first try of root RBAC

This commit is contained in:
Boris Zanetti 2017-04-13 19:18:07 +02:00 committed by nhaveric
parent fec5bfde1f
commit eb8fc0fe83
12 changed files with 101 additions and 0 deletions


@ -63,6 +63,9 @@
with_items: with_items:
- {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment} - {name: dnsmasq, file: dnsmasq-deploy.yml, type: deployment}
- {name: dnsmasq, file: dnsmasq-svc.yml, type: svc} - {name: dnsmasq, file: dnsmasq-svc.yml, type: svc}
- {name: cluster-proportional-autoscaler, file: dnsmasq-serviceaccount.yml, type: serviceaccount}
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrole.yml, type: clusterrole}
- {name: cluster-proportional-autoscaler, file: dnsmasq-clusterrolebinding.yml, type: clusterrolebinding}
- {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment} - {name: dnsmasq-autoscaler, file: dnsmasq-autoscaler.yml, type: deployment}
register: manifests register: manifests
delegate_to: "{{ groups['kube-master'][0] }}" delegate_to: "{{ groups['kube-master'][0] }}"


@ -47,4 +47,5 @@ spec:
- --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}} - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}}
- --logtostderr=true - --logtostderr=true
- --v={{ kube_log_level }} - --v={{ kube_log_level }}
serviceAccountName: cluster-proportional-autoscaler


@ -0,0 +1,34 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: cluster-proportional-autoscaler
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- apiGroups:
- ""
resources:
- replicationcontrollers/scale
verbs:
- get
- update
- apiGroups:
- extensions
resources:
- deployments/scale
- replicationcontrollers/scale
- replicasets/scale
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- create
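Review bot: The `configmaps` rule and the three `*/scale` rules in this ClusterRole are granted cluster-wide, while the autoscaler only scales a target in kube-system and reads or creates its own configmap there; only the `nodes` list rule genuinely needs cluster scope. Consider keeping a ClusterRole with just the `nodes` rule and moving the configmaps and scale-subresource rules into a namespaced Role in kube-system, with the companion `cluster-proportional-autoscaler` ClusterRoleBinding file gaining a RoleBinding for the namespaced part. Whether the autoscaler is ever pointed at a target outside kube-system is not visible on this page, so this is a least-privilege suggestion rather than a functional defect.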


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: cluster-proportional-autoscaler
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-proportional-autoscaler
subjects:
- kind: ServiceAccount
name: cluster-proportional-autoscaler
namespace: kube-system


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: cluster-proportional-autoscaler
namespace: kube-system


@ -13,6 +13,9 @@
src: "{{item.file}}" src: "{{item.file}}"
dest: "{{kube_config_dir}}/{{item.file}}" dest: "{{kube_config_dir}}/{{item.file}}"
with_items: with_items:
- {name: kubedns, file: kubedns-serviceaccount.yml, type: serviceaccount}
- {name: kubedns, file: kubedns-clusterrole.yml, type: clusterrole}
- {name: kubedns, file: kubedns-clusterrolebinding.yml, type: clusterrolebinding}
- {name: kubedns, file: kubedns-deploy.yml, type: deployment} - {name: kubedns, file: kubedns-deploy.yml, type: deployment}
- {name: kubedns, file: kubedns-svc.yml, type: svc} - {name: kubedns, file: kubedns-svc.yml, type: svc}
- {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment} - {name: kubedns-autoscaler, file: kubedns-autoscaler.yml, type: deployment}
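Review bot: The `name` field of the three added items is `kubedns`, which matches none of the manifests they point to — the ClusterRole and ClusterRoleBinding are named `custom:system:kube-dns` and the ServiceAccount `kube-dns` — whereas the parallel dnsmasq items in this commit use the resource's actual `metadata.name` (`cluster-proportional-autoscaler`). If the task consuming this list uses `item.name` to look up or verify the resource, these entries will never match an existing object; the enclosing task starts outside the hunk, so that cannot be confirmed here. Suggested entries: `- {name: kube-dns, file: kubedns-serviceaccount.yml, type: serviceaccount}`, `- {name: "custom:system:kube-dns", file: kubedns-clusterrole.yml, type: clusterrole}`, `- {name: "custom:system:kube-dns", file: kubedns-clusterrolebinding.yml, type: clusterrolebinding}`.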


@ -46,4 +46,5 @@ spec:
- --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}} - --default-params={"linear":{"nodesPerReplica":{{ kubedns_nodes_per_replica }},"min":{{ kubedns_min_replicas }}}}
- --logtostderr=true - --logtostderr=true
- --v=2 - --v=2
serviceAccountName: cluster-proportional-autoscaler
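Review bot: `serviceAccountName: cluster-proportional-autoscaler` references a ServiceAccount that, within this commit, is created only by the dnsmasq role's manifest list (dnsmasq-serviceaccount.yml together with its ClusterRole and ClusterRoleBinding); nothing in the kubedns role's with_items adds it. If the kubedns role can run without the dnsmasq role, the kubedns-autoscaler pods will be rejected for a missing ServiceAccount and the Deployment will never become ready. Either add the autoscaler ServiceAccount, ClusterRole and ClusterRoleBinding to the kubedns manifest list as well, or place them in a role that both depend on. The enclosing Deployment spec begins outside the hunk.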


@ -0,0 +1,21 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: custom:system:kube-dns
rules:
- apiGroups:
- ""
resources:
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
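Review bot: The rules here (get/list/watch on `endpoints` and `services` in the core group) appear to mirror the built-in `system:kube-dns` ClusterRole that RBAC bootstrap policy binds to the `kube-dns` ServiceAccount in kube-system on clusters that ship it; if every supported Kubernetes version does, this ClusterRole and the companion `custom:system:kube-dns` ClusterRoleBinding are redundant. If older versions without that bootstrap are still supported, a header comment stating that would spare the next reader the comparison, e.g. `# Mirrors the built-in system:kube-dns role for clusters that do not bootstrap it.`. Which versions are targeted is not visible on this page.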


@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: custom:system:kube-dns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: custom:system:kube-dns
subjects:
- kind: ServiceAccount
name: kube-dns
namespace: kube-system


@ -112,4 +112,5 @@ spec:
ports: ports:
- containerPort: 8080 - containerPort: 8080
protocol: TCP protocol: TCP
serviceAccountName: kube-dns
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
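Review bot: The added `serviceAccountName: kube-dns` must sit at pod-spec level, as a sibling of `dnsPolicy`, and not inside the preceding container's `ports` block; the rendered view drops indentation, so the placement cannot be confirmed here and is worth a check, since a misplaced key either fails Deployment validation or is silently ignored. The same check applies to the `serviceAccountName` lines added to the two autoscaler Deployments and the calico-policy-controller Deployment in this commit. The enclosing spec begins outside the hunk.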


@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-dns
namespace: kube-system


@ -56,6 +56,7 @@ spec:
- mountPath: {{ calico_cert_dir }} - mountPath: {{ calico_cert_dir }}
name: etcd-certs name: etcd-certs
readOnly: true readOnly: true
serviceAccountName: calico-policy-controller
volumes: volumes:
- hostPath: - hostPath:
path: {{ calico_cert_dir }} path: {{ calico_cert_dir }}
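Review bot: `serviceAccountName: calico-policy-controller` refers to a ServiceAccount that none of the 12 files in this commit creates — the commit adds accounts, roles and bindings only for kube-dns and the cluster-proportional-autoscaler. Unless that account is created elsewhere, the policy controller's pods will be refused for a missing ServiceAccount, and even if the account is later created without a binding the controller runs with no RBAC grants at all. Add a `calico-policy-controller` ServiceAccount plus a ClusterRole and ClusterRoleBinding covering the resources the controller watches, following the kube-dns file pattern in this commit, or hold this line back until they exist. The enclosing Deployment spec begins and ends outside the hunk.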