github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 21:17:23 +00:00
Code Issues Projects Releases Wiki Activity

move kube-dns to a separate service account

Browse Source
This commit is contained in:
deads2k 2016-12-15 09:52:56 -05:00
parent ba6dca94bc
commit 36b586d5d7
12 changed files with 58 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cluster/addons/dns/kubedns-controller.yaml.base
View File

@ -157,3 +157,4 @@ spec:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns

1
cluster/addons/dns/kubedns-controller.yaml.in
View File

@ -157,3 +157,4 @@ spec:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns

1
cluster/addons/dns/kubedns-controller.yaml.sed
View File

@ -156,3 +156,4 @@ spec:
memory: 20Mi memory: 20Mi
cpu: 10m cpu: 10m
dnsPolicy: Default # Don't use cluster DNS. dnsPolicy: Default # Don't use cluster DNS.
serviceAccountName: kube-dns

6
cluster/addons/dns/kubedns-sa.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-dns
labels:
kubernetes.io/cluster-service: "true"

1
cluster/centos/deployAddons.sh
View File

@ -33,6 +33,7 @@ function deploy_dns {
if [ ! "$KUBEDNS" ]; then if [ ! "$KUBEDNS" ]; then
# use kubectl to create kube-dns deployment and service # use kubectl to create kube-dns deployment and service
${KUBECTL} --namespace=kube-system create -f kubedns-sa.yaml
${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml ${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml
${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml ${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml

1
cluster/libvirt-coreos/config-default.sh
View File

@ -67,6 +67,7 @@ ENABLE_DNS_HORIZONTAL_AUTOSCALER="${KUBE_ENABLE_DNS_HORIZONTAL_AUTOSCALER:-false
#Generate dns files #Generate dns files
sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed" > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-controller.yaml" sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed" > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-controller.yaml"
sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed" > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-svc.yaml" sed -f "${KUBE_ROOT}/cluster/addons/dns/transforms2sed.sed" < "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.base" | sed -f "${KUBE_ROOT}/cluster/libvirt-coreos/forShellEval.sed" > "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-svc.yaml"
cp "${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml" "${KUBE_ROOT}/cluster/libvirt-coreos/kubedns-sa.yaml"
#Generate registry files #Generate registry files

1
cluster/libvirt-coreos/util.sh
View File

@ -187,6 +187,7 @@ function initialize-pool {
render-template "$ROOT/namespace.yaml" > "$POOL_PATH/kubernetes/addons/namespace.yaml" render-template "$ROOT/namespace.yaml" > "$POOL_PATH/kubernetes/addons/namespace.yaml"
render-template "$ROOT/kubedns-svc.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-svc.yaml" render-template "$ROOT/kubedns-svc.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-svc.yaml"
render-template "$ROOT/kubedns-controller.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-controller.yaml" render-template "$ROOT/kubedns-controller.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-controller.yaml"
render-template "$ROOT/kubedns-sa.yaml" > "$POOL_PATH/kubernetes/addons/kubedns-sa.yaml"
fi fi
virsh pool-refresh $POOL virsh pool-refresh $POOL

2
cluster/ubuntu/deployAddons.sh
View File

@ -43,11 +43,13 @@ function deploy_dns {
echo "Deploying DNS on Kubernetes" echo "Deploying DNS on Kubernetes"
sed -e "s/\\\$DNS_DOMAIN/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.sed" > kubedns-controller.yaml sed -e "s/\\\$DNS_DOMAIN/${DNS_DOMAIN}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-controller.yaml.sed" > kubedns-controller.yaml
sed -e "s/\\\$DNS_SERVER_IP/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.sed" > kubedns-svc.yaml sed -e "s/\\\$DNS_SERVER_IP/${DNS_SERVER_IP}/g" "${KUBE_ROOT}/cluster/addons/dns/kubedns-svc.yaml.sed" > kubedns-svc.yaml
cp "${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml" kubedns-sa.yaml
KUBEDNS=`eval "${KUBECTL} get services --namespace=kube-system | grep kube-dns | cat"` KUBEDNS=`eval "${KUBECTL} get services --namespace=kube-system | grep kube-dns | cat"`
if [ ! "$KUBEDNS" ]; then if [ ! "$KUBEDNS" ]; then
# use kubectl to create kubedns controller and service # use kubectl to create kubedns controller and service
${KUBECTL} --namespace=kube-system create -f kubedns-sa.yaml
${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml ${KUBECTL} --namespace=kube-system create -f kubedns-controller.yaml
${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml ${KUBECTL} --namespace=kube-system create -f kubedns-svc.yaml

1
hack/local-up-cluster.sh
View File

@ -680,6 +680,7 @@ function start_kubedns {
# TODO update to dns role once we have one. # TODO update to dns role once we have one.
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create clusterrolebinding system:kube-dns --clusterrole=cluster-admin --serviceaccount=kube-system:default ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" create clusterrolebinding system:kube-dns --clusterrole=cluster-admin --serviceaccount=kube-system:default
# use kubectl to create kubedns deployment and service # use kubectl to create kubedns deployment and service
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f ${KUBE_ROOT}/cluster/addons/dns/kubedns-sa.yaml
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-deployment.yaml ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-deployment.yaml
${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-svc.yaml ${KUBECTL} --kubeconfig="${CERT_DIR}/admin.kubeconfig" --namespace=kube-system create -f kubedns-svc.yaml
echo "Kube-dns deployment and service successfully deployed." echo "Kube-dns deployment and service successfully deployed."

8
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
View File

@ -339,6 +339,13 @@ func ClusterRoles() []rbac.ClusterRole {
rbac.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(), rbac.NewRule(Read...).Groups(legacyGroup).Resources("persistentvolumeclaims", "persistentvolumes").RuleOrDie(),
}, },
}, },
{
// a role to use for the kube-dns pod
ObjectMeta: metav1.ObjectMeta{Name: "system:kube-dns"},
Rules: []rbac.PolicyRule{
rbac.NewRule("list", "watch").Groups(legacyGroup).Resources("endpoints", "services").RuleOrDie(),
},
},
{ {
// a role for an external/out-of-tree persistent volume provisioner // a role for an external/out-of-tree persistent volume provisioner
ObjectMeta: metav1.ObjectMeta{Name: "system:persistent-volume-provisioner"}, ObjectMeta: metav1.ObjectMeta{Name: "system:persistent-volume-provisioner"},
@ -368,6 +375,7 @@ func ClusterRoleBindings() []rbac.ClusterRoleBinding {
rbac.NewClusterBinding("system:node").Groups(user.NodesGroup).BindingOrDie(), rbac.NewClusterBinding("system:node").Groups(user.NodesGroup).BindingOrDie(),
rbac.NewClusterBinding("system:node-proxier").Users(user.KubeProxy).BindingOrDie(), rbac.NewClusterBinding("system:node-proxier").Users(user.KubeProxy).BindingOrDie(),
rbac.NewClusterBinding("system:kube-controller-manager").Users(user.KubeControllerManager).BindingOrDie(), rbac.NewClusterBinding("system:kube-controller-manager").Users(user.KubeControllerManager).BindingOrDie(),
rbac.NewClusterBinding("system:kube-dns").SAs("kube-system", "kube-dns").BindingOrDie(),
rbac.NewClusterBinding("system:kube-scheduler").Users(user.KubeScheduler).BindingOrDie(), rbac.NewClusterBinding("system:kube-scheduler").Users(user.KubeScheduler).BindingOrDie(),
} }
addClusterRoleBindingLabel(rolebindings) addClusterRoleBindingLabel(rolebindings)

17
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-role-bindings.yaml vendored
View File

@ -74,6 +74,23 @@ items:
- apiGroup: rbac.authorization.k8s.io - apiGroup: rbac.authorization.k8s.io
kind: User kind: User
name: system:kube-controller-manager name: system:kube-controller-manager
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-dns
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:kube-dns
subjects:
- kind: ServiceAccount
name: kube-dns
namespace: kube-system
- apiVersion: rbac.authorization.k8s.io/v1beta1 - apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:

18
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml vendored
View File

@ -530,6 +530,24 @@ items:
verbs: verbs:
- list - list
- watch - watch
- apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
annotations:
rbac.authorization.kubernetes.io/autoupdate: "true"
creationTimestamp: null
labels:
kubernetes.io/bootstrapping: rbac-defaults
name: system:kube-dns
rules:
- apiGroups:
- ""
resources:
- endpoints
- services
verbs:
- list
- watch
- apiVersion: rbac.authorization.k8s.io/v1beta1 - apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole kind: ClusterRole
metadata: metadata: