From 9a4aa4288cc6bcbe4bc1601540c3f466e138dcb9 Mon Sep 17 00:00:00 2001
From: MQasimSarfraz
Date: Mon, 12 Mar 2018 18:07:08 +0000
Subject: [PATCH 1/2] Fix vsphere cloud_provider RBAC permissions
---
 .../cluster_roles/tasks/main.yml | 27 ++++++++++++++
 .../templates/vsphere-rbac.yml.j2 | 35 +++++++++++++++++++
 2 files changed, 62 insertions(+)
 create mode 100644 roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index 3f696a9fe..f9c5fc9b2 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -75,6 +75,33 @@
 - node_webhook_crb_manifest.changed
 tags: node-webhook
+- name: Write vsphere-cloud-provider ClusterRole manifest
+ template:
+ src: "vsphere-rbac.yml.j2"
+ dest: "{{ kube_config_dir }}/vsphere-rbac.yml"
+ register: vsphere_rbac_manifest
+ when:
+ - rbac_enabled
+ - cloud_provider is defined
+ - cloud_provider == 'vsphere'
+ - kube_version | version_compare('v1.9.0', '>=')
+ tags: vsphere
+
+- name: Apply vsphere-cloud-provider ClusterRole
+ kube:
+ name: "system:vsphere-cloud-provider"
+ kubectl: "{{bin_dir}}/kubectl"
+ resource: "clusterrolebinding"
+ filename: "{{ kube_config_dir }}/vsphere-rbac.yml"
+ state: latest
+ when:
+ - rbac_enabled
+ - cloud_provider is defined
+ - cloud_provider == 'vsphere'
+ - vsphere_rbac_manifest.changed
+ - kube_version | version_compare('v1.9.0', '>=')
+ tags: vsphere
+
 # This is not a cluster role, but should be run after kubeconfig is set on master
 - name: Write kube system namespace manifest
 template:
diff --git a/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2 b/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2
new file mode 100644
index 000000000..99da0462f
--- /dev/null
+++ b/roles/kubernetes-apps/cluster_roles/templates/vsphere-rbac.yml.j2
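Review bot: The apply task declares `resource: "clusterrolebinding"` under a task named "Apply vsphere-cloud-provider ClusterRole", while the file it points at carries both a ClusterRole and a ClusterRoleBinding; whichever of the two the kube module consults through `resource`/`name` when deciding whether to re-apply, the task name and the declared resource should agree so the next reader does not have to guess which object is being tracked. The same task writes `kubectl: "{{bin_dir}}/kubectl"` with no spaces inside the braces, unlike `{{ kube_config_dir }}` two lines below; `kubectl: "{{ bin_dir }}/kubectl"` keeps the file's Jinja style uniform. The `- name: Write kube system namespace manifest` task at the bottom of the hunk continues outside it.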
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system:vsphere-cloud-provider
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - update
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system:vsphere-cloud-provider
+roleRef:
+ kind: ClusterRole
+ name: system:vsphere-cloud-provider
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+ name: vsphere-cloud-provider
+ namespace: kube-system
From 1bcc641daead5b79d9a6c2335712f3cffb241829 Mon Sep 17 00:00:00 2001
From: MQasimSarfraz
Date: Wed, 14 Mar 2018 11:23:22 +0000
Subject: [PATCH 2/2] Create vsphere clusterrole only if it doesnt exists
---
 .../cluster_roles/tasks/main.yml | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/roles/kubernetes-apps/cluster_roles/tasks/main.yml b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
index f9c5fc9b2..5dbf49092 100644
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -75,6 +75,18 @@
 - node_webhook_crb_manifest.changed
 tags: node-webhook
+- name: Check if vsphere-cloud-provider ClusterRole exists
+ command: "{{ bin_dir }}/kubectl get clusterroles system:vsphere-cloud-provider"
+ register: vsphere_cloud_provider
+ ignore_errors: true
+ when:
+ - rbac_enabled
+ - cloud_provider is defined
+ - cloud_provider == 'vsphere'
+ - kube_version | version_compare('v1.9.0', '>=')
+ - kube_version | version_compare('v1.9.3', '<=')
+ tags: vsphere
+
 - name: Write vsphere-cloud-provider ClusterRole manifest
 template:
 src: "vsphere-rbac.yml.j2"
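Review bot: The ClusterRoleBinding's only subject is ServiceAccount `vsphere-cloud-provider` in `kube-system`, and nothing in this patch series creates that ServiceAccount; if it is provisioned elsewhere, a comment above `subjects:` naming where (`# Bound to the ServiceAccount created by <role or manifest>`, with the real location filled in) makes the grant auditable, and if it is not, the binding grants nothing until someone creates a ServiceAccount of that name. The rules themselves are tightly scoped (read-only on nodes, create/patch/update on events) which is the right shape for a cloud-provider principal; a one-line comment above `rules:` stating what the provider uses each for would discourage future widening. The template contains no Jinja expressions, so the `.j2` suffix serves only the templating pipeline — worth a note if that is intentional.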
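Review bot: The existence check relies on `ignore_errors: true`, which still prints the task as failed in the play output every time the role is absent (the expected case on a fresh cluster) and also hides kubectl failures unrelated to the role, such as an unreachable API server, behind the same non-zero `rc`; `failed_when: false` together with `changed_when: false` is the usual form for a read-only probe, since `kubectl get` changes nothing and should not report changed on every run. Swapping `ignore_errors` for `failed_when: false` leaves the registered `rc` intact, so the `rc != 0` conditions that the later hunks add keep working. The `- name: Write vsphere-cloud-provider ClusterRole manifest` task at the end of this hunk continues past it.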
@@ -84,7 +96,9 @@
 - rbac_enabled
 - cloud_provider is defined
 - cloud_provider == 'vsphere'
+ - vsphere_cloud_provider.rc != 0
 - kube_version | version_compare('v1.9.0', '>=')
+ - kube_version | version_compare('v1.9.3', '<=')
 tags: vsphere
 - name: Apply vsphere-cloud-provider ClusterRole
@@ -98,8 +112,9 @@
 - rbac_enabled
 - cloud_provider is defined
 - cloud_provider == 'vsphere'
- - vsphere_rbac_manifest.changed
+ - vsphere_cloud_provider.rc != 0
 - kube_version | version_compare('v1.9.0', '>=')
+ - kube_version | version_compare('v1.9.3', '<=')
 tags: vsphere
 # This is not a cluster role, but should be run after kubeconfig is set on master
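Review bot: `- vsphere_cloud_provider.rc != 0` is placed before the two `kube_version` conditions in both this hunk and the next (`@@ -98,8 +112,9 @@`), but the check task that registers `vsphere_cloud_provider` is itself skipped whenever the version falls outside v1.9.0–v1.9.3; a skipped task registers a result with no `rc` key, so on a vsphere cluster running a newer release (a constructed example: v1.9.4) these two tasks abort with an undefined-attribute error instead of being skipped. Since Ansible evaluates a `when` list in order and stops at the first false entry, either move the `rc` condition after the two version conditions, or guard it explicitly: `- vsphere_cloud_provider.rc is defined and vsphere_cloud_provider.rc != 0`. The `<= v1.9.3` upper bound is new and undocumented; a comment above the check task explaining why later releases do not need this role would save the next maintainer from re-deriving it.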