github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-03 17:30:00 +00:00
Code Issues Projects Releases Wiki Activity

[Federation][kubefed] Create a dedicated service account for federation controller manager in the host cluster and give it appropriate permissions.

Browse Source
This commit is contained in:
Madhusudan.C.S 2017-01-25 17:02:48 -08:00
parent 4f969bdfc2
commit 1bb80bca08
1 changed files with 68 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

71
federation/pkg/kubefed/init/init.go
View File

@ -47,6 +47,7 @@ import (
"k8s.io/kubernetes/pkg/api" "k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api/resource" "k8s.io/kubernetes/pkg/api/resource"
"k8s.io/kubernetes/pkg/apis/extensions" "k8s.io/kubernetes/pkg/apis/extensions"
"k8s.io/kubernetes/pkg/apis/rbac"
client "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset" client "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/kubectl/cmd/templates" "k8s.io/kubernetes/pkg/kubectl/cmd/templates"
cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util" cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"
@ -62,6 +63,16 @@ const (
AdminCN = "admin" AdminCN = "admin"
HostClusterLocalDNSZoneName = "cluster.local." HostClusterLocalDNSZoneName = "cluster.local."
// User name used by federation controller manager to make
// calls to federation API server.
ControllerManagerUser = "federation-controller-manager"
// Name of the ServiceAccount used by the federation controller manager.
ControllerManagerSA = "federation-controller-manager"
// Group name of the legacy/core API group
legacyAPIGroup = ""
lbAddrRetryInterval = 5 * time.Second lbAddrRetryInterval = 5 * time.Second
podWaitInterval = 2 * time.Second podWaitInterval = 2 * time.Second
) )
@ -220,7 +231,21 @@ func initFederation(cmdOut io.Writer, config util.AdminConfig, cmd *cobra.Comman
} }
// 7. Create federation controller manager // 7. Create federation controller manager
_, err = createControllerManager(hostClientset, initFlags.FederationSystemNamespace, initFlags.Name, svc.Name, cmName, image, cmKubeconfigName, dnsZoneName, dnsProvider, dryRun) // 7a. Create service accounts for federation controller manager
sa, err := createControllerManagerSA(hostClientset, initFlags.FederationSystemNamespace, dryRun)
if err != nil {
return err
}
// 7b. Create RBAC role and role binding for federation controller
// manager service account.
_, _, err = createRoleBindings(hostClientset, initFlags.FederationSystemNamespace, sa.Name, dryRun)
if err != nil {
return err
}
// 7c. Create federation controller manager deployment.
_, err = createControllerManager(hostClientset, initFlags.FederationSystemNamespace, initFlags.Name, svc.Name, cmName, image, cmKubeconfigName, dnsZoneName, dnsProvider, sa.Name, dryRun)
if err != nil { if err != nil {
return err return err
} }
@ -375,7 +400,7 @@ func createControllerManagerKubeconfigSecret(clientset *client.Clientset, namesp
config := kubeadmkubeconfigphase.MakeClientConfigWithCerts( config := kubeadmkubeconfigphase.MakeClientConfigWithCerts(
fmt.Sprintf("https://%s", svcName), fmt.Sprintf("https://%s", svcName),
name, name,
"federation-controller-manager", ControllerManagerUser,
certutil.EncodeCertPEM(entKeyPairs.ca.Cert), certutil.EncodeCertPEM(entKeyPairs.ca.Cert),
certutil.EncodePrivateKeyPEM(entKeyPairs.controllerManager.Key), certutil.EncodePrivateKeyPEM(entKeyPairs.controllerManager.Key),
certutil.EncodeCertPEM(entKeyPairs.controllerManager.Cert), certutil.EncodeCertPEM(entKeyPairs.controllerManager.Cert),
@ -520,7 +545,46 @@ func createAPIServer(clientset *client.Clientset, namespace, name, image, creden
return clientset.Extensions().Deployments(namespace).Create(dep) return clientset.Extensions().Deployments(namespace).Create(dep)
} }
func createControllerManager(clientset *client.Clientset, namespace, name, svcName, cmName, image, kubeconfigName, dnsZoneName, dnsProvider string, dryRun bool) (*extensions.Deployment, error) { func createControllerManagerSA(clientset *client.Clientset, namespace string, dryRun bool) (*api.ServiceAccount, error) {
sa := &api.ServiceAccount{
ObjectMeta: metav1.ObjectMeta{
Name: ControllerManagerSA,
Namespace: namespace,
},
}
if dryRun {
return sa, nil
}
return clientset.Core().ServiceAccounts(namespace).Create(sa)
}
func createRoleBindings(clientset *client.Clientset, namespace, saName string, dryRun bool) (*rbac.Role, *rbac.RoleBinding, error) {
roleName := "federation-system:federation-controller-manager"
role := &rbac.Role{
// a role to use for bootstrapping the federation-controller-manager so it can access
// secrets in the host cluster to access other clusters.
ObjectMeta: metav1.ObjectMeta{
Name: roleName,
},
Rules: []rbac.PolicyRule{
rbac.NewRule("get", "list", "watch").Groups(legacyAPIGroup).Resources("secrets").RuleOrDie(),
},
}
rolebinding := rbac.NewRoleBinding(roleName, namespace).SAs(namespace, saName).BindingOrDie()
if dryRun {
newRole, err := clientset.Rbac().Roles(namespace).Create(role)
if err != nil {
return nil, nil, err
}
newRolebinding, err := clientset.Rbac().RoleBindings(namespace).Create(&rolebinding)
return newRole, newRolebinding, err
}
return role, &rolebinding, nil
}
func createControllerManager(clientset *client.Clientset, namespace, name, svcName, cmName, image, kubeconfigName, dnsZoneName, dnsProvider, saName string, dryRun bool) (*extensions.Deployment, error) {
dep := &extensions.Deployment{ dep := &extensions.Deployment{
ObjectMeta: metav1.ObjectMeta{ ObjectMeta: metav1.ObjectMeta{
Name: cmName, Name: cmName,
@ -578,6 +642,7 @@ func createControllerManager(clientset *client.Clientset, namespace, name, svcNa
}, },
}, },
}, },
ServiceAccountName: saName,
}, },
}, },
}, },