From 2b07f91d3e0ab107da911c03ec46a30b6e0f439d Mon Sep 17 00:00:00 2001 From: Imran Pochi Date: Thu, 22 Oct 2020 13:53:44 +0530 Subject: [PATCH] calico: move RBAC and SA into correct location This commit adds calico-kube-controllers ServiceAccount, ClusterRoleBinding and ClusterRole to the correct location `cluster-role-binding.yaml`, `cluster-role.yaml` and `service-account.yaml`. Signed-off-by: Imran Pochi --- .../templates/cluster-role-binding.yaml | 15 ++++ .../calico/templates/cluster-role.yaml | 71 +++++++++++++++ .../calico/templates/deployment.yaml | 89 ------------------- .../calico/templates/service-account.yaml | 8 ++ 4 files changed, 94 insertions(+), 89 deletions(-) diff --git a/assets/charts/control-plane/calico/templates/cluster-role-binding.yaml b/assets/charts/control-plane/calico/templates/cluster-role-binding.yaml index f76449264..0f19304ad 100644 --- a/assets/charts/control-plane/calico/templates/cluster-role-binding.yaml +++ b/assets/charts/control-plane/calico/templates/cluster-role-binding.yaml @@ -1,3 +1,4 @@ +--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -10,3 +11,17 @@ subjects: - kind: ServiceAccount name: calico-node namespace: kube-system +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-kube-controllers +subjects: +- kind: ServiceAccount + name: calico-kube-controllers + namespace: kube-system +--- diff --git a/assets/charts/control-plane/calico/templates/cluster-role.yaml b/assets/charts/control-plane/calico/templates/cluster-role.yaml index 262496581..dbfdfadfb 100644 --- a/assets/charts/control-plane/calico/templates/cluster-role.yaml +++ b/assets/charts/control-plane/calico/templates/cluster-role.yaml 
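Review bot: The new ClusterRoleBinding document puts `kind:` before `apiVersion:`, while the calico-node binding directly above it in the same file puts `apiVersion:` first; since the two documents now share a file, order the new one the same way, i.e. `apiVersion: rbac.authorization.k8s.io/v1` followed by `kind: ClusterRoleBinding`. The trailing `+---` after the last subject leaves an empty document at the end of the file; Helm and kubectl skip empty documents so it is harmless, but it adds nothing now that the file opens with `---`. The binding itself is the same one removed from deployment.yaml in this patch (same roleRef and subject), so it grants nothing that was not already granted.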
@@ -136,3 +136,74 @@ rules: - daemonsets verbs: - get +--- +# Include a clusterrole for the kube-controllers component, +# and bind it to the calico-kube-controllers serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +rules: + # Nodes are watched to monitor for deletions. + - apiGroups: [""] + resources: + - nodes + verbs: + - watch + - list + - get + # Pods are queried to check for existence. + - apiGroups: [""] + resources: + - pods + verbs: + - get + # IPAM resources are manipulated when nodes are deleted. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + verbs: + - list + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + # kube-controllers manages hostendpoints. + - apiGroups: ["crd.projectcalico.org"] + resources: + - hostendpoints + verbs: + - get + - list + - create + - update + - delete + # Needs access to update clusterinformations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - clusterinformations + verbs: + - get + - create + - update + # KubeControllersConfiguration is where it gets its config + - apiGroups: ["crd.projectcalico.org"] + resources: + - kubecontrollersconfigurations + verbs: + # read its own config + - get + # create a default if none exists + - create + # update status + - update + # watch for changes + - watch +--- diff --git a/assets/charts/control-plane/calico/templates/deployment.yaml b/assets/charts/control-plane/calico/templates/deployment.yaml index f89a940c9..e21c660a8 100644 --- a/assets/charts/control-plane/calico/templates/deployment.yaml +++ b/assets/charts/control-plane/calico/templates/deployment.yaml 
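Review bot: The header comment `# Include a clusterrole for the kube-controllers component, and bind it to the calico-kube-controllers serviceaccount.` was written when the ClusterRoleBinding followed in the same file; after this move the binding lives in cluster-role-binding.yaml, so the comment now promises something this file does not contain. Reword it to point at the new location, e.g. `# ClusterRole for the calico-kube-controllers component; bound to its ServiceAccount in cluster-role-binding.yaml.` The rules are carried over unchanged from deployment.yaml, including cluster-wide create/update/delete on blockaffinities, ipamblocks, ipamhandles and hostendpoints, so no new privilege is introduced by this patch; now that they sit in the RBAC-only file, a one-line why-comment on the hostendpoints rule (the IPAM and clusterinformations rules already have one) would make a later least-privilege review easier. As in the other files, the closing `+---` creates an empty trailing document that can be dropped.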
@@ -52,92 +52,3 @@ spec: resources: requests: memory: 20Mi ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: calico-kube-controllers - namespace: kube-system ---- -# Include a clusterrole for the kube-controllers component, -# and bind it to the calico-kube-controllers serviceaccount. -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-kube-controllers -rules: - # Nodes are watched to monitor for deletions. - - apiGroups: [""] - resources: - - nodes - verbs: - - watch - - list - - get - # Pods are queried to check for existence. - - apiGroups: [""] - resources: - - pods - verbs: - - get - # IPAM resources are manipulated when nodes are deleted. - - apiGroups: ["crd.projectcalico.org"] - resources: - - ippools - verbs: - - list - - apiGroups: ["crd.projectcalico.org"] - resources: - - blockaffinities - - ipamblocks - - ipamhandles - verbs: - - get - - list - - create - - update - - delete - # kube-controllers manages hostendpoints. - - apiGroups: ["crd.projectcalico.org"] - resources: - - hostendpoints - verbs: - - get - - list - - create - - update - - delete - # Needs access to update clusterinformations. - - apiGroups: ["crd.projectcalico.org"] - resources: - - clusterinformations - verbs: - - get - - create - - update - # KubeControllersConfiguration is where it gets its config - - apiGroups: ["crd.projectcalico.org"] - resources: - - kubecontrollersconfigurations - verbs: - # read its own config - - get - # create a default if none exists - - create - # update status - - update - # watch for changes - - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: calico-kube-controllers -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: calico-kube-controllers -subjects: -- kind: ServiceAccount - name: calico-kube-controllers - namespace: kube-system 
diff --git a/assets/charts/control-plane/calico/templates/service-account.yaml b/assets/charts/control-plane/calico/templates/service-account.yaml index f16b4b0e0..23dbf27c8 100644 --- a/assets/charts/control-plane/calico/templates/service-account.yaml +++ b/assets/charts/control-plane/calico/templates/service-account.yaml @@ -1,5 +1,13 @@ +--- apiVersion: v1 kind: ServiceAccount metadata: name: calico-node namespace: kube-system +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-kube-controllers + namespace: kube-system +---
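Review bot: The new ServiceAccount hard-codes `namespace: kube-system`, and the ClusterRoleBinding subject added in cluster-role-binding.yaml pins the same namespace; that matches the existing calico-node entry, but the Deployment that presumably sets `serviceAccountName: calico-kube-controllers` is not in this hunk, so I cannot confirm it is restricted to kube-system as well. If the chart can be released into another namespace, the pod would get a ServiceAccount from the release namespace that no binding covers and the controller would fail closed with RBAC errors on its node and IPAM watches — safe, but a silent outage. Either record the assumption on the SA, e.g. `# Must stay in kube-system: the ClusterRoleBinding subject is pinned to that namespace.`, or template the namespace with `{{ .Release.Namespace }}` on the SA and on both binding subjects in one change so they cannot drift apart.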