binding group system:nodes to clusterrole calico-role

roles/download/tasks/main.yml

@@ -191,7 +191,7 @@
     src: "{{ fname }}"
     dest: "{{ fname }}"
     mode: push
-  delegate_to: localhost
+  #delegate_to: localhost
   become: false
   register: get_task
   until: get_task|succeeded

roles/kubernetes-apps/policy_controller/calico/tasks/main.yml

@@ -3,7 +3,7 @@
   when: kube_network_plugin == 'canal'
   tags: [facts, canal]
 
-- name: Lay Down calico-policy-controller Template
+- name: Lay Down calico-policy-controller RBAC Template
   template:
     src: "{{item.file}}"
     dest: "{{kube_config_dir}}/{{item.file}}"
@@ -15,7 +15,7 @@
   when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
   tags: canal
 
-- name: Create calico-policy-controller Resources
+- name: Create calico-policy-controller RBAC Resources
   kube:
     name: "{{item.item.name}}"
     namespace: "{{ system_namespace }}"

roles/network_plugin/calico/tasks/main.yml

@@ -195,6 +195,28 @@
   when: secret_changed|default(false) or etcd_secret_changed|default(false)
   notify: restart calico-node
 
+- name: Lay Down calico-node RBAC Template
+  template:
+    src: "{{item.file}}"
+    dest: "{{kube_config_dir}}/{{item.file}}"
+  with_items:
+    - {name: calico-node, file: calico-node-clusterrole.yml, type: clusterrole}
+    - {name: calico-node, file: calico-node-clusterrolebinding.yml, type: clusterrolebinding}
+  register: manifests
+  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
+- name: Create calico-node RBAC Resources
+  kube:
+    name: "{{item.item.name}}"
+    namespace: "{{ system_namespace }}"
+    kubectl: "{{bin_dir}}/kubectl"
+    resource: "{{item.item.type}}"
+    filename: "{{kube_config_dir}}/{{item.item.file}}"
+    state: "{{item.changed | ternary('latest','present') }}"
+  with_items: "{{ manifests.results }}"
+  failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
+  when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+
 - meta: flush_handlers
 
 - name: Calico | Enable calico-node

roles/network_plugin/calico/templates/calico-node-clusterrole.yml

@@ -0,0 +1,12 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: calico-node
+  namespace: {{ system_namespace }}
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+    verbs:
+      - get

roles/network_plugin/calico/templates/calico-node-clusterrolebinding.yml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-node
+subjects:
+- kind: Group
+  name: system:nodes
+  namespace: kube-system