Fix Cilium permissions (#5923)

* added required permissions for querying endpointslice resources * copy-pasted role permissions from cilium install manifests * bumped cilium version to v1.7.2
2020-04-11 08:47:48 +02:00 · 2020-04-11 08:47:48 +02:00 · 883194afec
commit 883194afec
parent 3a63aa6b1e
2 changed files with 82 additions and 70 deletions
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@ -80,7 +80,7 @@ cni_version: "v0.8.5"
 weave_version: 2.5.2
 pod_infra_version: 3.1
 contiv_version: 1.2.1
-cilium_version: "v1.7.1"
+cilium_version: "v1.7.2"
 kube_ovn_version: "v0.6.0"
 kube_router_version: "v0.4.0"
 multus_version: "v3.4.1"
--- a/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
+++ b/roles/network_plugin/cilium/templates/cilium-cr.yml.j2
@ -4,13 +4,6 @@ kind: ClusterRole
 metadata:
  name: cilium-operator
 rules:
 - apiGroups:
  - ""
  resources:
  # to get k8s version and status
  - componentstatuses
  verbs:
  - get
 - apiGroups:
  - ""
  resources:
@ -22,6 +15,14 @@ rules:
  - list
  - watch
  - delete
 - apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
 - apiGroups:
  - ""
  resources:
@ -32,6 +33,8 @@ rules:
  # to perform the translation of a CNP that contains `ToGroup` to its endpoints
  - services
  - endpoints
  # to check apiserver connectivity
  - namespaces
  verbs:
  - get
  - list
@ -41,6 +44,8 @@ rules:
  resources:
  - ciliumnetworkpolicies
  - ciliumnetworkpolicies/status
  - ciliumclusterwidenetworkpolicies
  - ciliumclusterwidenetworkpolicies/status
  - ciliumendpoints
  - ciliumendpoints/status
  - ciliumnodes
@ -55,65 +60,72 @@ kind: ClusterRole
 metadata:
  name: cilium
 rules:
-  - apiGroups:
+- apiGroups:
-      - networking.k8s.io
+  - networking.k8s.io
-    resources:
+  resources:
-      - networkpolicies
+  - networkpolicies
-    verbs:
+  verbs:
-      - get
+  - get
-      - list
+  - list
-      - watch
+  - watch
-  - apiGroups:
+- apiGroups:
-      - ""
+  - discovery.k8s.io
-    resources:
+  resources:
-      - namespaces
+  - endpointslices
-      - services
+  verbs:
-      - nodes
+  - get
-      - endpoints
+  - list
-    verbs:
+  - watch
-      - get
+- apiGroups:
-      - list
+  - ""
-      - watch
+  resources:
-  - apiGroups:
+  - namespaces
-      - ""
+  - services
-    resources:
+  - nodes
-      - pods
+  - endpoints
-      - nodes
+  verbs:
-    verbs:
+  - get
-      - get
+  - list
-      - list
+  - watch
-      - watch
+- apiGroups:
-      - update
+  - ""
-  - apiGroups:
+  resources:
-      - ""
+  - pods
-    resources:
+  - nodes
-      - nodes
+  verbs:
-      - nodes/status
+  - get
-    verbs:
+  - list
-      - patch
+  - watch
-  - apiGroups:
+  - update
-      - apiextensions.k8s.io
+- apiGroups:
-    resources:
+  - ""
-      - ingresses
+  resources:
-      - customresourcedefinitions
+  - nodes
-    verbs:
+  - nodes/status
-      - create
+  verbs:
-      - get
+  - patch
-      - list
+- apiGroups:
-      - watch
+  - apiextensions.k8s.io
-      - update
+  resources:
-  - apiGroups:
+  - customresourcedefinitions
-      - cilium.io
+  verbs:
-    resources:
+  - create
-      - ciliumnetworkpolicies
+  - get
-      - ciliumnetworkpolicies/status
+  - list
-      - ciliumclusterwidenetworkpolicies
+  - watch
-      - ciliumclusterwidenetworkpolicies/status
+  - update
-      - ciliumendpoints
+- apiGroups:
-      - ciliumendpoints/status
+  - cilium.io
-      - ciliumnodes
+  resources:
-      - ciliumnodes/status
+  - ciliumnetworkpolicies
-      - ciliumidentities
+  - ciliumnetworkpolicies/status
-      - ciliumidentities/status
+  - ciliumclusterwidenetworkpolicies
-    verbs:
+  - ciliumclusterwidenetworkpolicies/status
-      - '*'
+  - ciliumendpoints
  - ciliumendpoints/status
  - ciliumnodes
  - ciliumnodes/status
  - ciliumidentities
  - ciliumidentities/status
  verbs:
  - '*'