From a035583f86bd0ecf33019a5f08b66edefe0913c2 Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Fri, 1 Sep 2017 22:14:36 +0100
Subject: [PATCH] Add rbac for calico policy controller

---
 .../network_plugin/canal/tasks/main.yml       |  1 +
 .../calico/defaults/main.yml                  |  5 ++++
 .../policy_controller/calico/tasks/main.yml   | 28 ++++++++++++-------
 .../templates/calico-policy-controller.yml.j2 |  3 ++
 .../calico/templates/calico-policy-cr.yml.j2  | 17 +++++++++++
 .../calico/templates/calico-policy-crb.yml.j2 | 13 +++++++++
 .../calico/templates/calico-policy-sa.yml.j2  |  8 ++++++
 roles/network_plugin/canal/tasks/main.yml     | 11 ++++----
 .../canal/templates/canal-node.yml.j2         |  2 ++
 9 files changed, 73 insertions(+), 15 deletions(-)
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-cr.yml.j2
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-crb.yml.j2
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-sa.yml.j2

diff --git a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
index fe820bd11..dd8b6171d 100644
--- a/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
+++ b/roles/kubernetes-apps/network_plugin/canal/tasks/main.yml
@@ -9,3 +9,4 @@
     state: "{{item.changed | ternary('latest','present') }}"
   with_items: "{{ canal_manifests.results }}"
   failed_when: canal_manifests|failed and "Error from server (AlreadyExists)" not in canal_manifests.msg
+  when: inventory_hostname == groups['kube-master'][0]
diff --git a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
index 93d12c901..0e66359cc 100644
--- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
@@ -8,3 +8,8 @@ calico_policy_controller_memory_requests: 64M
 # SSL
 calico_cert_dir: "/etc/calico/certs"
 canal_cert_dir: "/etc/canal/certs"
+
+rbac_resources:
+  - sa
+  - clusterrole
+  - clusterrolebinding
diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index de102f31d..4961d566b 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
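Review bot: `rbac_resources` is added to the policy_controller/calico defaults, but the same variable is already consumed by the template task in roles/network_plugin/canal (the context line `rbac_enabled or item.type not in rbac_resources` there pre-dates this commit), so it is presumably also defined in that role's defaults; two copies of the list can drift, and a type missing from one copy would be rendered and applied regardless of `rbac_enabled`. A short comment above the new key would make the contract visible, e.g. `# Manifest types that are only rendered/applied when rbac_enabled is true`. If a shared defaults location exists in this repository, defining the list once there would remove the duplication.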
@@ -4,19 +4,27 @@
   when: kube_network_plugin == 'canal'
   tags: [facts, canal]
 
-- name: Write calico-policy-controller yaml
+- name: Create calico-policy-controller manifests
   template:
-    src: calico-policy-controller.yml.j2
-    dest: "{{kube_config_dir}}/calico-policy-controller.yml"
-  when: inventory_hostname == groups['kube-master'][0]
-  tags: canal
+    src: "{{item.file}}.j2"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: calico-policy-controller, file: calico-policy-controller.yml, type: rs}
+    - {name: calico-policy-controller, file: calico-policy-sa.yml, type: sa}
+    - {name: calico-policy-controller, file: calico-policy-cr.yml, type: clusterrole}
+    - {name: calico-policy-controller, file: calico-policy-crb.yml, type: clusterrolebinding}
+  register: calico_policy_manifests
+  when:
+    - rbac_enabled or item.type not in rbac_resources
 
 - name: Start of Calico policy controller
   kube:
-    name: "calico-policy-controller"
+    name: "{{item.item.name}}"
+    namespace: "{{ system_namespace }}"
     kubectl: "{{bin_dir}}/kubectl"
-    filename: "{{kube_config_dir}}/calico-policy-controller.yml"
-    namespace: "{{system_namespace}}"
-    resource: "rs"
+    resource: "{{item.item.type}}"
+    filename: "{{kube_config_dir}}/{{item.item.file}}"
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: "{{ calico_policy_manifests.results }}"
+  failed_when: calico_policy_manifests|failed and "Error from server (AlreadyExists)" not in calico_policy_manifests.msg
   when: inventory_hostname == groups['kube-master'][0]
-  tags: canal
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index 4722cbc53..81d05c3fa 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
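Review bot: The new `failed_when` on the "Start of Calico policy controller" task tests `calico_policy_manifests`, which is the result registered by the template task above it, not the result of this kube task; because `failed_when` replaces the module's own failure verdict, a kubectl error from this task may be silently accepted whenever the template run succeeded, and `calico_policy_manifests.msg` may not exist on a loop result at all. Register this task's own result and test that instead: `register: calico_policy_apply` and `failed_when: calico_policy_apply|failed and "Error from server (AlreadyExists)" not in calico_policy_apply.msg`. The same pattern appears on the canal apply task in roles/kubernetes-apps/network_plugin/canal/tasks/main.yml (first hunk of this patch), though there it is pre-existing context. Separately, the rewritten template task drops the `inventory_hostname == groups['kube-master'][0]` gate and the `canal` tag, so the manifests are now rendered on every host this role runs on; if that is intended, a comment such as `# rendered on all hosts; applied only from the first master below` would prevent it being read as an oversight.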
@@ -21,6 +21,9 @@ spec:
       k8s-app: calico-policy
     spec:
       hostNetwork: true
+{% if rbac_enabled %}
+      serviceAccountName: calico-policy-controller
+{% endif %}
       tolerations:
       - effect: NoSchedule
         operator: Exists
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-cr.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-cr.yml.j2
new file mode 100644
index 000000000..aac341ca6
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-cr.yml.j2
@@ -0,0 +1,17 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
+rules:
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+    - pods
+    - namespaces
+    - networkpolicies
+    verbs:
+    - watch
+    - list
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-crb.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-crb.yml.j2
new file mode 100644
index 000000000..d5c192018
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-crb.yml.j2
@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-policy-controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-sa.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-sa.yml.j2
new file mode 100644
index 000000000..c6bc07fbb
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-sa.yml.j2
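Review bot: `namespace: {{ system_namespace }}` under `metadata` of the new ClusterRole has no effect on a cluster-scoped resource, and the sibling ClusterRoleBinding template in this same commit does not set it; dropping the line keeps the two templates consistent and avoids the mismatched-namespace complaint some kubectl versions raise when a namespaced apply meets a cluster-scoped object. The rule set itself is read-only (`watch` and `list` on pods, namespaces and networkpolicies), which is an appropriately narrow grant for a policy controller; a one-line comment above `rules:` such as `# read-only: the controller only watches the objects it needs to compute policy` would make later additions of write verbs a deliberate decision rather than a drive-by edit.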
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-policy-controller
+  namespace: {{ system_namespace }}
+  labels:
+    kubernetes.io/cluster-service: "true"
diff --git a/roles/network_plugin/canal/tasks/main.yml b/roles/network_plugin/canal/tasks/main.yml
index 5283b9b41..2cc1a8ffe 100644
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -32,20 +32,21 @@
   delegate_to: "{{groups['etcd'][0]}}"
   run_once: true
 
-- name: Canal | Create canal node rbac configuration
+- name: Canal | Create canal node manifests
   template:
     src: "{{item.file}}.j2"
     dest: "{{kube_config_dir}}/{{item.file}}"
   with_items:
-    - {name: canal-config, file: canal-config.yml, type: cm}
-    - {name: canal-node, file: canal-node.yml, type: ds}
+    - {name: canal-config, file: canal-config.yaml, type: cm}
+    - {name: canal-node, file: canal-node.yaml, type: ds}
     - {name: canal, file: canal-node-sa.yml, type: sa}
     - {name: calico, file: canal-cr-calico.yml, type: clusterrole}
     - {name: flannel, file: canal-cr-flannel.yml, type: clusterrole}
-    - {name: canal-calico, file: canal-cr-calico.yml, type: clusterrolebinding}
-    - {name: canal-flannel, file: canal-cr-flannel.yml, type: clusterrolebinding}
+    - {name: canal-calico, file: canal-crb-calico.yml, type: clusterrolebinding}
+    - {name: canal-flannel, file: canal-crb-flannel.yml, type: clusterrolebinding}
   register: canal_manifests
   when:
+    - inventory_hostname in groups['kube-master']
     - rbac_enabled or item.type not in rbac_resources
 
 - name: Canal | Copy cni plugins from hyperkube
diff --git a/roles/network_plugin/canal/templates/canal-node.yml.j2 b/roles/network_plugin/canal/templates/canal-node.yml.j2
index 16dd64118..68a8f320f 100644
--- a/roles/network_plugin/canal/templates/canal-node.yml.j2
+++ b/roles/network_plugin/canal/templates/canal-node.yml.j2
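Review bot: The loop items for `canal-config` and `canal-node` now name `canal-config.yaml` and `canal-node.yaml`, but the unchanged `src: "{{item.file}}.j2"` two lines above will then look for `canal-config.yaml.j2` and `canal-node.yaml.j2`, while the template this very patch edits is `roles/network_plugin/canal/templates/canal-node.yml.j2` and the diffstat lists no rename; unless those templates are renamed outside this commit, the template task will fail for both items on every master. Either keep `file: canal-config.yml` and `file: canal-node.yml` in the items or rename the `.j2` files to match the new names. The added `inventory_hostname in groups['kube-master']` condition is a sensible narrowing, since the rendered files are consumed only by the apply task that is gated on the first master.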
@@ -19,7 +19,9 @@ spec:
       k8s-app: canal-node
     spec:
       hostNetwork: true
+{% if rbac_enabled %}
       serviceAccountName: canal
+{% endif %}
       tolerations:
       - effect: NoSchedule
         operator: Exists