Move bootstrap RBAC from protokube to core bootstrap addon
This commit is contained in:
parent
44c07e2d13
commit
62c4ce4d93
|
@ -161,7 +161,6 @@ type ProtokubeFlags struct {
|
|||
Containerized *bool `json:"containerized,omitempty" flag:"containerized"`
|
||||
DNSInternalSuffix *string `json:"dnsInternalSuffix,omitempty" flag:"dns-internal-suffix"`
|
||||
DNSProvider *string `json:"dnsProvider,omitempty" flag:"dns"`
|
||||
InitializeRBAC *bool `json:"initializeRBAC,omitempty" flag:"initialize-rbac"`
|
||||
LogLevel *int32 `json:"logLevel,omitempty" flag:"v"`
|
||||
Master *bool `json:"master,omitempty" flag:"master"`
|
||||
Zone []string `json:"zone,omitempty" flag:"zone"`
|
||||
|
@ -196,8 +195,6 @@ func (t *ProtokubeBuilder) ProtokubeFlags(k8sVersion semver.Version) (*Protokube
|
|||
Master: b(t.IsMaster),
|
||||
}
|
||||
|
||||
f.InitializeRBAC = fi.Bool(true)
|
||||
|
||||
zone := t.Cluster.Spec.DNSZone
|
||||
if zone != "" {
|
||||
if strings.Contains(zone, ".") {
|
||||
|
|
|
@ -63,13 +63,12 @@ func main() {
|
|||
// run is responsible for running the protokube service controller
|
||||
func run() error {
|
||||
var zones []string
|
||||
var initializeRBAC, containerized, master bool
|
||||
var containerized, master bool
|
||||
var cloud, clusterID, dnsProviderID, dnsInternalSuffix, gossipSecret, gossipListen, gossipProtocol, gossipSecretSecondary, gossipListenSecondary, gossipProtocolSecondary string
|
||||
var flagChannels string
|
||||
var dnsUpdateInterval int
|
||||
|
||||
flag.BoolVar(&containerized, "containerized", containerized, "Set if we are running containerized.")
|
||||
flag.BoolVar(&initializeRBAC, "initialize-rbac", initializeRBAC, "Set if we should initialize RBAC")
|
||||
flag.BoolVar(&master, "master", master, "Whether or not this node is a master")
|
||||
flag.StringVar(&cloud, "cloud", "aws", "CloudProvider we are using (aws,digitalocean,gce,openstack)")
|
||||
flag.StringVar(&clusterID, "cluster-id", clusterID, "Cluster ID")
|
||||
|
@ -375,7 +374,6 @@ func run() error {
|
|||
NodeName: nodeName,
|
||||
Channels: channels,
|
||||
DNS: dnsProvider,
|
||||
InitializeRBAC: initializeRBAC,
|
||||
InternalDNSSuffix: dnsInternalSuffix,
|
||||
InternalIP: internalIP,
|
||||
Kubernetes: protokube.NewKubernetesContext(),
|
||||
|
|
|
@ -16,7 +16,6 @@ go_library(
|
|||
"kube_dns.go",
|
||||
"labeler.go",
|
||||
"openstack_volume.go",
|
||||
"rbac.go",
|
||||
"tainter.go",
|
||||
"utils.go",
|
||||
"volumes.go",
|
||||
|
@ -56,9 +55,6 @@ go_library(
|
|||
"//vendor/github.com/gophercloud/gophercloud/openstack/compute/v2/extensions/volumeattach:go_default_library",
|
||||
"//vendor/golang.org/x/oauth2:go_default_library",
|
||||
"//vendor/google.golang.org/api/compute/v1:go_default_library",
|
||||
"//vendor/k8s.io/api/core/v1:go_default_library",
|
||||
"//vendor/k8s.io/api/rbac/v1beta1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/errors:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/types:go_default_library",
|
||||
"//vendor/k8s.io/client-go/kubernetes:go_default_library",
|
||||
|
|
|
@ -35,8 +35,6 @@ var (
|
|||
type KubeBoot struct {
|
||||
// Channels is a list of channel to apply
|
||||
Channels []string
|
||||
// InitializeRBAC should be set to true if we should create the core RBAC roles
|
||||
InitializeRBAC bool
|
||||
// InternalDNSSuffix is the dns zone we are living in
|
||||
InternalDNSSuffix string
|
||||
// InternalIP is the internal ip address of the node
|
||||
|
@ -92,11 +90,6 @@ func (k *KubeBoot) syncOnce(ctx context.Context) error {
|
|||
klog.Warningf("error bootstrapping master node labels: %v", err)
|
||||
}
|
||||
}
|
||||
if k.InitializeRBAC {
|
||||
if err := applyRBAC(ctx, k.Kubernetes); err != nil {
|
||||
klog.Warningf("error initializing rbac: %v", err)
|
||||
}
|
||||
}
|
||||
for _, channel := range k.Channels {
|
||||
if err := applyChannel(channel); err != nil {
|
||||
klog.Warningf("error applying channel %q: %v", channel, err)
|
||||
|
|
|
@ -1,138 +0,0 @@
|
|||
/*
|
||||
Copyright 2017 The Kubernetes Authors.
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/
|
||||
|
||||
package protokube
|
||||
|
||||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
|
||||
v1 "k8s.io/api/core/v1"
|
||||
rbac "k8s.io/api/rbac/v1beta1"
|
||||
apierrors "k8s.io/apimachinery/pkg/api/errors"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/client-go/kubernetes"
|
||||
|
||||
"k8s.io/klog/v2"
|
||||
)
|
||||
|
||||
// applyRBAC is responsible for initializing RBAC
|
||||
func applyRBAC(ctx context.Context, kubeContext *KubernetesContext) error {
|
||||
k8sClient, err := kubeContext.KubernetesClient()
|
||||
if err != nil {
|
||||
return fmt.Errorf("error connecting to kubernetes: %v", err)
|
||||
}
|
||||
clientset := k8sClient.(*kubernetes.Clientset)
|
||||
|
||||
var errors []error
|
||||
// kube-dns & kube-proxy service accounts
|
||||
if err := createServiceAccounts(ctx, clientset); err != nil {
|
||||
errors = append(errors, fmt.Errorf("error creating service accounts: %v", err))
|
||||
}
|
||||
//Currently all kubeadm specific
|
||||
if err := createClusterRoleBindings(ctx, clientset); err != nil {
|
||||
errors = append(errors, fmt.Errorf("error creating cluster role bindings: %v", err))
|
||||
}
|
||||
|
||||
if len(errors) != 0 {
|
||||
if len(errors) != 1 {
|
||||
for _, err := range errors {
|
||||
klog.Warningf("Error configuring RBAC: %v", err)
|
||||
}
|
||||
}
|
||||
return errors[0]
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// The below code should mirror the code in kubeadm.
|
||||
// We'll develop it here then contribute it back once they are out of core -
|
||||
// otherwise it is using the wrong version of the k8s client.
|
||||
const (
|
||||
// KubeProxyClusterRoleName sets the name for the kube-proxy ClusterRole
|
||||
KubeProxyClusterRoleName = "system:node-proxier"
|
||||
|
||||
clusterRoleKind = "ClusterRole"
|
||||
serviceAccountKind = "ServiceAccount"
|
||||
rbacAPIGroup = "rbac.authorization.k8s.io"
|
||||
|
||||
// Constants for what we name our ServiceAccounts with limited access to the cluster in case of RBAC
|
||||
KubeDNSServiceAccountName = "kube-dns"
|
||||
KubeProxyServiceAccountName = "kube-proxy"
|
||||
)
|
||||
|
||||
// createServiceAccounts creates the necessary serviceaccounts that kubeadm uses/might use, if they don't already exist.
|
||||
func createServiceAccounts(ctx context.Context, clientset kubernetes.Interface) error {
|
||||
serviceAccounts := []v1.ServiceAccount{
|
||||
{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: KubeDNSServiceAccountName,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
},
|
||||
},
|
||||
{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: KubeProxyServiceAccountName,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, sa := range serviceAccounts {
|
||||
if _, err := clientset.CoreV1().ServiceAccounts(metav1.NamespaceSystem).Create(ctx, &sa, metav1.CreateOptions{}); err != nil {
|
||||
if !apierrors.IsAlreadyExists(err) {
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func createClusterRoleBindings(ctx context.Context, clientset *kubernetes.Clientset) error {
|
||||
clusterRoleBindings := []rbac.ClusterRoleBinding{
|
||||
{
|
||||
ObjectMeta: metav1.ObjectMeta{
|
||||
Name: "kubeadm:node-proxier",
|
||||
},
|
||||
RoleRef: rbac.RoleRef{
|
||||
APIGroup: rbacAPIGroup,
|
||||
Kind: clusterRoleKind,
|
||||
Name: KubeProxyClusterRoleName,
|
||||
},
|
||||
Subjects: []rbac.Subject{
|
||||
{
|
||||
Kind: serviceAccountKind,
|
||||
Name: KubeProxyServiceAccountName,
|
||||
Namespace: metav1.NamespaceSystem,
|
||||
},
|
||||
},
|
||||
},
|
||||
}
|
||||
|
||||
for _, clusterRoleBinding := range clusterRoleBindings {
|
||||
if _, err := clientset.RbacV1beta1().ClusterRoleBindings().Create(ctx, &clusterRoleBinding, metav1.CreateOptions{}); err != nil {
|
||||
if !apierrors.IsAlreadyExists(err) {
|
||||
return fmt.Errorf("unable to create RBAC clusterrolebinding: %v", err)
|
||||
}
|
||||
|
||||
if _, err := clientset.RbacV1beta1().ClusterRoleBindings().Update(ctx, &clusterRoleBinding, metav1.UpdateOptions{}); err != nil {
|
||||
return fmt.Errorf("unable to update RBAC clusterrolebinding: %v", err)
|
||||
}
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
|
@ -3,3 +3,35 @@ apiVersion: v1
|
|||
kind: Namespace
|
||||
metadata:
|
||||
name: kube-system
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kube-dns
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-addon: core.addons.k8s.io
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: kube-proxy
|
||||
namespace: kube-system
|
||||
labels:
|
||||
k8s-addon: core.addons.k8s.io
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: kubeadm:node-proxier
|
||||
labels:
|
||||
k8s-addon: core.addons.k8s.io
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: system:node-proxier
|
||||
subjects:
|
||||
- apiGroup: rbac.authorization.k8s.io
|
||||
kind: ServiceAccount
|
||||
name: kube-proxy
|
||||
namespace: kube-system
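Review bot: The ClusterRoleBinding subject at the end of the hunk sets `apiGroup: rbac.authorization.k8s.io` on a `kind: ServiceAccount` entry, and the API server's RBAC validation rejects a non-empty apiGroup for ServiceAccount subjects (only the empty group is accepted; the rbac group is the default only for User and Group kinds), so the addon would fail to apply and kube-proxy would be left without the node-proxier binding that protokube no longer creates. The Go code this manifest replaces built the subject with no APIGroup, which is the behaviour to preserve; the fix is to drop the `apiGroup:` line so the entry reads `- kind: ServiceAccount` / `name: kube-proxy` / `namespace: kube-system`. Separately, if the addon's version in the bootstrap channel is not bumped alongside this manifest (not visible in this diff), already-running clusters may never re-apply it and lose these objects on the next protokube upgrade.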
|
||||
|
|