From eb8fc0fe83948d630e05bc3f937eeb4b8fc2c848 Mon Sep 17 00:00:00 2001 From: Boris Zanetti Date: Thu, 13 Apr 2017 19:18:07 +0200 Subject: [PATCH] first try of root RBAC --- roles/dnsmasq/tasks/main.yml | 3 ++ .../dnsmasq/templates/dnsmasq-autoscaler.yml | 1 + .../dnsmasq/templates/dnsmasq-clusterrole.yml | 34 +++++++++++++++++++ .../templates/dnsmasq-clusterrolebinding.yml | 13 +++++++ .../templates/dnsmasq-serviceaccount.yml | 5 +++ roles/kubernetes-apps/ansible/tasks/main.yml | 3 ++ .../ansible/templates/kubedns-autoscaler.yml | 1 + .../ansible/templates/kubedns-clusterrole.yml | 21 ++++++++++++ .../templates/kubedns-clusterrolebinding.yml | 13 +++++++ .../ansible/templates/kubedns-deploy.yml | 1 + .../templates/kubedns-serviceaccount.yml | 5 +++ .../templates/calico-policy-controller.yml.j2 | 1 + 12 files changed, 101 insertions(+) create mode 100644 roles/dnsmasq/templates/dnsmasq-clusterrole.yml create mode 100644 roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml create mode 100644 roles/dnsmasq/templates/dnsmasq-serviceaccount.yml create mode 100644 roles/kubernetes-apps/ansible/templates/kubedns-clusterrole.yml create mode 100644 roles/kubernetes-apps/ansible/templates/kubedns-clusterrolebinding.yml create mode 100644 roles/kubernetes-apps/ansible/templates/kubedns-serviceaccount.yml diff --git a/roles/dnsmasq/tasks/main.yml b/roles/dnsmasq/tasks/main.yml index edc50703d..3e59cc81e 100644 --- a/roles/dnsmasq/tasks/main.yml +++ b/roles/dnsmasq/tasks/main.yml 
@@ -63,6 +63,9 @@ with_items: - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment} - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc} + - {name: cluster-proportional-autoscaler, file: dnsmasq-serviceaccount.yml, type: serviceaccount} + - {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrole.yml, type: clusterrole} + - {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrolebinding.yml, type: clusterrolebinding} - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment} register: manifests delegate_to: "{{ groups['kube-master'][0] }}" diff --git a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml index 4e5e2ddcc..708e471dc 100644 --- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml +++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml @@ -47,4 +47,5 @@ spec: - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}} - --logtostderr=true - --v={{ kube_log_level }} + serviceAccountName: cluster-proportional-autoscaler diff --git a/roles/dnsmasq/templates/dnsmasq-clusterrole.yml b/roles/dnsmasq/templates/dnsmasq-clusterrole.yml new file mode 100644 index 000000000..a50b975e4 --- /dev/null +++ b/roles/dnsmasq/templates/dnsmasq-clusterrole.yml @@ -0,0 +1,34 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: cluster-proportional-autoscaler +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - list +- apiGroups: + - "" + resources: + - replicationcontrollers/scale + verbs: + - get + - update +- apiGroups: + - extensions + resources: + - deployments/scale + - replicationcontrollers/scale + - replicasets/scale + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - create 
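Review bot: The three new items use `type:` values `serviceaccount`, `clusterrole` and `clusterrolebinding`, and whether they work depends on the task that consumes the registered `manifests` result (it follows this hunk, outside the view); if that module checks `type` against a fixed list of resource kinds, these entries will fail at apply time rather than here, so the accepted list should be extended in the same change. The identical items added to roles/kubernetes-apps/ansible/tasks/main.yml have the same dependency. The ordering is correct: the ServiceAccount, ClusterRole and ClusterRoleBinding precede the dnsmasq-autoscaler Deployment that references them. The task that owns this `with_items:` starts outside the hunk.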
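Review bot: The `configmaps` get/create rule and the `*/scale` rules are granted cluster-wide in this ClusterRole even though the autoscaler only touches objects in kube-system; only the `nodes` list rule is genuinely cluster-scoped. Keeping just the nodes rule here and moving the scale and configmaps rules into a namespaced Role in kube-system (bound with a RoleBinding to the same ServiceAccount) would stop a compromised autoscaler pod from scaling workloads or creating ConfigMaps in every namespace. A short header comment naming the consumer would also help, e.g. `# RBAC for cluster-proportional-autoscaler (dnsmasq-autoscaler.yml); node list must be cluster-wide`.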
diff --git a/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml new file mode 100644 index 000000000..d91d0d9eb --- /dev/null +++ b/roles/dnsmasq/templates/dnsmasq-clusterrolebinding.yml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: cluster-proportional-autoscaler +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-proportional-autoscaler +subjects: +- kind: ServiceAccount + name: cluster-proportional-autoscaler + namespace: kube-system + diff --git a/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml new file mode 100644 index 000000000..7b30a2b9e --- /dev/null +++ b/roles/dnsmasq/templates/dnsmasq-serviceaccount.yml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cluster-proportional-autoscaler + namespace: kube-system diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml index ed0d11f28..6af2eb506 100644 --- a/roles/kubernetes-apps/ansible/tasks/main.yml +++ b/roles/kubernetes-apps/ansible/tasks/main.yml @@ -13,6 +13,9 @@ src: "{{item.file}}" dest: "{{kube_config_dir}}/{{item.file}}" with_items: + - {name: kubedns, file: kubedns-serviceaccount.yml, type: serviceaccount} + - {name: kubedns, file: kubedns-clusterrole.yml, type: clusterrole} + - {name: kubedns, file: kubedns-clusterrolebinding.yml, type: clusterrolebinding} - {name: kubedns, file: kubedns-deploy.yml, type: deployment} - {name: kubedns, file: kubedns-svc.yml, type: svc} - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment} diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml index c0f519e2c..de1298309 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml 
+++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml @@ -46,4 +46,5 @@ spec: - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}} - --logtostderr=true - --v=2 + serviceAccountName: cluster-proportional-autoscaler diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-clusterrole.yml b/roles/kubernetes-apps/ansible/templates/kubedns-clusterrole.yml new file mode 100644 index 000000000..63daf766d --- /dev/null +++ b/roles/kubernetes-apps/ansible/templates/kubedns-clusterrole.yml @@ -0,0 +1,21 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRole +metadata: + name: custom:system:kube-dns +rules: +- apiGroups: + - "" + resources: + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-clusterrolebinding.yml b/roles/kubernetes-apps/ansible/templates/kubedns-clusterrolebinding.yml new file mode 100644 index 000000000..bfc09fbc9 --- /dev/null +++ b/roles/kubernetes-apps/ansible/templates/kubedns-clusterrolebinding.yml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1beta1 +kind: ClusterRoleBinding +metadata: + name: custom:system:kube-dns +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: custom:system:kube-dns +subjects: +- kind: ServiceAccount + name: kube-dns + namespace: kube-system + diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml index 1bae177d3..93ff85abf 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml +++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml @@ -112,4 +112,5 @@ spec: ports: - containerPort: 8080 protocol: TCP + serviceAccountName: kube-dns dnsPolicy: Default # Don't use cluster DNS. 
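Review bot: `serviceAccountName: cluster-proportional-autoscaler` refers to a ServiceAccount that this patch creates only under roles/dnsmasq (dnsmasq-serviceaccount.yml plus its ClusterRole and ClusterRoleBinding); nothing in roles/kubernetes-apps creates it. If the dnsmasq role is skipped or runs after this one, the Deployment is accepted but its pods are rejected by the ServiceAccount admission controller because the account does not exist in kube-system. Either add the same ServiceAccount/ClusterRole/ClusterRoleBinding templates to this role's with_items as well, or record the ordering dependency above this line, e.g. `# ServiceAccount is created by roles/dnsmasq (dnsmasq-serviceaccount.yml)`. The Deployment's pod spec starts outside the hunk.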
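Review bot: `serviceAccountName: kube-dns` is inserted between the last container's `ports:` block and the pod-level `dnsPolicy: Default`; it must sit at the pod spec indentation (the same column as `dnsPolicy`), not at the container's, or the API server rejects the manifest for an unknown container field. The collapsed diff hides the indentation, so the rendered template should be checked before merging. The ServiceAccount `kube-dns` and the `custom:system:kube-dns` binding that this line relies on are created earlier in the same with_items list, so ordering within the role is fine.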
diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-serviceaccount.yml b/roles/kubernetes-apps/ansible/templates/kubedns-serviceaccount.yml new file mode 100644 index 000000000..4e5a85660 --- /dev/null +++ b/roles/kubernetes-apps/ansible/templates/kubedns-serviceaccount.yml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-dns + namespace: kube-system diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 index 322d3a37b..729386d3c 100644 --- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 +++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 @@ -56,6 +56,7 @@ spec: - mountPath: {{ calico_cert_dir }} name: etcd-certs readOnly: true + serviceAccountName: calico-policy-controller volumes: - hostPath: path: {{ calico_cert_dir }}
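Review bot: `serviceAccountName: calico-policy-controller` is added, but the patch creates no ServiceAccount, ClusterRole or ClusterRoleBinding with that name — the diffstat lists RBAC manifests only for dnsmasq and kubedns. Unless that account already exists in the policy_controller role, the policy-controller pods will fail admission with a missing-serviceaccount error, and under RBAC the controller will presumably also need read/watch rules for the resources it reconciles, which should be defined alongside the account. The container spec and the `volumes:` block continue outside the hunk.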