diff --git a/cluster.yml b/cluster.yml index 75296646a..2d992614a 100644 --- a/cluster.yml +++ b/cluster.yml @@ -78,6 +78,12 @@ - { role: kargo-defaults} - { role: network_plugin/calico/rr, tags: network } +- hosts: k8s-cluster + any_errors_fatal: "{{ any_errors_fatal | default(true) }}" + roles: + - { role: kargo-defaults} + - { role: rbac, tags: rbac } + - hosts: k8s-cluster any_errors_fatal: "{{ any_errors_fatal | default(true) }}" roles: diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml index 3e59cc81e..edc50703d 100644 --- a/roles/dnsmasq/tasks/main.yml +++ b/roles/dnsmasq/tasks/main.yml @@ -63,9 +63,6 @@ with_items: - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment} - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc} - - {name: cluster-proportional-autoscaler, file: dnsmasq-serviceaccount.yml, type: serviceaccount} - - {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrole.yml, type: clusterrole} - - {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrolebinding.yml, type: clusterrolebinding} - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment} register: manifests delegate_to: "{{ groups['kube-master'][0] }}" diff --git a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 index d15b10b43..f220baaea 100644 --- a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 +++ b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 @@ -40,6 +40,7 @@ spec: mountPath: /var/lib/docker/containers readOnly: true terminationGracePeriodSeconds: 30 + serviceAccountName: fluentd volumes: - name: varlog hostPath: diff --git a/roles/rbac/tasks/main.yml b/roles/rbac/tasks/main.yml new file mode 100644 index 000000000..2e5965b60 --- /dev/null +++ b/roles/rbac/tasks/main.yml 
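Review bot: The new play targets `k8s-cluster` while both tasks of the rbac role it runs (roles/rbac/tasks/main.yml in this same diff) are gated with `when: inventory_hostname == groups['kube-master'][0]`, so every other node gets a skipped pass; `- hosts: kube-master` would state the intent directly, if that group is what the role expects. Nothing gates the play on RBAC being enabled either: the rendered templates use `rbac.authorization.k8s.io/v1beta1`, which the kube module can only apply where the apiserver serves that API group, so a `when:` on whatever flag turns RBAC on (if one exists in the defaults) would keep non-RBAC clusters from failing here. The play body duplicates the following play except for the role line; the surrounding play list continues outside the hunk.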
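Review bot: `serviceAccountName: fluentd` references a ServiceAccount that nothing in this diff creates: roles/rbac/tasks/main.yml renders only `fluentd-clusterrole.yml` and `fluentd-clusterrolebinding.yml`, and that binding's subject is `ServiceAccount fluentd` in kube-system. Unless the account is created elsewhere, the ServiceAccount admission plugin rejects the DaemonSet's pods, and even where it is not enforced the binding grants nothing. Adding a `fluentd-serviceaccount.yml` template modelled on `calico-cni-plugin-serviceaccount.yml` and a `{name: fluentd, file: fluentd-serviceaccount.yml, type: serviceaccount}` entry ahead of the fluentd clusterrole item would close the gap. The DaemonSet spec continues outside the hunk.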
@@ -0,0 +1,34 @@
+---
+- name: Create RBAC manifests
+ template:
+ src: "{{item.file}}"
+ dest: "{{kube_config_dir}}/{{item.file}}"
+ with_items:
+ - {name: calico-cni-plugin, file: calico-cni-plugin-serviceaccount.yml, type: serviceaccount}
+ - {name: calico-cni-plugin, file: calico-cni-plugin-clusterrole.yml, type: clusterrole}
+ - {name: calico-cni-plugin, file: calico-cni-plugin-clusterrolebinding.yml, type: clusterrolebinding}
+ - {name: calico-policy-controller, file: calico-policy-controller-serviceaccount.yml, type: serviceaccount}
+ - {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
+ - {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
+ - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-serviceaccount.yml, type: serviceaccount}
+ - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrole.yml, type: clusterrole}
+ - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
+ - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrole.yml', type: clusterrole}
+ - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrolebinding.yml', type: clusterrolebinding}
+ - {name: fluentd, file: fluentd-clusterrole.yml, type: clusterrole}
+ - {name: fluentd, file: fluentd-clusterrolebinding.yml, type: clusterrolebinding}
+ register: manifests
+ when: inventory_hostname == groups['kube-master'][0]
+
+- name: Start Resources
+ kube:
+ name: "{{item.item.name}}"
+ namespace: "{{system_namespace}}"
+ kubectl: "{{bin_dir}}/kubectl"
+ resource: "{{item.item.type}}"
+ filename: "{{kube_config_dir}}/{{item.item.file}}"
+ state: "{{item.changed | ternary('latest','present') }}"
+ with_items: "{{ manifests.results }}"
+ when: inventory_hostname == groups['kube-master'][0]
+
+
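Review bot: Two template filenames carry colons (`custom:system:kube-dns-clusterrole.yml` and `custom:system:kube-dns-clusterrolebinding.yml`, also present as file headers further down); a colon is not a legal NTFS filename character, so the repository can no longer be checked out on Windows once these land. Renaming the files to e.g. `kube-dns-clusterrole.yml` / `kube-dns-clusterrolebinding.yml` while keeping `name: 'custom:system:kube-dns'` preserves the object name. Both tasks use `when: inventory_hostname == groups['kube-master'][0]` where the sibling dnsmasq task in this diff uses `delegate_to: "{{ groups['kube-master'][0] }}"`; either works, but one convention per repo is easier to audit. Minor style: the unspaced `{{item.file}}` / `{{kube_config_dir}}` expressions differ from `{{ manifests.results }}` a few lines below, and the file ends with two blank lines.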
diff --git a/roles/rbac/templates/calico-cni-plugin-clusterrole.yml b/roles/rbac/templates/calico-cni-plugin-clusterrole.yml
new file mode 100644
index 000000000..cc20667ed
--- /dev/null
+++ b/roles/rbac/templates/calico-cni-plugin-clusterrole.yml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-cni-plugin
+ namespace: kube-system
+rules:
+ - apiGroups: [""]
+ resources:
+ - pods
+ - nodes
+ verbs:
+ - get
diff --git a/roles/rbac/templates/calico-cni-plugin-clusterrolebinding.yml b/roles/rbac/templates/calico-cni-plugin-clusterrolebinding.yml
new file mode 100644
index 000000000..77a24b013
--- /dev/null
+++ b/roles/rbac/templates/calico-cni-plugin-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-cni-plugin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-cni-plugin
+subjects:
+- kind: ServiceAccount
+ name: calico-cni-plugin
+ namespace: kube-system
diff --git a/roles/rbac/templates/calico-cni-plugin-serviceaccount.yml b/roles/rbac/templates/calico-cni-plugin-serviceaccount.yml
new file mode 100644
index 000000000..0b71f847d
--- /dev/null
+++ b/roles/rbac/templates/calico-cni-plugin-serviceaccount.yml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-cni-plugin
+ namespace: kube-system
diff --git a/roles/rbac/templates/calico-policy-controller-clusterrole.yml b/roles/rbac/templates/calico-policy-controller-clusterrole.yml
new file mode 100644
index 000000000..dfc7faf53
--- /dev/null
+++ b/roles/rbac/templates/calico-policy-controller-clusterrole.yml
@@ -0,0 +1,17 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - pods
+ - namespaces
+ - networkpolicies
+ verbs:
+ - watch
+ - list
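Review bot: `namespace: kube-system` under `metadata:` of a ClusterRole has no effect, because ClusterRole is cluster-scoped, and some clients reject a namespace on a cluster-scoped object; the same line appears in `calico-policy-controller-clusterrole.yml` in this diff, while the kube-dns and fluentd ClusterRoles correctly omit it. Drop the line in both templates. The grant itself is narrow (`get` on pods and nodes), which is the right shape for a CNI plugin.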
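Review bot: The ServiceAccount hardcodes `namespace: kube-system` while the task that applies it passes `namespace: "{{system_namespace}}"` to the kube module, so if `system_namespace` is ever set to anything else the namespace on the manifest and the one the module targets disagree, and every `subjects[].namespace` in the bindings is hardcoded the same way. Since these files are rendered through `template:`, writing `namespace: "{{ system_namespace }}"` in the ServiceAccount and in each binding's subject keeps the three in step; `calico-policy-controller-serviceaccount.yml` and all `*-clusterrolebinding.yml` templates in this diff have the same hardcoded value. If kube-system is the only supported value, a one-line comment saying so would at least make the coupling visible.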
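Review bot: The single rule pairs `apiGroups: ["", extensions]` with `resources: [pods, namespaces, networkpolicies]`, and RBAC evaluates a rule as the cross product, so it also grants combinations such as `extensions/pods` that the controller never needs; the stated verbs (`watch`, `list`) are read-only, so the excess is small today, but the rule reads wider than its intent. Splitting it into a core-group rule for pods and namespaces and an extensions rule for networkpolicies expresses exactly what the policy controller uses with the same verbs. The `namespace: kube-system` under `metadata:` is also inert on a cluster-scoped ClusterRole and can go.

```yaml
# … unchanged: kind, apiVersion, metadata …
rules:
  - apiGroups: [""]
    resources:
      - pods
      - namespaces
    verbs:
      - watch
      - list
  - apiGroups: ["extensions"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
```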
diff --git a/roles/rbac/templates/calico-policy-controller-clusterrolebinding.yml b/roles/rbac/templates/calico-policy-controller-clusterrolebinding.yml
new file mode 100644
index 000000000..4a3ebc3e8
--- /dev/null
+++ b/roles/rbac/templates/calico-policy-controller-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-policy-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+ name: calico-policy-controller
+ namespace: kube-system
diff --git a/roles/rbac/templates/calico-policy-controller-serviceaccount.yml b/roles/rbac/templates/calico-policy-controller-serviceaccount.yml
new file mode 100644
index 000000000..6f7ab0a47
--- /dev/null
+++ b/roles/rbac/templates/calico-policy-controller-serviceaccount.yml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
diff --git a/roles/dnsmasq/templates/dnsmasq-clusterrole.yml b/roles/rbac/templates/cluster-proportional-autoscaler-clusterrole.yml
similarity index 99%
rename from roles/dnsmasq/templates/dnsmasq-clusterrole.yml
rename to roles/rbac/templates/cluster-proportional-autoscaler-clusterrole.yml
index a50b975e4..d4d2b1271 100644
--- a/roles/dnsmasq/templates/dnsmasq-clusterrole.yml
+++ b/roles/rbac/templates/cluster-proportional-autoscaler-clusterrole.yml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
diff --git a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml b/roles/rbac/templates/cluster-proportional-autoscaler-clusterrolebinding.yml
similarity index 98%
rename from roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
rename to roles/rbac/templates/cluster-proportional-autoscaler-clusterrolebinding.yml
index d91d0d9eb..53c69fc21 100644
--- a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
+++ b/roles/rbac/templates/cluster-proportional-autoscaler-clusterrolebinding.yml
@@ -1,3 +1,4 @@
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
diff --git a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml b/roles/rbac/templates/cluster-proportional-autoscaler-serviceaccount.yml
similarity index 96%
rename from roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
rename to roles/rbac/templates/cluster-proportional-autoscaler-serviceaccount.yml
index 7b30a2b9e..933782ef6 100644
--- a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
+++ b/roles/rbac/templates/cluster-proportional-autoscaler-serviceaccount.yml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
diff --git a/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml b/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
new file mode 100644
index 000000000..9074953da
--- /dev/null
+++ b/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: custom:system:kube-dns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ verbs:
+ - get
+ - list
+ - watch
diff --git a/roles/rbac/templates/custom:system:kube-dns-clusterrolebinding.yml b/roles/rbac/templates/custom:system:kube-dns-clusterrolebinding.yml
new file mode 100644
index 000000000..0b31f34fc
--- /dev/null
+++ b/roles/rbac/templates/custom:system:kube-dns-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: custom:system:kube-dns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: custom:system:kube-dns
+subjects:
+- kind: ServiceAccount
+ name: kube-dns
+ namespace: kube-system
diff --git a/roles/rbac/templates/fluentd-clusterrole.yml b/roles/rbac/templates/fluentd-clusterrole.yml
new file mode 100644
index 000000000..930ae4fa6
--- /dev/null
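Review bot: The binding's subject is `ServiceAccount kube-dns` in kube-system, but no ServiceAccount of that name is created in this diff and the rbac task list has no kube-dns serviceaccount entry; the kube-dns workload must also run with `serviceAccountName: kube-dns` for the grant to take effect, and no such manifest is touched here. If both already exist outside the diff this is fine; otherwise the ClusterRole is granted to nothing. A comment at the top of the file recording where the account comes from, e.g. `# subject ServiceAccount is created by the kube-dns deployment role, not here` (adjust to the actual location), keeps the dependency from being lost.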
+++ b/roles/rbac/templates/fluentd-clusterrole.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: fluentd
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get"]
diff --git a/roles/rbac/templates/fluentd-clusterrolebinding.yml b/roles/rbac/templates/fluentd-clusterrolebinding.yml
new file mode 100644
index 000000000..0a66648c3
--- /dev/null
+++ b/roles/rbac/templates/fluentd-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: fluentd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fluentd
+subjects:
+- kind: ServiceAccount
+ name: fluentd
+ namespace: kube-system
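Review bot: This template writes its rule in flow style (`apiGroups: [""]`, `resources: ["pods"]`, `verbs: ["get"]`) whereas every other ClusterRole template in this diff uses block sequences, and the `- apiGroups` item is indented under `rules:` here but flush in the kube-dns ClusterRole; one shape across the role's templates keeps the rules easy to diff and grep. The grant itself is minimal (`get` on pods), which fits a log collector that only needs pod metadata. The binding below it names a `fluentd` ServiceAccount that this diff does not create, as already raised on the fluentd DaemonSet hunk.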