Browse Source

Merge pull request #2457 from MQasimSarfraz/vsphere-volumes-rbac

Fix vsphere cloud_provider RBAC permissions
pull/2487/head
Brad Beam 6 years ago
committed by GitHub
parent
commit
4ff17cb5a5
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 77 additions and 0 deletions
  1. 42
      roles/kubernetes-apps/cluster_roles/tasks/main.yml
  2. 35
      roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2

42
roles/kubernetes-apps/cluster_roles/tasks/main.yml

@ -75,6 +75,48 @@
- node_webhook_crb_manifest.changed
tags: node-webhook
- name: Check if vsphere-cloud-provider ClusterRole exists
command: "{{ bin_dir }}/kubectl get clusterroles system:vsphere-cloud-provider"
register: vsphere_cloud_provider
ignore_errors: true
when:
- rbac_enabled
- cloud_provider is defined
- cloud_provider == 'vsphere'
- kube_version | version_compare('v1.9.0', '>=')
- kube_version | version_compare('v1.9.3', '<=')
tags: vsphere
- name: Write vsphere-cloud-provider ClusterRole manifest
template:
src: "vsphere-rbac.yml.j2"
dest: "{{ kube_config_dir }}/vsphere-rbac.yml"
register: vsphere_rbac_manifest
when:
- rbac_enabled
- cloud_provider is defined
- cloud_provider == 'vsphere'
- vsphere_cloud_provider.rc != 0
- kube_version | version_compare('v1.9.0', '>=')
- kube_version | version_compare('v1.9.3', '<=')
tags: vsphere
- name: Apply vsphere-cloud-provider ClusterRole
kube:
name: "system:vsphere-cloud-provider"
kubectl: "{{bin_dir}}/kubectl"
resource: "clusterrolebinding"
filename: "{{ kube_config_dir }}/vsphere-rbac.yml"
state: latest
when:
- rbac_enabled
- cloud_provider is defined
- cloud_provider == 'vsphere'
- vsphere_cloud_provider.rc != 0
- kube_version | version_compare('v1.9.0', '>=')
- kube_version | version_compare('v1.9.3', '<=')
tags: vsphere
# This is not a cluster role, but should be run after kubeconfig is set on master
- name: Write kube system namespace manifest
template:

35
roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2

@ -0,0 +1,35 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: system:vsphere-cloud-provider
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:vsphere-cloud-provider
roleRef:
kind: ClusterRole
name: system:vsphere-cloud-provider
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: ServiceAccount
name: vsphere-cloud-provider
namespace: kube-system
Loading…
Cancel
Save