move to specific role

This commit is contained in:
Boris Zanetti 2017-04-15 12:04:00 +02:00 committed by nhaveric
parent eb8fc0fe83
commit 8d898778f5
17 changed files with 162 additions and 3 deletions


@ -78,6 +78,12 @@
- { role: kargo-defaults} - { role: kargo-defaults}
- { role: network_plugin/calico/rr, tags: network } - { role: network_plugin/calico/rr, tags: network }
- hosts: k8s-cluster
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
roles:
- { role: kargo-defaults}
- { role: rbac, tags: rbac }
- hosts: k8s-cluster - hosts: k8s-cluster
any_errors_fatal: "{{ any_errors_fatal | default(true) }}" any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
roles: roles:
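Review bot: The new `- hosts: k8s-cluster` play at lines 14–18 targets every node in the cluster, yet both tasks of the role it includes (roles/rbac/tasks/main.yml in this commit) are gated with `when: inventory_hostname == groups['kube-master'][0]`, so the play connects to every node only to skip it. Targeting the first master directly, e.g. `- hosts: kube-master[0]`, or `hosts: kube-master` with `run_once: true` on the tasks, states the intent and avoids a connect-and-skip round per node. The role is also included unconditionally; if the project has a variable that toggles the RBAC authorizer on the apiserver, the play should be gated on it, because the manifests require the rbac.authorization.k8s.io API group to be served.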


@ -63,9 +63,6 @@
with_items: with_items:
- {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment} - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
- {name: dnsmasq, file: dnsmasq-svc.yml, type: svc} - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
- {name: cluster-proportional-autoscaler, file: dnsmasq-serviceaccount.yml, type: serviceaccount}
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrole.yml, type: clusterrole}
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrolebinding.yml, type: clusterrolebinding}
- {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment} - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
register: manifests register: manifests
delegate_to: "{{ groups['kube-master'][0] }}" delegate_to: "{{ groups['kube-master'][0] }}"


@ -40,6 +40,7 @@ spec:
mountPath: /var/lib/docker/containers mountPath: /var/lib/docker/containers
readOnly: true readOnly: true
terminationGracePeriodSeconds: 30 terminationGracePeriodSeconds: 30
serviceAccountName: fluentd
volumes: volumes:
- name: varlog - name: varlog
hostPath: hostPath:
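Review bot: `serviceAccountName: fluentd` (line 42) refers to a ServiceAccount that nothing in this commit creates: the manifest list in roles/rbac/tasks/main.yml registers only `fluentd-clusterrole.yml` and `fluentd-clusterrolebinding.yml`, and the binding at lines 262–264 names a ServiceAccount `fluentd` in kube-system as its subject. Unless that account already exists elsewhere in the tree, the DaemonSet pods are rejected at admission with a missing-serviceaccount error and the binding grants nothing. Adding a `fluentd-serviceaccount.yml` template (`apiVersion: v1`, `kind: ServiceAccount`, name `fluentd`, namespace kube-system) and the matching `{name: fluentd, file: fluentd-serviceaccount.yml, type: serviceaccount}` entry would close the gap; the calico entries in that list follow exactly this pattern. The DaemonSet spec continues outside the hunk.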

34
roles/rbac/tasks/main.yml Normal file

@ -0,0 +1,34 @@
---
- name: Create RBAC manifests
template:
src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}"
with_items:
- {name: calico-cni-plugin, file: calico-cni-plugin-serviceaccount.yml, type: serviceaccount}
- {name: calico-cni-plugin, file: calico-cni-plugin-clusterrole.yml, type: clusterrole}
- {name: calico-cni-plugin, file: calico-cni-plugin-clusterrolebinding.yml, type: clusterrolebinding}
- {name: calico-policy-controller, file: calico-policy-controller-serviceaccount.yml, type: serviceaccount}
- {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
- {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
- {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-serviceaccount.yml, type: serviceaccount}
- {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrole.yml, type: clusterrole}
- {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
- {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrole.yml', type: clusterrole}
- {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrolebinding.yml', type: clusterrolebinding}
- {name: fluentd, file: fluentd-clusterrole.yml, type: clusterrole}
- {name: fluentd, file: fluentd-clusterrolebinding.yml, type: clusterrolebinding}
register: manifests
when: inventory_hostname == groups['kube-master'][0]
- name: Start Resources
kube:
name: "{{item.item.name}}"
namespace: "{{system_namespace}}"
kubectl: "{{bin_dir}}/kubectl"
resource: "{{item.item.type}}"
filename: "{{kube_config_dir}}/{{item.item.file}}"
state: "{{item.changed | ternary('latest','present') }}"
with_items: "{{ manifests.results }}"
when: inventory_hostname == groups['kube-master'][0]
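Review bot: The `kube:` task (lines 74–80) passes `namespace: "{{system_namespace}}"` while every manifest it applies hard-codes `namespace: kube-system` (lines 92, 116, 126, 136, 164, 174, 234, 264), so the two only agree while `system_namespace` keeps its default; if the kube module forwards that namespace to kubectl, a manifest whose metadata.namespace differs from the requested namespace is rejected outright. Since these files are rendered through `template:`, the ServiceAccount and binding-subject namespaces can be written as `namespace: "{{ system_namespace }}"` so the role has a single source of truth. Separately, the template names `custom:system:kube-dns-clusterrole.yml` and `custom:system:kube-dns-clusterrolebinding.yml` (lines 67–68) put a colon in a filename; that is legal on the target hosts, but a hyphenated name such as `custom-system-kube-dns-clusterrole.yml` avoids surprises with tooling that treats `host:path` specially, and the resource `name` can keep the colons.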


@ -0,0 +1,13 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-cni-plugin
namespace: kube-system
rules:
- apiGroups: [""]
resources:
- pods
- nodes
verbs:
- get
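Review bot: `namespace: kube-system` under metadata (line 92) has no meaning on a ClusterRole, which is cluster-scoped; the API server ignores it, and it is inconsistent with the other ClusterRoles added in this commit (custom:system:kube-dns at lines 206–207 and fluentd at lines 242–243 carry no namespace). The same stray key appears on the calico-policy-controller ClusterRole at line 136. Dropping the line in both files keeps the manifests honest about their scope and avoids a reader assuming the grant is namespaced.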


@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-cni-plugin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-cni-plugin
subjects:
- kind: ServiceAccount
name: calico-cni-plugin
namespace: kube-system


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-cni-plugin
namespace: kube-system


@ -0,0 +1,17 @@
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: calico-policy-controller
namespace: kube-system
rules:
- apiGroups:
- ""
- extensions
resources:
- pods
- namespaces
- networkpolicies
verbs:
- watch
- list


@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: calico-policy-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: calico-policy-controller
subjects:
- kind: ServiceAccount
name: calico-policy-controller
namespace: kube-system


@ -0,0 +1,6 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: calico-policy-controller
namespace: kube-system


@ -1,3 +1,4 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
metadata: metadata:


@ -1,3 +1,4 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1 apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:


@ -1,3 +1,4 @@
---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:


@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: custom:system:kube-dns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
verbs:
- get
- list
- watch


@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: custom:system:kube-dns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: custom:system:kube-dns
subjects:
- kind: ServiceAccount
name: kube-dns
namespace: kube-system


@ -0,0 +1,9 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: fluentd
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get"]
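Review bot: This ClusterRole is written in flow style (`apiGroups: [""]`, `resources: ["pods"]`, `verbs: ["get"]`, lines 245–247) while the other ClusterRoles added in the same commit use block sequences (lines 138–147 and 209–217); block style diffs cleanly when a verb is added later and should be used here for consistency. On scope, `get` on pods is the narrowest grant and is the right default; if the DaemonSet's fluentd configuration uses the kubernetes metadata filter it watches pods and namespaces and would need `list`/`watch` too — check that config before widening, and widen only as far as it requires.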


@ -0,0 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: fluentd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: fluentd
subjects:
- kind: ServiceAccount
name: fluentd
namespace: kube-system