autoscaler -{% endif %} diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 index 38858a621..549d93c14 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 @@ -172,6 +172,4 @@ spec: memory: 20Mi cpu: 10m dnsPolicy: Default # Don't use cluster DNS. -{% if rbac_enabled %} serviceAccountName: kube-dns -{% endif %} diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2 index 6e2738e6f..30e3b5907 100644 --- a/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2 @@ -33,6 +33,4 @@ spec: tolerations: - effect: NoSchedule operator: Exists -{% if rbac_enabled %} serviceAccountName: netchecker-server -{% endif %} diff --git a/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml b/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml index b6055132b..888cbd189 100644 --- a/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml +++ b/roles/kubernetes-apps/efk/elasticsearch/tasks/main.yml @@ -7,7 +7,6 @@ - "efk-sa.yml" - "efk-clusterrolebinding.yml" run_once: true - when: rbac_enabled - name: "ElasticSearch | Create Serviceaccount and Clusterrolebinding (RBAC)" command: "{{ bin_dir }}/kubectl apply -f {{ kube_config_dir }}/{{ item }} -n kube-system" @@ -15,7 +14,6 @@ - "efk-sa.yml" - "efk-clusterrolebinding.yml" run_once: true - when: rbac_enabled - name: "ElasticSearch | Write ES deployment" template: 
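Review bot: Now that `when: rbac_enabled` is removed, the task `ElasticSearch | Create Serviceaccount and Clusterrolebinding (RBAC)` runs `{{ bin_dir }}/kubectl apply -f ...` through the `command` module on every play, which Ansible always reports as changed, whereas the helm and netchecker hunks in this diff apply the same kind of manifests through the `kube:` module. Switching this task to `kube:` (with `state: "latest"`, as the helm hunk does) would keep the role idempotent and consistent; if `command` has to stay, a `changed_when:` derived from the kubectl output would at least stop the spurious change reports. The `(RBAC)` suffix in the task name no longer distinguishes it from anything and could be dropped. The first task's header and the second task's body are outside the hunks.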
diff --git a/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-deployment.yml.j2 b/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-deployment.yml.j2 index 51666c1f2..ad1adc536 100644 --- a/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-deployment.yml.j2 +++ b/roles/kubernetes-apps/efk/elasticsearch/templates/elasticsearch-deployment.yml.j2 @@ -52,9 +52,7 @@ spec: volumes: - name: es-persistent-storage emptyDir: {} -{% if rbac_enabled %} serviceAccountName: efk -{% endif %} initContainers: - image: alpine:3.6 command: ["/sbin/sysctl", "-w", "vm.max_map_count=262144"] diff --git a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 index 6405f0cc9..6e9ad30c0 100644 --- a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 +++ b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 @@ -28,9 +28,7 @@ spec: scheduler.alpha.kubernetes.io/critical-pod: '' spec: priorityClassName: system-node-critical -{% if rbac_enabled %} serviceAccountName: efk -{% endif %} containers: - name: fluentd-es image: "{{ fluentd_image_repo }}:{{ fluentd_image_tag }}" diff --git a/roles/kubernetes-apps/efk/kibana/templates/kibana-deployment.yml.j2 b/roles/kubernetes-apps/efk/kibana/templates/kibana-deployment.yml.j2 index 880482d4d..b9c875be6 100644 --- a/roles/kubernetes-apps/efk/kibana/templates/kibana-deployment.yml.j2 +++ b/roles/kubernetes-apps/efk/kibana/templates/kibana-deployment.yml.j2 @@ -46,7 +46,4 @@ spec: - containerPort: 5601 name: ui protocol: TCP -{% if rbac_enabled %} serviceAccountName: efk -{% endif %} - diff --git a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/deploy-cephfs-provisioner.yml.j2 b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/deploy-cephfs-provisioner.yml.j2 index 17c8c3d36..838137e8b 100644 
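Review bot: The three EFK workloads in these hunks (elasticsearch-deployment, fluentd-ds, kibana-deployment) now always run under the single `serviceAccountName: efk`, so whatever `efk-clusterrolebinding.yml` grants (applied by the elasticsearch tasks hunk earlier in this diff) is shared by all three pods. From a least-privilege view Kibana presumably needs no Kubernetes API access at all, and Fluentd only what it uses for log metadata, so a per-component ServiceAccount (e.g. `serviceAccountName: kibana` with no binding) would limit what a compromise of one pod can reach; I cannot see the role's rules from here, so confirm the actual needs before splitting. The pod specs continue outside the hunks.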
--- a/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/deploy-cephfs-provisioner.yml.j2 +++ b/roles/kubernetes-apps/external_provisioner/cephfs_provisioner/templates/deploy-cephfs-provisioner.yml.j2 @@ -19,9 +19,7 @@ spec: app: cephfs-provisioner version: {{ cephfs_provisioner_image_tag }} spec: -{% if rbac_enabled %} serviceAccount: cephfs-provisioner -{% endif %} containers: - name: cephfs-provisioner image: {{ cephfs_provisioner_image_repo }}:{{ cephfs_provisioner_image_tag }} diff --git a/roles/kubernetes-apps/helm/tasks/main.yml b/roles/kubernetes-apps/helm/tasks/main.yml index 7e400d3fe..14d6ec5fe 100644 --- a/roles/kubernetes-apps/helm/tasks/main.yml +++ b/roles/kubernetes-apps/helm/tasks/main.yml @@ -13,7 +13,7 @@ - {name: tiller, file: tiller-sa.yml, type: sa} - {name: tiller, file: tiller-clusterrolebinding.yml, type: clusterrolebinding} register: manifests - when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled + when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] - name: Helm | Apply Helm Manifests (RBAC) kube: @@ -24,7 +24,7 @@ filename: "{{kube_config_dir}}/{{item.item.file}}" state: "latest" with_items: "{{ manifests.results }}" - when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] and rbac_enabled + when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0] - name: Helm | Install/upgrade helm command: > diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 index 068754642..490be52fb 100644 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ds-ingress-nginx-controller.yml.j2 
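Review bot: The cephfs provisioner template keeps the deprecated pod field `serviceAccount:` while every other template in this diff uses `serviceAccountName:`; now that the line is unconditional it should read `serviceAccountName: cephfs-provisioner` so the manifest matches its siblings and does not rely on the legacy alias still being honoured. The pod spec continues outside the hunk.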
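Review bot: Both rewritten `when:` lines in the helm tasks still gate Tiller's ServiceAccount and ClusterRoleBinding on `dns_mode != 'none'`, a term that has no visible relation to Helm; if it is a leftover the condition reduces to `when: inventory_hostname == groups['kube-master'][0]`, and if it is intentional a comment saying why Helm depends on the DNS mode would help the next reader. The `type: sa` / `type: clusterrolebinding` keys in the `with_items` dicts also appear to lose their only consumer now that `rbac_resources` is gone, here and presumably in the coredns, kubedns, netchecker, calico, canal, cilium and flannel task files touched by this diff, so they could be dropped or kept purely as labels. Since the Tiller binding is now applied on every cluster, a note on the task naming the role it binds, e.g. `# Always applied: Tiller runs with the permissions granted by tiller-clusterrolebinding.yml`, would make the privilege grant visible. Both task headers are outside the hunks.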
@@ -21,9 +21,7 @@ spec: prometheus.io/port: '10254' prometheus.io/scrape: 'true' spec: -{% if rbac_enabled %} serviceAccountName: ingress-nginx -{% endif %} {% if ingress_nginx_host_network %} hostNetwork: true {% endif %} diff --git a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml index 0e66359cc..93d12c901 100644 --- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml +++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml @@ -8,8 +8,3 @@ calico_policy_controller_memory_requests: 64M # SSL calico_cert_dir: "/etc/calico/certs" canal_cert_dir: "/etc/canal/certs" - -rbac_resources: - - sa - - clusterrole - - clusterrolebinding diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml index 62e929f41..bc2fdf7e7 100644 --- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml +++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml @@ -26,8 +26,7 @@ - {name: calico-kube-controllers, file: calico-kube-cr.yml, type: clusterrole} - {name: calico-kube-controllers, file: calico-kube-crb.yml, type: clusterrolebinding} register: calico_kube_manifests - when: - - rbac_enabled or item.type not in rbac_resources + when: inventory_hostname == groups['kube-master'][0] and not item|skipped - name: Start of Calico kube controllers kube: diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 index d7083e3e6..5dcafbbc5 100644 --- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 +++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2 
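Review bot: The new `when:` line in the calico policy controller tasks applies `not item|skipped` to a task whose `with_items` are the literal dicts shown just above it (`{name: calico-kube-controllers, file: calico-kube-cr.yml, type: clusterrole}` and friends) and which itself `register`s `calico_kube_manifests`; `skipped` is meant for registered loop results, so on these plain dicts it should always be false and the term is a no-op that looks copied from the apply task that follows. The line should be `when: inventory_hostname == groups['kube-master'][0]`, and keeping the list form the old version used (`when:` followed by `- inventory_hostname == groups['kube-master'][0]`) would match the other task files in this diff. The task's header is outside the hunk.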
@@ -21,9 +21,7 @@ spec: k8s-app: calico-kube-controllers spec: hostNetwork: true -{% if rbac_enabled %} serviceAccountName: calico-kube-controllers -{% endif %} tolerations: - effect: NoSchedule operator: Exists diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml index 553eb6753..800bbb6fc 100644 --- a/roles/network_plugin/calico/defaults/main.yml +++ b/roles/network_plugin/calico/defaults/main.yml @@ -41,11 +41,6 @@ calico_felix_prometheusprocessmetricsenabled: "true" # see https://github.com/projectcalico/felix/blob/ab8799eaea66627e5db7717e62fca61fd9c08646/python/calico/felix/config.py#L198 calico_node_ignorelooserpf: false -rbac_resources: - - sa - - clusterrole - - clusterrolebinding - # If you want to use non default IP_AUTODETECTION_METHOD for calico node set this option to one of: # * can-reach=DESTINATION # * interface=INTERFACE-REGEX diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml index 18fe597c7..7ce84cfdc 100644 --- a/roles/network_plugin/calico/tasks/main.yml +++ b/roles/network_plugin/calico/tasks/main.yml @@ -191,4 +191,3 @@ register: calico_node_manifests when: - inventory_hostname in groups['kube-master'] - - rbac_enabled or item.type not in rbac_resources diff --git a/roles/network_plugin/calico/templates/calico-node.yml.j2 b/roles/network_plugin/calico/templates/calico-node.yml.j2 index 849ea0afb..54dacba8f 100644 --- a/roles/network_plugin/calico/templates/calico-node.yml.j2 +++ b/roles/network_plugin/calico/templates/calico-node.yml.j2 @@ -22,9 +22,7 @@ spec: kubespray.etcd-cert/serial: "{{ etcd_client_cert_serial }}" spec: hostNetwork: true -{% if rbac_enabled %} serviceAccountName: calico-node -{% endif %} tolerations: - effect: NoSchedule operator: Exists diff --git a/roles/network_plugin/canal/defaults/main.yml b/roles/network_plugin/canal/defaults/main.yml index bf74653c7..38696b87a 100644 
--- a/roles/network_plugin/canal/defaults/main.yml +++ b/roles/network_plugin/canal/defaults/main.yml @@ -31,8 +31,3 @@ calicoctl_memory_limit: 170M calicoctl_cpu_limit: 100m calicoctl_memory_requests: 32M calicoctl_cpu_requests: 25m - -rbac_resources: - - sa - - clusterrole - - clusterrolebinding diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml index 5b1b6a9e0..aedb47070 100644 --- a/roles/network_plugin/canal/tasks/main.yml +++ b/roles/network_plugin/canal/tasks/main.yml @@ -53,7 +53,6 @@ register: canal_manifests when: - inventory_hostname in groups['kube-master'] - - rbac_enabled or item.type not in rbac_resources - name: Canal | Copy cni plugins from hyperkube command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -rf /opt/cni/bin/. /cnibindir/" diff --git a/roles/network_plugin/canal/templates/canal-node.yaml.j2 b/roles/network_plugin/canal/templates/canal-node.yaml.j2 index 8535360a1..7e3ecf8d5 100644 --- a/roles/network_plugin/canal/templates/canal-node.yaml.j2 +++ b/roles/network_plugin/canal/templates/canal-node.yaml.j2 @@ -19,9 +19,7 @@ spec: k8s-app: canal-node spec: hostNetwork: true -{% if rbac_enabled %} serviceAccountName: canal -{% endif %} tolerations: - effect: NoSchedule operator: Exists diff --git a/roles/network_plugin/cilium/defaults/main.yml b/roles/network_plugin/cilium/defaults/main.yml index dea905b3b..f6a836f95 100755 --- a/roles/network_plugin/cilium/defaults/main.yml +++ b/roles/network_plugin/cilium/defaults/main.yml @@ -18,8 +18,3 @@ cilium_cpu_requests: 100m # Optional features cilium_enable_prometheus: false - -rbac_resources: - - sa - - clusterrole - - clusterrolebinding diff --git a/roles/network_plugin/cilium/tasks/main.yml b/roles/network_plugin/cilium/tasks/main.yml index 12408a00a..6c55be663 100755 --- a/roles/network_plugin/cilium/tasks/main.yml +++ b/roles/network_plugin/cilium/tasks/main.yml 
@@ -38,7 +38,6 @@ register: cilium_node_manifests when: - inventory_hostname in groups['kube-master'] - - rbac_enabled or item.type not in rbac_resources - name: Cilium | Set CNI directory permissions file: diff --git a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 index 1ec322916..7fff7ac0e 100755 --- a/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 +++ b/roles/network_plugin/cilium/templates/cilium-ds.yml.j2 @@ -34,9 +34,7 @@ spec: prometheus.io/port: "9090" {% endif %} spec: -{% if rbac_enabled %} serviceAccountName: cilium -{% endif %} initContainers: - name: clean-cilium-state image: docker.io/library/busybox:1.28.4 diff --git a/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2 b/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2 index 3ccaffaf8..cea0efe51 100644 --- a/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-api-proxy.yml.j2 @@ -27,9 +27,7 @@ spec: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule -{% if rbac_enabled %} serviceAccountName: contiv-netmaster -{% endif %} containers: - name: contiv-api-proxy image: {{ contiv_auth_proxy_image_repo }}:{{ contiv_auth_proxy_image_tag }} diff --git a/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2 b/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2 index d41259ec1..787fe5c27 100644 --- a/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-netmaster.yml.j2 @@ -27,9 +27,7 @@ spec: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule -{% if rbac_enabled %} serviceAccountName: contiv-netmaster -{% endif %} containers: - name: contiv-netmaster image: {{ contiv_image_repo }}:{{ contiv_image_tag }} 
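Review bot: contiv-api-proxy and contiv-netmaster now both run unconditionally under the same `serviceAccountName: contiv-netmaster`, so the API proxy inherits every permission the netmaster needs. If the proxy does not require the same API access (its ClusterRole is not in this diff, so I cannot tell), a dedicated ServiceAccount for it would keep the blast radius of the request-facing component smaller. The pod specs continue outside the hunks.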
diff --git a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 index 2a7bf71cb..b7927f51c 100644 --- a/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 +++ b/roles/network_plugin/contiv/templates/contiv-netplugin.yml.j2 @@ -26,9 +26,7 @@ spec: tolerations: - key: node-role.kubernetes.io/master effect: NoSchedule -{% if rbac_enabled %} serviceAccountName: contiv-netplugin -{% endif %} containers: # Runs netplugin container on each Kubernetes node. This # container programs network policy and routes on each diff --git a/roles/network_plugin/flannel/tasks/main.yml b/roles/network_plugin/flannel/tasks/main.yml index 29b79b11d..c0c3aee3e 100644 --- a/roles/network_plugin/flannel/tasks/main.yml +++ b/roles/network_plugin/flannel/tasks/main.yml @@ -11,4 +11,3 @@ register: flannel_node_manifests when: - inventory_hostname in groups['kube-master'] - - rbac_enabled or item.type not in rbac_resources diff --git a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 index 7ecb21ad0..b201e8e7f 100644 --- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 +++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 @@ -52,9 +52,7 @@ spec: tier: node k8s-app: flannel spec: -{% if rbac_enabled %} serviceAccountName: flannel -{% endif %} containers: - name: kube-flannel image: {{ flannel_image_repo }}:{{ flannel_image_tag }}