Fix calico etcd mode networkpolicy RBAC (#12587)
Co-authored-by: Chad Swenson <chadswen@gmail.com>
committed by
GitHub
parent
e52f788942
commit
2336d54088
@@ -6,19 +6,26 @@ metadata:
|
|||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
rules:
|
rules:
|
||||||
{% if calico_datastore == "etcd" %}
|
{% if calico_datastore == "etcd" %}
|
||||||
- apiGroups:
|
# Pods are monitored for changing labels.
|
||||||
- ""
|
# The node controller monitors Kubernetes nodes.
|
||||||
- extensions
|
# Namespace and serviceaccount labels are used for policy.
|
||||||
|
- apiGroups: [""]
|
||||||
resources:
|
resources:
|
||||||
- pods
|
- pods
|
||||||
- namespaces
|
|
||||||
- networkpolicies
|
|
||||||
- nodes
|
- nodes
|
||||||
|
- namespaces
|
||||||
- serviceaccounts
|
- serviceaccounts
|
||||||
verbs:
|
verbs:
|
||||||
- watch
|
- watch
|
||||||
- list
|
- list
|
||||||
- get
|
- get
|
||||||
|
# Watch for changes to Kubernetes NetworkPolicies.
|
||||||
|
- apiGroups: ["networking.k8s.io"]
|
||||||
|
resources:
|
||||||
|
- networkpolicies
|
||||||
|
verbs:
|
||||||
|
- watch
|
||||||
|
- list
|
||||||
{% elif calico_datastore == "kdd" %}
|
{% elif calico_datastore == "kdd" %}
|
||||||
# Nodes are watched to monitor for deletions.
|
# Nodes are watched to monitor for deletions.
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
|
|||||||
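Review bot: The new `networking.k8s.io` rule at the end of the etcd branch grants only `watch` and `list` on `networkpolicies`, while the core-group rule above it also grants `get`, and no comment says whether that difference is deliberate or what depends on the rule. A one-line comment would cover it, for example `# Read-only; needed in etcd mode so NetworkPolicies can be synced into the Calico datastore.` (the sync purpose is inferred from the commit title, not shown in the hunk). Presumably a denied list/watch leaves NetworkPolicy objects unsynced and unenforced rather than failing loudly, so a post-deploy check such as `kubectl auth can-i list networkpolicies.networking.k8s.io --as=system:serviceaccount:kube-system:<controller-serviceaccount>` belongs in the rollout notes. The rule list continues into the `kdd` branch outside this hunk, so that branch cannot be assessed from here.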