Merge pull request #6312 from gambol99/fix_kubelet_api_admin

Fix kubelet api admin
Kubernetes Prow Robot 2019-01-08 08:45:08 -08:00 committed by GitHub
commit 01bc535dcf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 65 additions and 0 deletions


@ -0,0 +1,14 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: kops:system:kubelet-api-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kubelet-api-admin
subjects:
# TODO: perhaps change the client cerificate, place into a group and using a group selector instead?
- apiGroup: rbac.authorization.k8s.io
kind: User
name: kubelet-api
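Review bot: The only subject is a `User` named `kubelet-api`, so any client certificate that authenticates under that name gets `system:kubelet-api-admin` cluster-wide, and the manifest does not say which component is meant to hold that identity. Presumably it is the API server's kubelet client certificate, given the webhook-authorization motive stated in the builder comment. If so, replace the TODO with a comment such as `# kubelet-api is the CN of the kube-apiserver's kubelet client certificate; no other issued certificate may carry this name`. The TODO also misspells "certificate". Separately, the object carries no `k8s-addon: rbac.addons.k8s.io` label although the addon entry selects on it, so it is worth confirming whether the channels tool depends on that label.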


@ -265,6 +265,29 @@ func (b *BootstrapChannelBuilder) buildManifest() (*channelsapi.Addons, map[stri
}
}
{
// Adding the kubelet-api-admin binding: this is required when switching to webhook authorization on the kubelet
// docs: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#other-component-roles
// issue: https://github.com/kubernetes/kops/issues/5176
key := "rbac.addons.k8s.io"
version := "v0.0.1"
{
id := "kubelet-api-admin"
location := key + "/kubelet-api-admin.yaml"
addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
Name: fi.String(key),
Version: fi.String(version),
Selector: map[string]string{"k8s-addon": key},
Manifest: fi.String(location),
KubernetesVersion: ">=1.9.0",
Id: id,
})
manifests[key+"-"+id] = "addons/" + location
}
}
{
key := "limit-range.addons.k8s.io"
version := "1.5.0"
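Review bot: The new block reuses `key := "rbac.addons.k8s.io"`, so its AddonSpec shares `Name` with the existing rbac entry that the expected manifests show at version 1.8.0, and only `Id` tells the two apart. If the channels tool keeps one spec per addon name and prefers the higher version (not visible here, so confirm), the 1.8.0 entry would win and this binding would never be applied. Kubelet webhook authorization would then reject API server calls. A distinct name avoids the question, e.g. `key := "kubelet-api.rbac.addons.k8s.io"`, with the manifest path moved to match. The `v` prefix in `version := "v0.0.1"` also differs from the bare `1.8.0` and `1.5.0` used by the neighbouring entries. `buildManifest` begins and ends outside this hunk.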


@ -30,6 +30,13 @@ spec:
selector:
k8s-addon: rbac.addons.k8s.io
version: 1.8.0
- id: kubelet-api-admin
kubernetesVersion: '>=1.9.0'
manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
name: rbac.addons.k8s.io
selector:
k8s-addon: rbac.addons.k8s.io
version: v0.0.1
- manifest: limit-range.addons.k8s.io/v1.5.0.yaml
name: limit-range.addons.k8s.io
selector:


@ -30,6 +30,13 @@ spec:
selector:
k8s-addon: rbac.addons.k8s.io
version: 1.8.0
- id: kubelet-api-admin
kubernetesVersion: '>=1.9.0'
manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
name: rbac.addons.k8s.io
selector:
k8s-addon: rbac.addons.k8s.io
version: v0.0.1
- manifest: limit-range.addons.k8s.io/v1.5.0.yaml
name: limit-range.addons.k8s.io
selector:


@ -30,6 +30,13 @@ spec:
selector:
k8s-addon: rbac.addons.k8s.io
version: 1.8.0
- id: kubelet-api-admin
kubernetesVersion: '>=1.9.0'
manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
name: rbac.addons.k8s.io
selector:
k8s-addon: rbac.addons.k8s.io
version: v0.0.1
- manifest: limit-range.addons.k8s.io/v1.5.0.yaml
name: limit-range.addons.k8s.io
selector:


@ -30,6 +30,13 @@ spec:
selector:
k8s-addon: rbac.addons.k8s.io
version: 1.8.0
- id: kubelet-api-admin
kubernetesVersion: '>=1.9.0'
manifest: rbac.addons.k8s.io/kubelet-api-admin.yaml
name: rbac.addons.k8s.io
selector:
k8s-addon: rbac.addons.k8s.io
version: v0.0.1
- manifest: limit-range.addons.k8s.io/v1.5.0.yaml
name: limit-range.addons.k8s.io
selector: