move to specific role
This commit is contained in:
Boris Zanetti
nhaveric
parent
eb8fc0fe83
commit
8d898778f5
17 changed files with 162 additions and 3 deletions
|
|
@ -78,6 +78,12 @@
|
|||
- { role: kargo-defaults}
|
||||
- { role: network_plugin/calico/rr, tags: network }
|
||||
|
||||
- hosts: k8s-cluster
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
- { role: kargo-defaults}
|
||||
- { role: rbac, tags: rbac }
|
||||
|
||||
- hosts: k8s-cluster
|
||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||
roles:
|
||||
|
|
|
|||
|
|
@ -63,9 +63,6 @@
|
|||
with_items:
|
||||
- {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
|
||||
- {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
|
||||
- {name: cluster-proportional-autoscaler, file: dnsmasq-serviceaccount.yml, type: serviceaccount}
|
||||
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrole.yml, type: clusterrole}
|
||||
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
- {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
|
||||
register: manifests
|
||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||
|
|
|
|||
|
|
@ -40,6 +40,7 @@ spec:
|
|||
mountPath: /var/lib/docker/containers
|
||||
readOnly: true
|
||||
terminationGracePeriodSeconds: 30
|
||||
serviceAccountName: fluentd
|
||||
volumes:
|
||||
- name: varlog
|
||||
hostPath:
|
||||
|
|
|
|||
34
roles/rbac/tasks/main.yml
Normal file
34
roles/rbac/tasks/main.yml
Normal file
|
|
@ -0,0 +1,34 @@
|
|||
---
|
||||
- name: Create RBAC manifests
|
||||
template:
|
||||
src: "{{item.file}}"
|
||||
dest: "{{kube_config_dir}}/{{item.file}}"
|
||||
with_items:
|
||||
- {name: calico-cni-plugin, file: calico-cni-plugin-serviceaccount.yml, type: serviceaccount}
|
||||
- {name: calico-cni-plugin, file: calico-cni-plugin-clusterrole.yml, type: clusterrole}
|
||||
- {name: calico-cni-plugin, file: calico-cni-plugin-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
- {name: calico-policy-controller, file: calico-policy-controller-serviceaccount.yml, type: serviceaccount}
|
||||
- {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
|
||||
- {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
- {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-serviceaccount.yml, type: serviceaccount}
|
||||
- {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrole.yml, type: clusterrole}
|
||||
- {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
- {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrole.yml', type: clusterrole}
|
||||
- {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrolebinding.yml', type: clusterrolebinding}
|
||||
- {name: fluentd, file: fluentd-clusterrole.yml, type: clusterrole}
|
||||
- {name: fluentd, file: fluentd-clusterrolebinding.yml, type: clusterrolebinding}
|
||||
register: manifests
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
- name: Start Resources
|
||||
kube:
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{system_namespace}}"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
state: "{{item.changed | ternary('latest','present') }}"
|
||||
with_items: "{{ manifests.results }}"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
|
||||
13
roles/rbac/templates/calico-cni-plugin-clusterrole.yml
Normal file
13
roles/rbac/templates/calico-cni-plugin-clusterrole.yml
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-cni-plugin
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs:
|
||||
- get
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: calico-cni-plugin
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: calico-cni-plugin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: calico-cni-plugin
|
||||
namespace: kube-system
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: calico-cni-plugin
|
||||
namespace: kube-system
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
namespace: kube-system
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- extensions
|
||||
resources:
|
||||
- pods
|
||||
- namespaces
|
||||
- networkpolicies
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: calico-policy-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: calico-policy-controller
|
||||
namespace: kube-system
|
||||
|
|
@ -0,0 +1,6 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
namespace: kube-system
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
|
|
@ -1,3 +1,4 @@
|
|||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
15
roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
Normal file
15
roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
Normal file
|
|
@ -0,0 +1,15 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: custom:system:kube-dns
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
resources:
|
||||
- endpoints
|
||||
- services
|
||||
verbs:
|
||||
- get
|
||||
- list
|
||||
- watch
|
||||
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: custom:system:kube-dns
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: custom:system:kube-dns
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: kube-dns
|
||||
namespace: kube-system
|
||||
9
roles/rbac/templates/fluentd-clusterrole.yml
Normal file
9
roles/rbac/templates/fluentd-clusterrole.yml
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: fluentd
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get"]
|
||||
13
roles/rbac/templates/fluentd-clusterrolebinding.yml
Normal file
13
roles/rbac/templates/fluentd-clusterrolebinding.yml
Normal file
|
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: fluentd
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: fluentd
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: fluentd
|
||||
namespace: kube-system
|
||||
Loading…
Reference in a new issue