From 67c9683b756b76a3d0e25823b59fa16863c0a380 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Tue, 28 Mar 2017 21:50:11 -0400
Subject: [PATCH] Add RBAC permissions for dns-controller
---
 .../v1.6.0.yaml.template | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
diff --git a/upup/models/cloudup/resources/addons/dns-controller.addons.k8s.io/v1.6.0.yaml.template b/upup/models/cloudup/resources/addons/dns-controller.addons.k8s.io/v1.6.0.yaml.template
index 14e1c0496a..8740635ce4 100644
--- a/upup/models/cloudup/resources/addons/dns-controller.addons.k8s.io/v1.6.0.yaml.template
+++ b/upup/models/cloudup/resources/addons/dns-controller.addons.k8s.io/v1.6.0.yaml.template
@@ -28,6 +28,7 @@ spec:
 node-role.kubernetes.io/master: ""
 dnsPolicy: Default # Don't use cluster DNS (we are likely running before kube-dns)
 hostNetwork: true
+ serviceAccount: dns-controller
 containers:
 - name: dns-controller
 image: kope/dns-controller:1.5.2
@@ -39,3 +40,52 @@ spec:
 requests:
 cpu: 50m
 memory: 50Mi
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: dns-controller
+ namespace: kube-system
+ labels:
+ k8s-addon: dns-controller.addons.k8s.io
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ k8s-addon: dns-controller.addons.k8s.io
+ name: kops:dns-controller
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - pods
+ - ingress
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ k8s-addon: dns-controller.addons.k8s.io
+ name: kops:dns-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kops:dns-controller
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: system:serviceaccount:kube-system:dns-controller
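Review bot: In the `@@ -28,6 +28,7 @@` hunk the added `serviceAccount: dns-controller` uses the deprecated alias of `serviceAccountName`; the line is better written as `serviceAccountName: dns-controller`. This one field decides which API identity the pod runs under and so which RBAC rules apply to it, so a short comment such as `# identity bound to ClusterRole kops:dns-controller` would help the next reader. The pod spec starts and ends outside the hunk.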
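Review bot: In the `@@ -39,3 +40,52 @@` hunk the ClusterRole lists `ingress` under the core API group (`""`), which matches no resource: Ingress objects are served from the `extensions` group under the plural name `ingresses`. RBAC denies by default, so if dns-controller lists or watches Ingresses (the rule suggests it does), those requests would be refused once RBAC is enforced. Drop `ingress` from the core rule and add a separate read-only rule for `ingresses`, as sketched below. Separately, the binding's subject is written as `kind: User` with the full `system:serviceaccount:kube-system:dns-controller` name; `kind: ServiceAccount` with `name: dns-controller` and `namespace: kube-system` expresses the same grant more directly.

```yaml
rules:
# … unchanged: core-group rule, minus the `ingress` entry …
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - get
  - list
  - watch
```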