Always create service account even rbac_enabled = false

2026-02-28 09:39:12 +03:00 · 2018-08-22 11:41:29 +08:00
parent 7398858572
commit c3b3572025
34 changed files with 3 additions and 78 deletions
--- a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
@@ -8,8 +8,3 @@ calico_policy_controller_memory_requests: 64M
 # SSL
 calico_cert_dir: "/etc/calico/certs"
 canal_cert_dir: "/etc/canal/certs"
-
-rbac_resources:
-  - sa
-  - clusterrole
-  - clusterrolebinding
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -26,8 +26,7 @@
    - {name: calico-kube-controllers, file: calico-kube-cr.yml, type: clusterrole}
    - {name: calico-kube-controllers, file: calico-kube-crb.yml, type: clusterrolebinding}
  register: calico_kube_manifests
-  when:
-    - rbac_enabled or item.type not in rbac_resources
+  when: inventory_hostname == groups['kube-master'][0] and not item|skipped

 - name: Start of Calico kube controllers
  kube:
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -21,9 +21,7 @@ spec:
        k8s-app: calico-kube-controllers
    spec:
      hostNetwork: true
-{% if rbac_enabled %}
      serviceAccountName: calico-kube-controllers
-{% endif %}
      tolerations:
        - effect: NoSchedule
          operator: Exists