mirror of
https://github.com/kubernetes-sigs/kubespray.git
synced 2026-02-28 09:39:12 +03:00
Add RBAC support for canal (#1604)
Refactored how rbac_enabled is set Added RBAC to ubuntu-canal-ha CI job Added rbac for calico policy controller
This commit is contained in:
Matthew Mosesohn
@@ -25,12 +25,14 @@ spec:
|
||||
memory: {{ netchecker_server_memory_requests }}
|
||||
ports:
|
||||
- containerPort: 8081
|
||||
hostPort: 8081
|
||||
args:
|
||||
- "-v=5"
|
||||
- "-logtostderr"
|
||||
- "-kubeproxyinit"
|
||||
- "-endpoint=0.0.0.0:8081"
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
{% if rbac_enabled %}
|
||||
serviceAccountName: netchecker-server
|
||||
{% endif %}
|
||||
|
||||
@@ -1,20 +1,11 @@
|
||||
---
|
||||
- name: Create canal ConfigMap
|
||||
run_once: true
|
||||
- name: Canal | Start Resources
|
||||
kube:
|
||||
name: "canal-config"
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
filename: "{{kube_config_dir}}/canal-config.yaml"
|
||||
resource: "configmap"
|
||||
namespace: "{{system_namespace}}"
|
||||
|
||||
- name: Start flannel and calico-node
|
||||
run_once: true
|
||||
kube:
|
||||
name: "canal-node"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
filename: "{{kube_config_dir}}/canal-node.yaml"
|
||||
resource: "ds"
|
||||
namespace: "{{system_namespace}}"
|
||||
state: "{{ item | ternary('latest','present') }}"
|
||||
with_items: "{{ canal_node_manifest.changed }}"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
state: "{{item.changed | ternary('latest','present') }}"
|
||||
with_items: "{{ canal_manifests.results }}"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
|
||||
@@ -8,3 +8,8 @@ calico_policy_controller_memory_requests: 64M
|
||||
# SSL
|
||||
calico_cert_dir: "/etc/calico/certs"
|
||||
canal_cert_dir: "/etc/canal/certs"
|
||||
|
||||
rbac_resources:
|
||||
- sa
|
||||
- clusterrole
|
||||
- clusterrolebinding
|
||||
|
||||
@@ -1,22 +1,49 @@
|
||||
---
|
||||
- set_fact:
|
||||
- name: Set cert dir
|
||||
set_fact:
|
||||
calico_cert_dir: "{{ canal_cert_dir }}"
|
||||
when: kube_network_plugin == 'canal'
|
||||
tags: [facts, canal]
|
||||
|
||||
- name: Write calico-policy-controller yaml
|
||||
- name: Get calico-policy-controller version if running
|
||||
shell: "{{ bin_dir }}/kubectl -n {{ system_namespace }} get rs calico-policy-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}' | cut -d':' -f2"
|
||||
register: existing_calico_policy_version
|
||||
run_once: true
|
||||
failed_when: false
|
||||
|
||||
# FIXME(mattymo): This should not be necessary
|
||||
- name: Delete calico-policy-controller if an old one is installed
|
||||
kube:
|
||||
name: calico-policy-controller
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
resource: rs
|
||||
namespace: "{{ system_namespace }}"
|
||||
state: absent
|
||||
run_once: true
|
||||
when:
|
||||
- not "NotFound" in existing_calico_policy_version.stderr
|
||||
- existing_calico_policy_version.stdout | version_compare('v0.7.0', '<')
|
||||
|
||||
- name: Create calico-policy-controller manifests
|
||||
template:
|
||||
src: calico-policy-controller.yml.j2
|
||||
dest: "{{kube_config_dir}}/calico-policy-controller.yml"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
tags: canal
|
||||
src: "{{item.file}}.j2"
|
||||
dest: "{{kube_config_dir}}/{{item.file}}"
|
||||
with_items:
|
||||
- {name: calico-policy-controller, file: calico-policy-controller.yml, type: rs}
|
||||
- {name: calico-policy-controller, file: calico-policy-sa.yml, type: sa}
|
||||
- {name: calico-policy-controller, file: calico-policy-cr.yml, type: clusterrole}
|
||||
- {name: calico-policy-controller, file: calico-policy-crb.yml, type: clusterrolebinding}
|
||||
register: calico_policy_manifests
|
||||
when:
|
||||
- rbac_enabled or item.type not in rbac_resources
|
||||
|
||||
- name: Start of Calico policy controller
|
||||
kube:
|
||||
name: "calico-policy-controller"
|
||||
name: "{{item.item.name}}"
|
||||
namespace: "{{ system_namespace }}"
|
||||
kubectl: "{{bin_dir}}/kubectl"
|
||||
filename: "{{kube_config_dir}}/calico-policy-controller.yml"
|
||||
namespace: "{{system_namespace}}"
|
||||
resource: "rs"
|
||||
resource: "{{item.item.type}}"
|
||||
filename: "{{kube_config_dir}}/{{item.item.file}}"
|
||||
state: "{{item.changed | ternary('latest','present') }}"
|
||||
with_items: "{{ calico_policy_manifests.results }}"
|
||||
when: inventory_hostname == groups['kube-master'][0]
|
||||
tags: canal
|
||||
|
||||
@@ -15,15 +15,18 @@ spec:
|
||||
template:
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
namespace: {{system_namespace}}
|
||||
namespace: {{ system_namespace }}
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
k8s-app: calico-policy
|
||||
spec:
|
||||
hostNetwork: true
|
||||
{% if rbac_enabled %}
|
||||
serviceAccountName: calico-policy-controller
|
||||
{% endif %}
|
||||
tolerations:
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
- effect: NoSchedule
|
||||
operator: Exists
|
||||
containers:
|
||||
- name: calico-policy-controller
|
||||
image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
|
||||
|
||||
@@ -0,0 +1,17 @@
|
||||
---
|
||||
kind: ClusterRole
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
namespace: {{ system_namespace }}
|
||||
rules:
|
||||
- apiGroups:
|
||||
- ""
|
||||
- extensions
|
||||
resources:
|
||||
- pods
|
||||
- namespaces
|
||||
- networkpolicies
|
||||
verbs:
|
||||
- watch
|
||||
- list
|
||||
@@ -0,0 +1,13 @@
|
||||
---
|
||||
kind: ClusterRoleBinding
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: calico-policy-controller
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: calico-policy-controller
|
||||
namespace: {{ system_namespace }}
|
||||
@@ -0,0 +1,8 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: calico-policy-controller
|
||||
namespace: {{ system_namespace }}
|
||||
labels:
|
||||
kubernetes.io/cluster-service: "true"
|
||||
Reference in New Issue
Block a user