Merge pull request #57455 from kawych/fix_metadata_agent

Automatic merge from submit-queue (batch tested with PRs 54680, 59388, 57455). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Fix RBAC permissions for metadata agent. **What this PR does / why we need it**: Allows Stackdriver Metadata Agent to watch nodes and pods **Release note**: ```release-note Fix RBAC permissions for Stackdriver Metadata Agent. ```
2025-08-11 21:12:07 +00:00 · 2018-02-06 06:40:34 -08:00 · 2018-02-06 06:40:34 -08:00 · 77ca1af895
commit 77ca1af895
parent 9a8bb0098b b8ed82711c
2 changed files with 47 additions and 5 deletions
--- a/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent-rbac.yaml
@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:metadata-agent
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+rules:
+- apiGroups:
+  - ""
+  - "apps"
+  - "extensions"
+  resources:
+  - "*"
+  verbs:
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:metadata-agent
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metadata-agent
+subjects:
+- kind: ServiceAccount
+  name: metadata-agent
+  namespace: kube-system
--- a/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml
+++ b/cluster/addons/metadata-agent/stackdriver/metadata-agent.yaml
@ -1,23 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metadata-agent
+  namespace: kube-system
+  labels:
+    kubernetes.io/cluster-service: "true"
+    addonmanager.kubernetes.io/mode: Reconcile
+---
 kind: DaemonSet
 apiVersion: extensions/v1beta1
 metadata:
  labels:
-    app: stackdriver-agents
+    app: metadata-agent
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
-  name: stackdriver-agents
+  name: metadata-agent
  namespace: kube-system
 spec:
  selector:
    matchLabels:
-      app: stackdriver-agents
+      app: metadata-agent
  template:
    metadata:
      labels:
-        app: stackdriver-agents
+        app: metadata-agent
    spec:
+      serviceAccountName: metadata-agent
      containers:
-      - image: us.gcr.io/container-monitoring-storage/stackdriver-metadata-agent:{{ metadata_agent_version }}
+      - image: gcr.io/stackdriver-agents/stackdriver-metadata-agent:{{ metadata_agent_version }}
        imagePullPolicy: IfNotPresent
        name: metadata-agent
        ports: