move to specific role
This commit is contained in:
parent
eb8fc0fe83
commit
8d898778f5
17 changed files with 162 additions and 3 deletions
|
@ -78,6 +78,12 @@
|
||||||
- { role: kargo-defaults}
|
- { role: kargo-defaults}
|
||||||
- { role: network_plugin/calico/rr, tags: network }
|
- { role: network_plugin/calico/rr, tags: network }
|
||||||
|
|
||||||
|
- hosts: k8s-cluster
|
||||||
|
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||||
|
roles:
|
||||||
|
- { role: kargo-defaults}
|
||||||
|
- { role: rbac, tags: rbac }
|
||||||
|
|
||||||
- hosts: k8s-cluster
|
- hosts: k8s-cluster
|
||||||
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
any_errors_fatal: "{{ any_errors_fatal | default(true) }}"
|
||||||
roles:
|
roles:
|
||||||
|
|
|
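Review bot: The new `- hosts: k8s-cluster` play runs the rbac role on every node, while both tasks in roles/rbac/tasks/main.yml (added in this same commit) are gated on `inventory_hostname == groups['kube-master'][0]`, so every other host only iterates over the thirteen manifests and skips them. Targeting the first master directly, e.g. `- hosts: kube-master[0]`, or `- hosts: kube-master` with `run_once: true` on the tasks, states the intent in the playbook and avoids the no-op pass. Nothing visible ties the play to whether RBAC authorization is actually enabled on the API server; if the project has a variable for that, a `when:` on the play would keep these objects out of clusters that do not use RBAC. The play list continues outside the hunk.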
@ -63,9 +63,6 @@
|
||||||
with_items:
|
with_items:
|
||||||
- {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
|
- {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
|
||||||
- {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
|
- {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
|
||||||
- {name: cluster-proportional-autoscaler, file: dnsmasq-serviceaccount.yml, type: serviceaccount}
|
|
||||||
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrole.yml, type: clusterrole}
|
|
||||||
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrolebinding.yml, type: clusterrolebinding}
|
|
||||||
- {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
|
- {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
|
||||||
register: manifests
|
register: manifests
|
||||||
delegate_to: "{{ groups['kube-master'][0] }}"
|
delegate_to: "{{ groups['kube-master'][0] }}"
|
||||||
|
|
|
@ -40,6 +40,7 @@ spec:
|
||||||
mountPath: /var/lib/docker/containers
|
mountPath: /var/lib/docker/containers
|
||||||
readOnly: true
|
readOnly: true
|
||||||
terminationGracePeriodSeconds: 30
|
terminationGracePeriodSeconds: 30
|
||||||
|
serviceAccountName: fluentd
|
||||||
volumes:
|
volumes:
|
||||||
- name: varlog
|
- name: varlog
|
||||||
hostPath:
|
hostPath:
|
||||||
|
|
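Review bot: `serviceAccountName: fluentd` refers to a ServiceAccount that nothing in this commit creates: roles/rbac/tasks/main.yml registers `fluentd-clusterrole.yml` and `fluentd-clusterrolebinding.yml` only, and the binding's subject is `ServiceAccount fluentd` in kube-system. Unless that account is created elsewhere, the ServiceAccount admission controller rejects the DaemonSet's pods with a "serviceaccount not found" error and fluentd never starts. The fix is a `fluentd-serviceaccount.yml` template shaped like `calico-cni-plugin-serviceaccount.yml` plus a `- {name: fluentd, file: fluentd-serviceaccount.yml, type: serviceaccount}` entry in the with_items list, placed before the binding. The DaemonSet spec starts and ends outside the hunk.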
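--- /dev/null
+++ b/roles/rbac/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: Create RBAC manifests
+  template:
+    src: "{{item.file}}"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: calico-cni-plugin, file: calico-cni-plugin-serviceaccount.yml, type: serviceaccount}
+    - {name: calico-cni-plugin, file: calico-cni-plugin-clusterrole.yml, type: clusterrole}
+    - {name: calico-cni-plugin, file: calico-cni-plugin-clusterrolebinding.yml, type: clusterrolebinding}
+    - {name: calico-policy-controller, file: calico-policy-controller-serviceaccount.yml, type: serviceaccount}
+    - {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
+    - {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
+    - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-serviceaccount.yml, type: serviceaccount}
+    - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrole.yml, type: clusterrole}
+    - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
+    - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrole.yml', type: clusterrole}
+    - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrolebinding.yml', type: clusterrolebinding}
+    - {name: fluentd, file: fluentd-clusterrole.yml, type: clusterrole}
+    - {name: fluentd, file: fluentd-clusterrolebinding.yml, type: clusterrolebinding}
+  register: manifests
+  when: inventory_hostname == groups['kube-master'][0]
+
+- name: Start Resources
+  kube:
+    name: "{{item.item.name}}"
+    namespace: "{{system_namespace}}"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "{{item.item.type}}"
+    filename: "{{kube_config_dir}}/{{item.item.file}}"
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: "{{ manifests.results }}"
+  when: inventory_hostname == groups['kube-master'][0]
+
+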
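Review bot: `namespace: "{{system_namespace}}"` is handed to the kube module for every resource, but the templates it applies hard-code `namespace: kube-system` in their metadata and in the ClusterRoleBinding subjects (calico-cni-plugin and calico-policy-controller ServiceAccounts, every binding in this commit). If `system_namespace` is ever set to anything else, kubectl refuses an object whose metadata namespace differs from the `-n` it was given, and the bindings would point at accounts in the wrong namespace. Since these files go through the template module, writing `namespace: "{{ system_namespace }}"` in them keeps the two in agreement. A short header comment on the first task, saying the role only acts on the first master and that is why both tasks carry the same `when:`, would also help readers of the role.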
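--- /dev/null
+++ b/roles/rbac/templates/calico-cni-plugin-clusterrole.yml
@@ -0,0 +1,13 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-cni-plugin
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+    verbs:
+      - get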
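Review bot: `namespace: kube-system` under metadata has no meaning on a ClusterRole, which is cluster-scoped; the API server ignores the field at best and some versions reject a namespaced request for a cluster-scoped kind, so the line should be dropped here and in `calico-policy-controller-clusterrole.yml` in this same commit. The rule itself, `get` on pods and nodes for the CNI account, is narrow and cluster-wide scope is what a node-level plugin needs; leave it at that rather than widening later without a concrete need.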
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: calico-cni-plugin
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: calico-cni-plugin
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: calico-cni-plugin
|
||||||
|
namespace: kube-system
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: calico-cni-plugin
|
||||||
|
namespace: kube-system
|
|
@ -0,0 +1,17 @@
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
metadata:
|
||||||
|
name: calico-policy-controller
|
||||||
|
namespace: kube-system
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
- extensions
|
||||||
|
resources:
|
||||||
|
- pods
|
||||||
|
- namespaces
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- list
|
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: calico-policy-controller
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: calico-policy-controller
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: calico-policy-controller
|
||||||
|
namespace: kube-system
|
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: calico-policy-controller
|
||||||
|
namespace: kube-system
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
metadata:
|
metadata:
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
|
@ -1,3 +1,4 @@
|
||||||
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
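--- /dev/null
+++ b/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: custom:system:kube-dns
+rules:
+  - apiGroups:
+    - ""
+    resources:
+    - endpoints
+    - services
+    verbs:
+    - get
+    - list
+    - watch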
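Review bot: The template filename `custom:system:kube-dns-clusterrole.yml` carries two colons copied from the resource name; colons are illegal in NTFS filenames, so a Windows checkout of the repository fails, and several tools treat `:` as a path or host separator. The with_items entries keep `name` and `file` separate, so the resource can stay `custom:system:kube-dns` while the files become `kube-dns-clusterrole.yml` and `kube-dns-clusterrolebinding.yml`, e.g. `- {name: 'custom:system:kube-dns', file: kube-dns-clusterrole.yml, type: clusterrole}`. The same applies to the clusterrolebinding template added in this commit.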
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: custom:system:kube-dns
|
||||||
|
roleRef:
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
kind: ClusterRole
|
||||||
|
name: custom:system:kube-dns
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: kube-dns
|
||||||
|
namespace: kube-system
|
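Review bot: The binding's subject is `ServiceAccount kube-dns` in kube-system, but no manifest in this commit creates that account and the kube-dns deployment is not touched here. A ClusterRoleBinding whose subject does not exist is accepted by the API server, so the mismatch is silent: kube-dns keeps running under the `default` account with none of the endpoints/services permissions granted above, which under RBAC shows up as DNS resolution failures rather than an apply error. Unless the account is created and referenced by the kube-dns pod spec elsewhere in the repository, a `kube-dns-serviceaccount.yml` entry belongs in the rbac task list and the deployment needs `serviceAccountName: kube-dns`.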
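--- /dev/null
+++ b/roles/rbac/templates/fluentd-clusterrole.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: fluentd
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get"]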
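Review bot: Every new template in this commit uses `rbac.authorization.k8s.io/v1beta1`; `rbac.authorization.k8s.io/v1` is the GA version of the same API (available from Kubernetes 1.8) and v1beta1 was removed in 1.22, so if the targeted Kubernetes release supports it, the stable version avoids a later rewrite of all thirteen files. The role itself is minimal, `get` on pods only, which is appropriate for a log shipper that only looks up pod metadata; a one-line comment in the template saying why nothing broader is needed would stop a future contributor from adding `list`/`watch` by habit.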
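--- /dev/null
+++ b/roles/rbac/templates/fluentd-clusterrolebinding.yml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: fluentd
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fluentd
+subjects:
+  - kind: ServiceAccount
+    name: fluentd
+    namespace: kube-system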