From 4bc0da349d710b215d25732eb6b32be207cd967c Mon Sep 17 00:00:00 2001
From: simt2
Date: Mon, 22 May 2017 10:47:48 +0200
Subject: [PATCH] Add rbac support to fluentd-elasticsearch
---
 .../fluentd-elasticsearch/es-clusterrole.yaml | 17 +++++++++++++++++
 .../es-clusterrolebinding.yaml | 18 ++++++++++++++++++
 .../fluentd-elasticsearch/es-controller.yaml | 1 +
 .../es-serviceaccount.yaml | 10 ++++++++++
 .../fluentd-es-clusterrole.yaml | 18 ++++++++++++++++++
 .../fluentd-es-clusterrolebinding.yaml | 17 +++++++++++++++++
 .../fluentd-elasticsearch/fluentd-es-ds.yaml | 1 +
 .../fluentd-es-serviceaccount.yaml | 9 +++++++++
 8 files changed, 91 insertions(+)
 create mode 100644 cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml
 create mode 100644 cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml
 create mode 100644 cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml
 create mode 100644 cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml
 create mode 100644 cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml
 create mode 100644 cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml
diff --git a/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml b/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml
new file mode 100644
index 00000000000..e77f51cd2d2
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/es-clusterrole.yaml
@@ -0,0 +1,17 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: elasticsearch-logging
+ labels:
+ k8s-app: elasticsearch-logging
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "services"
+ - "namespaces"
+ - "endpoints"
+ verbs:
+ - "get"
diff --git a/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml b/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml
new file mode 100644
index 00000000000..ee3847bb814
--- /dev/null
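Review bot: In es-clusterrole.yaml the single rule grants `get` on services and endpoints in every namespace, which looks wider than an Elasticsearch pod running in kube-system needs. If its lookups are confined to kube-system (not visible in this patch, so confirm against the discovery code), services and endpoints could move to a namespaced Role and RoleBinding there, leaving only `namespaces` in the ClusterRole. Either way, a comment above `rules:` such as `# read-only lookups used by Elasticsearch node discovery` would record why each resource is listed.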
+++ b/cluster/addons/fluentd-elasticsearch/es-clusterrolebinding.yaml
@@ -0,0 +1,18 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ namespace: kube-system
+ name: elasticsearch-logging
+ labels:
+ k8s-app: elasticsearch-logging
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+- kind: ServiceAccount
+ name: elasticsearch-logging
+ namespace: kube-system
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: elasticsearch-logging
+ apiGroup: ""
diff --git a/cluster/addons/fluentd-elasticsearch/es-controller.yaml b/cluster/addons/fluentd-elasticsearch/es-controller.yaml
index 7fc0d231b15..37aadaf8e23 100644
--- a/cluster/addons/fluentd-elasticsearch/es-controller.yaml
+++ b/cluster/addons/fluentd-elasticsearch/es-controller.yaml
@@ -20,6 +20,7 @@ spec:
 version: v1
 kubernetes.io/cluster-service: "true"
 spec:
+ serviceAccountName: elasticsearch-logging
 containers:
 - image: gcr.io/google_containers/elasticsearch:v2.4.1-2
 name: elasticsearch-logging
diff --git a/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml b/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml
new file mode 100644
index 00000000000..6f4ede424e1
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/es-serviceaccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: elasticsearch-logging
+ namespace: kube-system
+ labels:
+ k8s-app: elasticsearch-logging
+ version: v1
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml
new file mode 100644
index 00000000000..354956471ec
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrole.yaml
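Review bot: In es-clusterrolebinding.yaml, `roleRef.apiGroup: ""` names the core group although ClusterRole belongs to `rbac.authorization.k8s.io`, so the binding appears to resolve only through server-side defaulting of the empty value; write `apiGroup: rbac.authorization.k8s.io` explicitly. The same empty roleRef group appears in fluentd-es-clusterrolebinding.yaml. `metadata.namespace: kube-system` is also set on this cluster-scoped object, where it has no effect and differs from the fluentd binding, which omits it. Dropping it avoids suggesting that the grant is limited to kube-system.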
@@ -0,0 +1,18 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: fluentd-es
+ labels:
+ k8s-app: fluentd-es
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "namespaces"
+ - "pods"
+ verbs:
+ - "get"
+ - "watch"
+ - "list"
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml
new file mode 100644
index 00000000000..24ff206ee03
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-clusterrolebinding.yaml
@@ -0,0 +1,17 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: fluentd-es
+ labels:
+ k8s-app: fluentd-es
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile
+subjects:
+- kind: ServiceAccount
+ name: fluentd-es
+ namespace: kube-system
+ apiGroup: ""
+roleRef:
+ kind: ClusterRole
+ name: fluentd-es
+ apiGroup: ""
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
index 211291e38ad..bfb26779c93 100644
--- a/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-ds.yaml
@@ -21,6 +21,7 @@ spec:
 annotations:
 scheduler.alpha.kubernetes.io/critical-pod: ''
 spec:
+ serviceAccountName: fluentd-es
 containers:
 - name: fluentd-es
 image: gcr.io/google_containers/fluentd-elasticsearch:1.22
diff --git a/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml b/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml
new file mode 100644
index 00000000000..3a26be215b7
--- /dev/null
+++ b/cluster/addons/fluentd-elasticsearch/fluentd-es-serviceaccount.yaml
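Review bot: fluentd-es-clusterrole.yaml grants the fluentd service account `get`, `watch` and `list` on pods in all namespaces, with no comment saying why. Read access to pods exposes full pod specs, including literal environment values, and fluentd-es-ds.yaml attaches this account to the fluentd pods, which presumably run on every node. The grant therefore deserves a recorded justification. A comment above `rules:` such as `# pod and namespace metadata lookups for log enrichment; read-only` would do, assuming that is the consumer (not visible in this patch).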
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fluentd-es
+ namespace: kube-system
+ labels:
+ k8s-app: fluentd-es
+ kubernetes.io/cluster-service: "true"
+ addonmanager.kubernetes.io/mode: Reconcile