first try of root RBAC

2017-04-13 19:18:07 +02:00 · 2017-04-13 19:18:07 +02:00 · eb8fc0fe83
commit eb8fc0fe83
parent fec5bfde1f
12 changed files with 101 additions and 0 deletions
--- a/roles/dnsmasq/tasks/main.yml
+++ b/roles/dnsmasq/tasks/main.yml
@ -63,6 +63,9 @@
  with_items:
    - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
    - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
+    - {name: cluster-proportional-autoscaler, file: dnsmasq-serviceaccount.yml, type: serviceaccount}
+    - {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrole.yml, type: clusterrole}
+    - {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrolebinding.yml, type: clusterrolebinding}
    - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
  register: manifests
  delegate_to: "{{ groups['kube-master'][0] }}"
--- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml
+++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml
@ -47,4 +47,5 @@ spec:
          - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}}
          - --logtostderr=true
          - --v={{ kube_log_level }}
+      serviceAccountName: cluster-proportional-autoscaler

--- a/roles/dnsmasq/templates/dnsmasq-clusterrole.yml
+++ b/roles/dnsmasq/templates/dnsmasq-clusterrole.yml
@ -0,0 +1,34 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: cluster-proportional-autoscaler
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - replicationcontrollers/scale
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - extensions
+  resources:
+  - deployments/scale
+  - replicationcontrollers/scale
+  - replicasets/scale
+  verbs:
+  - get
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - create
--- a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
+++ b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml
@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-proportional-autoscaler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-proportional-autoscaler
+subjects:
+- kind: ServiceAccount
+  name: cluster-proportional-autoscaler
+  namespace: kube-system
+
--- a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
+++ b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cluster-proportional-autoscaler
+  namespace: kube-system
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@ -13,6 +13,9 @@
    src: "{{item.file}}"
    dest: "{{kube_config_dir}}/{{item.file}}"
  with_items:
+    - {name: kubedns, file: kubedns-serviceaccount.yml, type: serviceaccount}
+    - {name: kubedns, file: kubedns-clusterrole.yml, type: clusterrole}
+    - {name: kubedns, file: kubedns-clusterrolebinding.yml, type: clusterrolebinding}
    - {name: kubedns, file: kubedns-deploy.yml, type: deployment}
    - {name: kubedns, file: kubedns-svc.yml, type: svc}
    - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
--- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml
@ -46,4 +46,5 @@ spec:
          - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}}
          - --logtostderr=true
          - --v=2
+      serviceAccountName: cluster-proportional-autoscaler

--- a/roles/kubernetes-apps/ansible/templates/kubedns-clusterrole.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-clusterrole.yml
@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+  name: custom:system:kube-dns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - endpoints
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - services
+  verbs:
+  - get
+  - list
+  - watch
--- a/roles/kubernetes-apps/ansible/templates/kubedns-clusterrolebinding.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-clusterrolebinding.yml
@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: custom:system:kube-dns
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: custom:system:kube-dns
+subjects:
+- kind: ServiceAccount
+  name: kube-dns
+  namespace: kube-system
+
--- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml
@ -112,4 +112,5 @@ spec:
        ports:
        - containerPort: 8080
          protocol: TCP
+      serviceAccountName: kube-dns
      dnsPolicy: Default  # Don't use cluster DNS.
--- a/roles/kubernetes-apps/ansible/templates/kubedns-serviceaccount.yml
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-serviceaccount.yml
@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kube-dns
+  namespace: kube-system
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@ -56,6 +56,7 @@ spec:
          - mountPath: {{ calico_cert_dir }}
            name: etcd-certs
            readOnly: true
+      serviceAccountName: calico-policy-controller
      volumes:
      - hostPath:
          path: {{ calico_cert_dir }}