From a807771d6337cbd342ab1cba6f91cae8f12fd42a Mon Sep 17 00:00:00 2001
From: Boris Zanetti
Date: Thu, 20 Apr 2017 20:36:54 +0200
Subject: [PATCH] corrext idempotency issue with kubedns RBAC
---
 roles/rbac/tasks/main.yml | 4 ----
 .../custom:system:kube-dns-clusterrole.yml | 8 ++++++-
 roles/rbac/templates/kubedns-clusterrole.yml | 21 -------------------
 .../templates/kubedns-clusterrolebinding.yml | 13 -------------
 4 files changed, 7 insertions(+), 39 deletions(-)
 delete mode 100644 roles/rbac/templates/kubedns-clusterrole.yml
 delete mode 100644 roles/rbac/templates/kubedns-clusterrolebinding.yml
diff --git a/roles/rbac/tasks/main.yml b/roles/rbac/tasks/main.yml
index 08b372447..2975bcce6 100644
--- a/roles/rbac/tasks/main.yml
+++ b/roles/rbac/tasks/main.yml
@@ -14,8 +14,6 @@
 - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrole.yml, type: clusterrole}
 - {name: cluster-proportional-autoscaler, file: cluster-proportional-autoscaler-clusterrolebinding.yml, type: clusterrolebinding}
 - {name: kubedns, file: kubedns-serviceaccount.yml, type: serviceaccount}
- - {name: kubedns, file: kubedns-clusterrole.yml, type: clusterrole}
- - {name: kubedns, file: kubedns-clusterrolebinding.yml, type: clusterrolebinding}
 - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrole.yml', type: clusterrole}
 - {name: 'custom:system:kube-dns', file: 'custom:system:kube-dns-clusterrolebinding.yml', type: clusterrolebinding}
 - {name: 'custom:system:node', file: 'custom:system:node-clusterrole.yml', type: clusterrole}
@@ -34,5 +32,3 @@
 state: "{{item.changed | ternary('latest','present') }}"
 with_items: "{{ manifests.results }}"
 when: inventory_hostname == groups['kube-master'][0]
-
-
diff --git a/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml b/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
index 9074953da..63daf766d 100644
--- a/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
+++ b/roles/rbac/templates/custom:system:kube-dns-clusterrole.yml
@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
@@ -8,6 +7,13 @@ rules:
 - ""
 resources:
 - endpoints
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
 - services
 verbs:
 - get
diff --git a/roles/rbac/templates/kubedns-clusterrole.yml b/roles/rbac/templates/kubedns-clusterrole.yml
deleted file mode 100644
index 63daf766d..000000000
--- a/roles/rbac/templates/kubedns-clusterrole.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRole
-metadata:
- name: custom:system:kube-dns
-rules:
-- apiGroups:
- - ""
- resources:
- - endpoints
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
- - watch
diff --git a/roles/rbac/templates/kubedns-clusterrolebinding.yml b/roles/rbac/templates/kubedns-clusterrolebinding.yml
deleted file mode 100644
index bfc09fbc9..000000000
--- a/roles/rbac/templates/kubedns-clusterrolebinding.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
- name: custom:system:kube-dns
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: custom:system:kube-dns
-subjects:
-- kind: ServiceAccount
- name: kube-dns
- namespace: kube-system
-
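Review bot: In the `@@ -8,6 +7,13 @@` hunk of custom:system:kube-dns-clusterrole.yml the endpoints rule and the services rule each carry their own verb list, and nothing in the template says the role is meant to stay read-only, so a later edit can widen one rule without the other being looked at. I would add a comment above the first rule such as `# kube-dns service discovery: read-only on endpoints and services, no write verbs`. It is also worth confirming that `get` is needed at all: kube-dns appears to work from list and watch alone, and if that holds the `- get` line in each rule could be dropped to keep this cluster-wide grant minimal. The `rules:` list starts above the hunk and the services rule's verb list continues past its last line.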