From 24e319c056ef668f9b67f472d93ad7ee3ea5ef19 Mon Sep 17 00:00:00 2001
From: Jonathan Pulsifer
Date: Mon, 16 Oct 2017 11:43:47 -0400
Subject: [PATCH] RBAC for Calico Typha Horizontal Autoscaler
---
 .../typha-horizontal-autoscaler-clusterrole.yaml | 11 +++++++++++
 ...horizontal-autoscaler-clusterrolebinding.yaml | 15 +++++++++++++++
 .../typha-horizontal-autoscaler-deployment.yaml | 1 +
 .../typha-horizontal-autoscaler-role.yaml | 16 ++++++++++++++++
 .../typha-horizontal-autoscaler-rolebinding.yaml | 16 ++++++++++++++++
 ...pha-horizontal-autoscaler-serviceaccount.yaml | 8 ++++++++
 6 files changed, 67 insertions(+)
 create mode 100644 cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml
 create mode 100644 cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml
 create mode 100644 cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml
 create mode 100644 cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml
 create mode 100644 cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml
diff --git a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml
new file mode 100644
index 00000000000..faa6f7e4e6a
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrole.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: typha-cpha
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+ - apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list"]
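Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` in typha-horizontal-autoscaler-clusterrole.yaml ties the manifest to a beta RBAC API, and the same line opens the ClusterRoleBinding, Role and RoleBinding files added by this patch. If every release this addon ships on already serves the GA group, `apiVersion: rbac.authorization.k8s.io/v1` is the more durable choice, because beta API versions are eventually withdrawn and nothing visible in these objects appears to depend on a beta-only field. The rule itself (`list` on `nodes`) is read-only and narrow; a comment above `rules:` such as `# cluster-scoped because nodes are not namespaced; read-only` would record why a ClusterRole is needed at all.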
diff --git a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml
new file mode 100644
index 00000000000..87b427fe383
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-clusterrolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: typha-cpha
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: typha-cpha
+subjects:
+ - kind: ServiceAccount
+ name: typha-cpha
+ namespace: kube-system
diff --git a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
index b5d7f657d58..4f493b8bcf3 100644
--- a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-deployment.yaml
@@ -31,3 +31,4 @@ spec:
 cpu: 10m
 limits:
 cpu: 10m
+ serviceAccountName: typha-cpha
diff --git a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml
new file mode 100644
index 00000000000..e289258adb5
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-role.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: typha-cpha
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps"]
+ verbs: ["get"]
+ - apiGroups: ["extensions"]
+ resources: ["deployments/scale"]
+ verbs: ["get", "update"]
+
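Review bot: Both rules in typha-horizontal-autoscaler-role.yaml match every object of their kind in kube-system, because neither carries `resourceNames`. As written, the `typha-cpha` service account can read any ConfigMap in the namespace and change the replica count of any Deployment there, including scaling unrelated system components, rather than only the objects the Typha autoscaler works on. Scoping each rule would hold the account to least privilege: `resourceNames: ["<autoscaler-configmap-name>"]` on the `configmaps` rule and `resourceNames: ["<typha-deployment-name>"]` on the `deployments/scale` rule (both are placeholders, since the real object names are not visible in this patch). The file also ends with an added blank line that can be dropped.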
diff --git a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml
new file mode 100644
index 00000000000..3fc1326e86c
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-rolebinding.yaml
@@ -0,0 +1,16 @@
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: typha-cpha
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: typha-cpha
+subjects:
+ - kind: ServiceAccount
+ name: typha-cpha
+ namespace: kube-system
diff --git a/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml
new file mode 100644
index 00000000000..429b40a85eb
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/typha-horizontal-autoscaler-serviceaccount.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: typha-cpha
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile