From c9734b6d7bcb8ba69295bba07bb54697fb992a93 Mon Sep 17 00:00:00 2001
From: jwfang <54740235@qq.com>
Date: Tue, 4 Jul 2017 20:03:55 +0800
Subject: [PATCH] run calico-policy-controller with proper sa/role/rolebinding

---
 .../policy_controller/calico/tasks/main.yml | 25 +++++++++++++++++++
 .../calico-policy-controller-clusterrole.yml | 16 ++++++++++++
 ...o-policy-controller-clusterrolebinding.yml | 12 +++++++++
 .../templates/calico-policy-controller-sa.yml | 7 ++++++
 .../templates/calico-policy-controller.yml.j2 | 3 +++
 5 files changed, 63 insertions(+)
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
 create mode 100644 roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml

diff --git a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index 8b4271d6a..02aac8988 100644
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -3,6 +3,31 @@
 when: kube_network_plugin == 'canal'
 tags: [facts, canal]
+- name: Lay Down calico-policy-controller Template
+ template:
+ src: "{{item.file}}"
+ dest: "{{kube_config_dir}}/{{item.file}}"
+ with_items:
+ - {name: calico-policy-controller, file: calico-policy-controller-sa.yml, type: sa}
+ - {name: calico-policy-controller, file: calico-policy-controller-clusterrole.yml, type: clusterrole}
+ - {name: calico-policy-controller, file: calico-policy-controller-clusterrolebinding.yml, type: clusterrolebinding}
+ register: manifests
+ when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+ tags: canal
+
+- name: Create calico-policy-controller Resources
+ kube:
+ name: "{{item.item.name}}"
+ namespace: "{{ system_namespace }}"
+ kubectl: "{{bin_dir}}/kubectl"
+ resource: "{{item.item.type}}"
+ filename: "{{kube_config_dir}}/{{item.item.file}}"
+ state: "{{item.changed | ternary('latest','present') }}"
+ with_items: "{{ manifests.results }}"
+ failed_when: manifests|failed and "Error from server (AlreadyExists)" not in manifests.msg
+ when: inventory_hostname == groups['kube-master'][0] and rbac_enabled
+ tags: canal
+
 - name: Write calico-policy-controller yaml
 template:
 src: calico-policy-controller.yml.j2
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
new file mode 100644
index 000000000..3b71b9001
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrole.yml
@@ -0,0 +1,16 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-policy-controller
+ namespace: {{ system_namespace }}
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - pods
+ - namespaces
+ - networkpolicies
+ verbs:
+ - watch
+ - list
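Review bot: The `failed_when` on the "Create calico-policy-controller Resources" task inspects `manifests`, which is the registered result of the preceding template task, not the result of the `kube` call it is attached to; because a failed template task would already have stopped the play, `manifests|failed` is always false here, so a failing `kubectl create` of the ServiceAccount, ClusterRole or ClusterRoleBinding is never reported and the play goes on to write a Deployment that references a ServiceAccount that may not exist. Register the task's own result under a separate name (the loop still needs `manifests.results`) and test that instead: `register: policy_controller_resources` on the kube task and `failed_when: policy_controller_resources|failed and "Error from server (AlreadyExists)" not in policy_controller_resources.msg`. Both new tasks are tagged only `canal` although this role also serves calico; the tags of the "Write calico-policy-controller yaml" task lie outside the hunk, so it is worth confirming that a tag-filtered run cannot render the Deployment without creating its RBAC objects.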
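Review bot: `namespace: {{ system_namespace }}` under `metadata` of the ClusterRole should be dropped: ClusterRole is a cluster-scoped kind, so the field carries no meaning and, as far as I know, is simply discarded by the API server, which makes the manifest misleading about the scope of what it grants. The single rule is also a cross product of `apiGroups: ["", extensions]` and `resources: [pods, namespaces, networkpolicies]`; with verbs limited to `watch` and `list` nothing extra is actually granted, since the non-existent group/resource pairs match no request, but splitting it into one rule for core `pods`/`namespaces` and one for `extensions` `networkpolicies` would state the intended least-privilege set explicitly. A header comment such as `# read-only access needed by calico-policy-controller to watch pods, namespaces and NetworkPolicies cluster-wide` would help the next reader judge the scope.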
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
new file mode 100644
index 000000000..535865f01
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-clusterrolebinding.yml
@@ -0,0 +1,12 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-policy-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-policy-controller
+subjects:
+- kind: ServiceAccount
+ name: calico-policy-controller
+ namespace: {{ system_namespace }}
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
new file mode 100644
index 000000000..388f12977
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller-sa.yml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-policy-controller
+ namespace: {{ system_namespace }}
+ labels:
+ kubernetes.io/cluster-service: "true"
diff --git a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index 322d3a37b..9639fed82 100644
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@@ -60,3 +60,6 @@ spec:
 - hostPath:
 path: {{ calico_cert_dir }}
 name: etcd-certs
+{% if rbac_enabled %}
+ serviceAccountName: calico-policy-controller
+{% endif %}
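Review bot: `serviceAccountName` must sit at the pod-spec level as a sibling of `volumes:` under `spec.template.spec`, but the hunk appends it immediately after the last `volumes` entry (`name: etcd-certs`) and the indentation cannot be read from this listing; if it is rendered at the depth of the `etcd-certs` item the Deployment is rejected on apply, so the rendered manifest on the first master should be checked once. A short template comment would make the conditional self-explaining, e.g. `{# bind the dedicated SA only when RBAC is on; the SA/ClusterRole/ClusterRoleBinding tasks in tasks/main.yml are gated on the same flag #}`. When `rbac_enabled` is false the pod keeps running under the namespace's default ServiceAccount, which is presumably the intended fallback. The enclosing Deployment spec starts outside the hunk.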