Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Kubernetes RBAC support #591

Merged
merged 1 commit into from
Jan 20, 2017
Merged

Add Kubernetes RBAC support #591

merged 1 commit into from
Jan 20, 2017

Conversation

andrewrynhard
Copy link
Contributor

@andrewrynhard andrewrynhard commented Jan 15, 2017
edited
Loading

This PR adds RBAC support.

@liggitt

liggitt
liggitt reviewed Jan 16, 2017
View reviewed changes
Documentation/kube-flannel-rbac.yml
kind: ServiceAccount
metadata:
name: flannel
namespace: kube-system
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rather than hardcoding the kube-system namespace and duplicating the config/pod spec from the main example, I would include the service account in the core kubernetes yml example (without the namespace), make the core example use a bespoke service account, limit this file to the clusterrole with the required permissions, and document the kubectl command to grant the clusterrole to the flannel service account in the desired namespace

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ahh yes. Will fix now.

@andrewrynhard
Copy link
Contributor Author

@liggitt updated. Is this what you had in mind?

liggitt
liggitt reviewed Jan 17, 2017
View reviewed changes
Copy link

@liggitt liggitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Close. I'd keep the clusterrole and RBAC related comment in a separate file they can optionally create. That keeps the main example clean for clusters that don't use RBAC

Documentation/kube-flannel.yml
@@ -42,6 +69,7 @@ spec:
hostNetwork: true
nodeSelector:
beta.kubernetes.io/arch: amd64
serviceAccount: flannel
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

serviceAccountName is the non-deprecated field

@andrewrynhard andrewrynhard force-pushed the rbac branch 3 times, most recently from b0f90ba to 97acf0c Compare January 17, 2017 01:07
@liggitt
Copy link

liggitt commented Jan 17, 2017

Looks good to me

liggitt
liggitt reviewed Jan 20, 2017
View reviewed changes
Documentation/kube-flannel-rbac.yml
# $ kubectl create --namespace kube-system -f kube-flannel.yml
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1alpha1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might want to switch this to v1beta1 for longevity

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, fixing now

@tomdee
Copy link
Contributor

tomdee commented Jan 20, 2017

LGTM - merging

@tomdee tomdee merged commit 5c5934e into flannel-io:master Jan 20, 2017
@andrewrynhard andrewrynhard deleted the rbac branch July 13, 2017 14:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@andrewrynhard @liggitt @tomdee @alexanderilyin